c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319

Analysis

max time kernel
141s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe
Size

113KB
MD5

18a129b758a9fd4af097c6fca95c218c
SHA1

b510cb51f0473e4202da7b34acea6ab08f79d909
SHA256

c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319
SHA512

3dc63a7f69d8e33eda27a9b18dd1d472bf6a4442aff38e1387c80ca73413677199e246f4d5c1e3a00e00ac06d87fe44db6787ae7a1c1fa8f1fdaaf5dd7df5f52
SSDEEP

3072:4i1Bu1vmEmtamEGKl/ABgx9OuGkZFfFSebHWrH8wTW0:VUvBmBELlWgxM7otSeWrP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe

Executes dropped EXE 64 IoCs

pid	Process
4248	Jbhmdbnp.exe
2052	Jmnaakne.exe
2044	Jdhine32.exe
3388	Jjbako32.exe
444	Jaljgidl.exe
1628	Jdjfcecp.exe
4500	Jkdnpo32.exe
3608	Jmbklj32.exe
1912	Jpaghf32.exe
4992	Jfkoeppq.exe
4212	Jiikak32.exe
4560	Kmegbjgn.exe
5072	Kbapjafe.exe
3040	Kilhgk32.exe
3976	Kacphh32.exe
4184	Kdaldd32.exe
4872	Kkkdan32.exe
5084	Kaemnhla.exe
3272	Kbfiep32.exe
1308	Kknafn32.exe
1572	Kmlnbi32.exe
2568	Kdffocib.exe
1544	Kcifkp32.exe
3732	Kkpnlm32.exe
4608	Kajfig32.exe
1632	Kdhbec32.exe
4880	Liekmj32.exe
5056	Lpocjdld.exe
2876	Lgikfn32.exe
5004	Laopdgcg.exe
4380	Lkgdml32.exe
4504	Laalifad.exe
3024	Ldohebqh.exe
4828	Lkiqbl32.exe
2612	Laciofpa.exe
4968	Lcdegnep.exe
1244	Ljnnch32.exe
4528	Laefdf32.exe
4008	Lphfpbdi.exe
1168	Lgbnmm32.exe
3580	Mjqjih32.exe
752	Mahbje32.exe
4760	Mdfofakp.exe
4536	Mciobn32.exe
3216	Mjcgohig.exe
4680	Mpmokb32.exe
5040	Mdiklqhm.exe
4204	Mkbchk32.exe
3016	Mnapdf32.exe
3020	Mpolqa32.exe
2156	Mcnhmm32.exe
564	Mncmjfmk.exe
4420	Mpaifalo.exe
3940	Mcpebmkb.exe
968	Mkgmcjld.exe
1760	Maaepd32.exe
1316	Nkjjij32.exe
1984	Nnhfee32.exe
4980	Ndbnboqb.exe
5112	Ngpjnkpf.exe
2096	Nqiogp32.exe
4208	Ngcgcjnc.exe
1660	Nkncdifl.exe
3268	Nbhkac32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4356	3036	WerFault.exe	156

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 4248	4300	c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe	83
PID 4300 wrote to memory of 4248	4300	c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe	83
PID 4300 wrote to memory of 4248	4300	c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe	83
PID 4248 wrote to memory of 2052	4248	Jbhmdbnp.exe	84
PID 4248 wrote to memory of 2052	4248	Jbhmdbnp.exe	84
PID 4248 wrote to memory of 2052	4248	Jbhmdbnp.exe	84
PID 2052 wrote to memory of 2044	2052	Jmnaakne.exe	85
PID 2052 wrote to memory of 2044	2052	Jmnaakne.exe	85
PID 2052 wrote to memory of 2044	2052	Jmnaakne.exe	85
PID 2044 wrote to memory of 3388	2044	Jdhine32.exe	86
PID 2044 wrote to memory of 3388	2044	Jdhine32.exe	86
PID 2044 wrote to memory of 3388	2044	Jdhine32.exe	86
PID 3388 wrote to memory of 444	3388	Jjbako32.exe	87
PID 3388 wrote to memory of 444	3388	Jjbako32.exe	87
PID 3388 wrote to memory of 444	3388	Jjbako32.exe	87
PID 444 wrote to memory of 1628	444	Jaljgidl.exe	88
PID 444 wrote to memory of 1628	444	Jaljgidl.exe	88
PID 444 wrote to memory of 1628	444	Jaljgidl.exe	88
PID 1628 wrote to memory of 4500	1628	Jdjfcecp.exe	89
PID 1628 wrote to memory of 4500	1628	Jdjfcecp.exe	89
PID 1628 wrote to memory of 4500	1628	Jdjfcecp.exe	89
PID 4500 wrote to memory of 3608	4500	Jkdnpo32.exe	90
PID 4500 wrote to memory of 3608	4500	Jkdnpo32.exe	90
PID 4500 wrote to memory of 3608	4500	Jkdnpo32.exe	90
PID 3608 wrote to memory of 1912	3608	Jmbklj32.exe	91
PID 3608 wrote to memory of 1912	3608	Jmbklj32.exe	91
PID 3608 wrote to memory of 1912	3608	Jmbklj32.exe	91
PID 1912 wrote to memory of 4992	1912	Jpaghf32.exe	92
PID 1912 wrote to memory of 4992	1912	Jpaghf32.exe	92
PID 1912 wrote to memory of 4992	1912	Jpaghf32.exe	92
PID 4992 wrote to memory of 4212	4992	Jfkoeppq.exe	93
PID 4992 wrote to memory of 4212	4992	Jfkoeppq.exe	93
PID 4992 wrote to memory of 4212	4992	Jfkoeppq.exe	93
PID 4212 wrote to memory of 4560	4212	Jiikak32.exe	94
PID 4212 wrote to memory of 4560	4212	Jiikak32.exe	94
PID 4212 wrote to memory of 4560	4212	Jiikak32.exe	94
PID 4560 wrote to memory of 5072	4560	Kmegbjgn.exe	95
PID 4560 wrote to memory of 5072	4560	Kmegbjgn.exe	95
PID 4560 wrote to memory of 5072	4560	Kmegbjgn.exe	95
PID 5072 wrote to memory of 3040	5072	Kbapjafe.exe	96
PID 5072 wrote to memory of 3040	5072	Kbapjafe.exe	96
PID 5072 wrote to memory of 3040	5072	Kbapjafe.exe	96
PID 3040 wrote to memory of 3976	3040	Kilhgk32.exe	97
PID 3040 wrote to memory of 3976	3040	Kilhgk32.exe	97
PID 3040 wrote to memory of 3976	3040	Kilhgk32.exe	97
PID 3976 wrote to memory of 4184	3976	Kacphh32.exe	98
PID 3976 wrote to memory of 4184	3976	Kacphh32.exe	98
PID 3976 wrote to memory of 4184	3976	Kacphh32.exe	98
PID 4184 wrote to memory of 4872	4184	Kdaldd32.exe	99
PID 4184 wrote to memory of 4872	4184	Kdaldd32.exe	99
PID 4184 wrote to memory of 4872	4184	Kdaldd32.exe	99
PID 4872 wrote to memory of 5084	4872	Kkkdan32.exe	100
PID 4872 wrote to memory of 5084	4872	Kkkdan32.exe	100
PID 4872 wrote to memory of 5084	4872	Kkkdan32.exe	100
PID 5084 wrote to memory of 3272	5084	Kaemnhla.exe	101
PID 5084 wrote to memory of 3272	5084	Kaemnhla.exe	101
PID 5084 wrote to memory of 3272	5084	Kaemnhla.exe	101
PID 3272 wrote to memory of 1308	3272	Kbfiep32.exe	102
PID 3272 wrote to memory of 1308	3272	Kbfiep32.exe	102
PID 3272 wrote to memory of 1308	3272	Kbfiep32.exe	102
PID 1308 wrote to memory of 1572	1308	Kknafn32.exe	103
PID 1308 wrote to memory of 1572	1308	Kknafn32.exe	103
PID 1308 wrote to memory of 1572	1308	Kknafn32.exe	103
PID 1572 wrote to memory of 2568	1572	Kmlnbi32.exe	104

C:\Users\Admin\AppData\Local\Temp\c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe
"C:\Users\Admin\AppData\Local\Temp\c7baf66d469fabdfb215ad9a7682fc51d87f8c918e7623abcb154a314cc80319.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\SysWOW64\Jbhmdbnp.exe
  C:\Windows\system32\Jbhmdbnp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Windows\SysWOW64\Jmnaakne.exe
    C:\Windows\system32\Jmnaakne.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\Jdhine32.exe
      C:\Windows\system32\Jdhine32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
      - C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        25⤵
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        29⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        63⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        66⤵
        Drops file in System32 directory
        
        PID:744
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        71⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 400
        72⤵
        Program crash
        
        PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3036 -ip 3036
1⤵
PID:3616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2196

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
113KB

MD5
9ce14cb444aca65864994d33ac2336cf

SHA1
4dd78654fd797d7ea2dc33a189dc8bcd8a03c576

SHA256
4a8e3157781a6e2d7a8a577c39191d05086ec74d7a38197acfd06923a9150794

SHA512
75564ac826791402cae86d0f3d6a0fd35e94826b5a5a03a7f0c84f9f63f670969e984fd298234c5d560d5c2eb4bacd3f5f1a7e49ac2e79ce82bae2b4c14249c5

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
113KB

MD5
1a65baf66ee8264c332ea8c093beb0ca

SHA1
acf4073322dc5eb2b21c220d14f4d8bf72bfdbdb

SHA256
68acf2ff8ce3fabb32b762dd6b48242b529c79ae361597ce6a7ce8c29ded4bd6

SHA512
4786fe7c9c235488313002c47a051d442625b79bd46bab9df46f575745025c18fa8a1f110d74a6fb2ce2082bd16668833064278ebcdeefde434498f27aea2b88

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
113KB

MD5
99b077c6e38c4a7793bada108247361d

SHA1
342fe4169fad403f9939f1df8d38c4d197dc537d

SHA256
998ecaaf763ac03de2fa3124d05e3fa049810553b44164ba7855b84c1110dbdf

SHA512
9ac2199123485e3147c30923d8364a5d518cef37e99aca5c81c3e9ea85972154d979157e4a45aa937addd98a18fe38e4ca6a8383cecf9f653439bb47e0fdbc04

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
113KB

MD5
aca2b139915d15c7756cf17e8403cb32

SHA1
83ae8bb37fa8a919d1cf35bf368ef5b7053d7df1

SHA256
5b53e83d8c6c7abb62bdf452d526fe09d70f0393c28310ac5e21e93737902757

SHA512
6c20799507eb8a6f26c2f94323e29c206d660bc56cd172aa62157ae0dd7fcfb985e8c177e7854f7f71cc1d4348147ca356641aa88b6a0c2b44e95c44311b2637

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
113KB

MD5
1467bbfc68c550faac671d3a1fcfe708

SHA1
94ef92563bd6fe8509eba841cf47448d64f461b4

SHA256
84a4ac387a21bbe92aeb5fcb7fa1ec9b47fac0ef305cf842e6ba7bc6f611a8b4

SHA512
743a58505b2c63733613f674398ac9b3f541e21e6a4cc1cd7bf5ddaac3a7b377e4cc4bc58bc3e363e8f458d11d1c72673738d8dff516bd8dd3ad5793b6346a32

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
113KB

MD5
b6261075df7d17efdefa5dd0cc0efc62

SHA1
e09b48133422eabc0c78b2213701930b0e10aa5d

SHA256
225006d2ffaee32856362d95c39c9dc297e17e091472bf0a40e07c6483c12503

SHA512
85124bfdc8bf283a1fc7b82a5c2d48ddae90b63c2ef0852b32e5f7362dcaaba35949b44678efe4bfe67b6688d56afe0f6bdd5771503ae7679e75b9c5b195a0df

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
113KB

MD5
0669535a209387a1671ee74410b5c773

SHA1
e034df6c480c47ec81bfc4bfefbd4c71b1b5edf8

SHA256
83f20172d97cf7ac36e9b2f3c20cef29ff2bdc3070ea3c57791ca057265475fd

SHA512
f06bd21e0d44585ffeb42ee67593c9fa57fd72abbb594d486b616b11fb54b56a08143cdd47b94cab37f419e4ea67707f1408bcff3c1b6289c1194512e794e35d

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
113KB

MD5
e98fc2f11898f92e4480e7c6defb9edd

SHA1
cb261630cb38d81bba5721b3c46c0cc1a5a26e4a

SHA256
5d86bb3af0104b17d395112127d88336fcafa31e87293886c251424d12c10129

SHA512
fb52094bb6121b96a3bb7ee72bcde818d74b9ada7ff492b2157877d2efe624f3930db2a05bcbe1e320e78307a8ec56bd9b62990fe55d6411f92034da590b393a

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
113KB

MD5
28138b5ddc8e24b43f13a1e8f4d27b18

SHA1
0fb8da3cf738e28d80ba64f7900eeeb938e0190e

SHA256
bab15a27d7a10363dea254cc7a3068ce69f9dc7dbc26a3d37b78704f2f1bd3bc

SHA512
d05449bdc6455193f175733ec3d359e5014fe431ea2316b1cac5e38adf3fc51ebaf3123b2e3227b1320feff66426a65cab61161ad2d3b6528833d4d83715d256

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
113KB

MD5
a1e570b9bd7208289a48c152d5208795

SHA1
74e5ee7e5e631adb7f6254268dc0805af4586819

SHA256
cef30b94d45bef4d42b628646449a44b525faecbf6fbc2c2bedeb5a817a8de67

SHA512
f724fdf7c81245fff39ca4998301814ed400047257e0dbd2400cd0e4449acfaf557c4d7adec9790af694b217182445a98d0f62ba755f9ef7b0922ce79e7aa6bc

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
113KB

MD5
2ccc2b5e115f3cb1d502f7aeab5f8e1c

SHA1
ec486867caf75efb61bd199ac826516b27c674a2

SHA256
e2c54ccd33b713e228ce92aed1e68fa158f3b5ebc663cab6653d140a82d6509d

SHA512
7d9eb75754133b2d781706126e9aa9a29178ec55750d1953948bc739aeac86ea6c80769eed5b5ac1af393d96c1adb53f880c4e548012fe3130f1dbba647b0665

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
113KB

MD5
ef073af90f7fe565a6a74a5d55548587

SHA1
2705465371ef5c3788f05e0f1453b78cb1dfc00a

SHA256
657d840ab5c86d5ee8d89d26218dd829dd0eaec46b92729ecdc5817fb317bb9c

SHA512
453f4e404cc6c12540042d5ec87c35dd647775bbdd49f2e75b2ea3526303d7258cafc0d7039fd42e86f449236148452c059137c275ddc5aaee3d0b1212a9d8fe

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
113KB

MD5
eea74743012c55d0c4a51bd3bca8e369

SHA1
0443d4aead5ba36e78dde094286e24ce85d8ec25

SHA256
18f1ec2f193f980313bcf73751bed3772402dd21e3764590bee9d7ee00525e37

SHA512
d3b79b74d0b8e6ede611c995253926a27cc436c772bbdfefa81b1708881d6450deb60652920a1e58cb4e930b2ec846fd527b61ba42ed05dff559caccd3a24262

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
113KB

MD5
f317d5d1be3cdac7c6673798dc50f337

SHA1
fb68bff8c385a8c10518fdd7ed00bb519fd34982

SHA256
e069b6adbacb380f9d797f66c574eca8848963a3c0f64df1bb0427b32992f4ec

SHA512
8d7a040d51badacf88f55c69d758bd620f4195aba5cb495e6190027a6f1f57992d722aeca0e42b6de854b2483d359d303e300de08f3fc3b09b715051ee364cbe

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
113KB

MD5
8ee2ef1b024994ecd5e3174320638dec

SHA1
be1379c68b414d39f62114bf0432d894c35d4802

SHA256
12ee1e3ae59ef3a38f59f382f509cc17fd70e5ccf3c3b15ca4daa796e828c387

SHA512
9a10c9e0d3dc545973b1ff09cadb44e81e2ae1a7799f4474a42da9dd362fcd96a843c0381e4ebf2cf56859fef32624e151239cf52c72422b421609f856ac46fb

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
113KB

MD5
7193a42e56a126e605b77fe14fc15f67

SHA1
813056ba75f1f14d0aaf7a329a134c7485b0ee45

SHA256
c98233c37d03074201f9856f083cc6b4fd273d11bb2b3c85d0c7bbc1fa5fc857

SHA512
34b914b9ab58cb3b6b2cecc78a7b3b1351785adc70c3764894e060baa812b33fba6ec5496afdd5313af62567081b059451dd59db3660e989a0b553152f826e6e

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
113KB

MD5
db6a3bd4cb8c320d54f4dabff50984b2

SHA1
0f50be2641bc93517ea4470f7541fe8bf6424251

SHA256
1e6066641d3b97a1429370fedf8c195641084d8dec4711a3cd045b18f63b0190

SHA512
b6652dd150205bb500b3aa3a7c90aadd59b74bf6f826934694d3109ad5155b97828cfbf78738a21bee8e3a312664068d8bd63d5ba3318cff99e6c8f81adfebe3

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
113KB

MD5
3488ad52199327d9bb016b1f15c499b8

SHA1
50fd730d3f31d83ce1191fe98ab0ff35a5497103

SHA256
6b2ceb651ea350ff4fddd60914eca9c27546c25ba4ac8cffdce025bec89d0cac

SHA512
126660b0ca64dd8c280baf7c6dff83b56cf7f0a9548ad6f16a3578933b39520f6253768972e1b72b1b56799ef9ac332796c92439f2ccbf7acc6ae36121f59e6a

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
113KB

MD5
27cdb2ebd3abaf1c781badf8a313985d

SHA1
2fc6984e5cae406b570f8c4eb30b14f33e5f67d9

SHA256
77bfe87aab7b9eb607c8c0d693233370846c1e274a68ff460192a34481559fe0

SHA512
a028202831fac727ddde388f7201ae5e445298ad1bb994c901e79d7d8495a4e742e278d942e778d02e15d813f38d5faee9b168d7085ef92c690bbc547fb1e577

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
113KB

MD5
330c61bf8037740278610814fdaf304d

SHA1
e484837c31d4db372d8c49653a263f2e3bab0cdb

SHA256
7372b3499e14180bc58d1fdbbdb0e9de2acb299b7ee594436f6bea2712ead3de

SHA512
ef368442399ded2e5abb3b8705b2dde8d84dbc9de5e5be83723b3f09482279464e7bfc737bf69c5fab00ad9dba09b73af2f77cbfcb16b4e79b2af2dab3ce5fbc

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
113KB

MD5
36348a8cf5959fa3d94308a9f0028df3

SHA1
dfdd983fabafa659e7c5eabc613f0575e2ac062e

SHA256
5cd6fe715de4a03163607d03ccff3597a06e1a8777a9707e059a661fb11ee478

SHA512
f66f5dcfc69a44bb07385a55edb6979d0a482e64ee58b8fd5bfdb4ee53fce79185354d8d00e28dc602bc31181735e1ede1dc842b9c35261862ad76d2f123217b

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
113KB

MD5
f0d2bba14b6e0320881b2a5301e9ce45

SHA1
1244c7ee0f3f98b52c8cdcfe5827de4135ba5de2

SHA256
053a253077657418d6a2212f4c0ba21ca069a1f38aeea6002f2f66c8b72fd347

SHA512
5f236cfc79e06f9dd46a3bca005226bdec8e5e50df9ee27a83aba8c67b5387570940d4d13f6cb6e6772b2dabafd8ef8533d1bf94a938a9c554dee786b48691ff

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
113KB

MD5
a3d672a60149ea6bdb9dcbc2f67f6dd1

SHA1
6e877c6de70736a3a0a44c300f9b63c3a8108d66

SHA256
b094e7c87f7b6149e4602381502a0753b25bd65928fa522a7017d4543bc01e27

SHA512
8ab17e7976e5bb5cc2b55b9904ae4489bd0a9ffcca5ae468660fae6afb8d72c50302c8e2538ca233edd21b28eae690548b0a02629b5a2bd750a94693258a73e6

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
113KB

MD5
eb2f2d25f1e972457c20c3448f4ee58f

SHA1
815ac362fc3bd520d386f99980353dc74e1bb0bc

SHA256
fd30dd6932af373ffe67c55ae93ac536aab0a9e17844793f5123e74928690eb1

SHA512
6ebe54298ffd73b5991e08686ac38328ce25d621d1066afc8320cf725bc843e133ed60585c5bb4f2f012d1abc714322a1747976749d76978acb293a6f0c111dd

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
113KB

MD5
0d6b13d2bccdced07e04f873b78f9464

SHA1
e31170cb8429ef41bb769aabf6f91cbb20159e78

SHA256
04d19c30bd81909cf7eeb943d9b9b99ae7d809d0d5c0351360697d870d5a0e7d

SHA512
9b02c3824a7e7c26a6d676d60c1fedf493cdccb8b2eed6792a55d221d5e5279052e724a85da9f8e4fad435f54f3daffa8a83e70cd6b2a7d76d2f0b3a5d3d0dae

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
113KB

MD5
c56d0177f1d47a7b6cf6660fd10e5784

SHA1
06a759615c9e72eb624fcadcb3064dcaed38cd8a

SHA256
13c17ca95628b0c7f5f340051e7abb8efaec78df2362cb7fdf663707f02bc903

SHA512
7f65eb011e570bee5e87e4ccd9919bd3e738c4d57ffab56855bf3ce95caa29d61f0cc7b34748649c409b6c0075631f23e92f66eee4d22de10df0b477fde682e5

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
113KB

MD5
65a1544ec990c0b5b2a287c75f6e5e85

SHA1
1476c4d91968292ddd95e216dd23e603b06216dd

SHA256
05f4799e8035e3fffa086120dea81260947d332a9b96257db7476d474c9fde20

SHA512
5e456b951ce332094ad85f48505bdc15e7448c795a8bde02af2a4b8fff1404e5a3c498b1be44692236444d8cd899035b9544bba8b43fabbe13caf3ceb796f0da

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
113KB

MD5
5eb8a8a88a9c33ddcb3f7351f554c218

SHA1
be4072337c36776d7637e690eb1e045bcccc7216

SHA256
71c6aa5d4a0546c41f4e53818361da0f3bf05c50ceddb5846bcf855c943a2670

SHA512
b42bce40b2b2e649a81c5bf8771361027fcb527c098d87c6e557932775ffb24dce1fc6430ccda7b1896b6b9256f2dbc6f7ca16affb3a0db005594c82a28f132c

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
113KB

MD5
85e78685bcd01330702c8dc906e9108f

SHA1
ce6c2b6318ab60488adeb7f5cad3d20c6a4cf179

SHA256
dd222c3097886330142b71321fc98d2dfa92114ae56b1973d16ac155b2a43ab2

SHA512
a98b76db8c52995f1cb47027ecb477a801d844c0b8bfb0fb0092124c54a56a95507ec329d678e1a27236555f105427a419b79e4802772cdcc6f2b0257bce6b1e

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
113KB

MD5
4da52ef04ac33807be9273828e9ab050

SHA1
2c0449779e7f474c845cc25133de003da3f74aee

SHA256
b58fae2f16fb1f691fcdbf9f408903cbae39360ae3f9affa7b1611a2ac34f5c8

SHA512
3017ae75aacb5441fc4a80c87f00fec3e1f6509f4400448679cde25872339616ff5c2dc4396d7ff64978121ca3cefeb18ce757fe1c8b7840496884135903dd23

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
113KB

MD5
b1af617bd979f348f8a90898703c248f

SHA1
a3522ab8756f8ccfaa4c48b8fcdebd9bf66759d7

SHA256
ffce7f79ccd088596fde45d65f2208c88ec00397ab217ae4945caa87f012a274

SHA512
d3b04c38d73eb0b7d029f0bce2a8e7680c76120a14acedf17d1c604e9600849ca553225dc15bb53fe0c8dfe7fc50a9203c62b398f8996de12c6c85663a2d0f28

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
113KB

MD5
fc24c432c8e74cfb64b32c8fc50b7cb3

SHA1
34b2cc0054d3d8fe7fc4fab368cae17e4a3561c5

SHA256
3d951ba005f885633ec9d8bbeb7f2d94ac5a137a659d403f60121f51706af7fe

SHA512
f33a85d853a269a4135064c4188b81e7a91dd9ef28f5a3b79c4eb52b0f08779597552fb11aae1c9fb0797d429c25d9d70630dc239939394458a0a6f7d4855046

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
113KB

MD5
a484d6f1d8090b4b09b982565fb5e560

SHA1
dc24c376b4975c7ada594112b88b11c127e55809

SHA256
3dc4d55021b698c88e53a4180c207ff1305fa6331cc3c1d3242abdef90ce0a56

SHA512
be063f8e6a4a92d71c7abf90481855e03220213202fa672cfe41fe37371378b2f02bc9a24db4fa890fbf6fd9fc2e69447ffadd437cb7389cd0c976aed4ea15fa

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
113KB

MD5
28b51452e90a434fd6487b715813624e

SHA1
af596135ed076f4f0576322e05ca6b6efb204407

SHA256
b0ae2d4340870c268166fd75feee27b05bd9244914a043cf8ac3194a0f882462

SHA512
fb716142c3d2768bbda624a63081a49312026a3425e7801e983d1380cab9177ad7b14e4594db1da2be631e1ccf8ce9498be0d90daaf39676747d6cda2fd74516

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
113KB

MD5
7c8dfb3bec3cb55facbc55323ead7030

SHA1
169c0c42e869a5682487e721789ebb8d609b429c

SHA256
0120b3e393ee6d145bf4883190523aa20755a470f67b2331091e2ee5158bf2bb

SHA512
60aa6413d58d40ef6605b1218475b7aebec267172ed78883cacff9c11722e5bfcc0e789bfb81efc8681213e292aa4968a62f4113f43d03e638ed8f7982bebad7

Download Submit
memory/444-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/564-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/564-376-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/744-454-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/744-489-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/752-320-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/924-464-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/968-499-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/968-394-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1168-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1244-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1308-164-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1316-497-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1316-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1544-190-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1572-168-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1628-48-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1632-208-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1660-446-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1660-491-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1760-400-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1760-498-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1912-72-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1984-412-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1984-496-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2044-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2052-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2096-493-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2096-430-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2156-503-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2156-370-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2196-486-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2196-480-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2568-181-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2612-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2876-231-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3016-362-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3016-505-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3020-504-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3020-364-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3024-262-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3036-484-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3036-485-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3040-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3148-469-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3148-488-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3216-509-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3216-334-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3268-448-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3268-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3272-154-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3388-31-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3580-314-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3608-68-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3732-192-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3940-500-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3940-388-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3976-120-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4008-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4184-128-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4204-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4204-506-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4208-436-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4208-492-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4212-92-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4248-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4300-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4380-248-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4420-382-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4420-501-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4500-56-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4504-256-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4528-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4536-328-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4560-95-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4608-204-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4680-508-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4680-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4688-474-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4688-487-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4760-327-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4828-272-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4872-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4880-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4968-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4980-495-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4980-418-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4992-84-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5004-240-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5040-346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5040-507-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5056-224-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5072-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5084-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5112-494-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5112-424-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads