0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9.exe
Size

384KB
MD5

cc3e0b00a1e947795fd97908ef1b63c0
SHA1

165ad5bf7a0424f3403b8f2e2d38213fb2f47786
SHA256

0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9
SHA512

4670466a194cb75892dac41854a7f69ba45e65bea7ec9b05d71e0dc74e63ead996e3a933456dd90db1d91205401f27dae1ee3c9773cc41e56d962001064c65c1
SSDEEP

6144:kHbPpOCvlZZV4U/vlf0DrBqvl8ZV4U/vlfl+9DvlEZV4U/vlf0DrBqvl8F:tCvl6IveDVqvQ6IvYvc6IveDVqvY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe

Executes dropped EXE 59 IoCs

pid	Process
2548	Jfaloa32.exe
4104	Jdemhe32.exe
2324	Jfdida32.exe
2224	Jplmmfmi.exe
3704	Jfffjqdf.exe
516	Jidbflcj.exe
3892	Jfhbppbc.exe
4824	Jigollag.exe
4212	Jdmcidam.exe
3340	Jkfkfohj.exe
4692	Kpccnefa.exe
3444	Kilhgk32.exe
3100	Kacphh32.exe
4472	Kbdmpqcb.exe
2980	Kaemnhla.exe
3184	Kbfiep32.exe
3424	Kdffocib.exe
396	Kibnhjgj.exe
1248	Kckbqpnj.exe
4504	Liekmj32.exe
3992	Lpocjdld.exe
2204	Liggbi32.exe
2320	Laopdgcg.exe
4860	Lijdhiaa.exe
380	Ldohebqh.exe
1888	Lilanioo.exe
1156	Ldaeka32.exe
2056	Lklnhlfb.exe
3780	Lnjjdgee.exe
944	Lphfpbdi.exe
4480	Lgbnmm32.exe
3228	Mciobn32.exe
2800	Mjcgohig.exe
64	Mpmokb32.exe
1524	Mgghhlhq.exe
4680	Mjeddggd.exe
2556	Mamleegg.exe
3928	Mcnhmm32.exe
4484	Mkepnjng.exe
4588	Mncmjfmk.exe
4980	Mdmegp32.exe
2992	Mglack32.exe
4276	Maaepd32.exe
2640	Mdpalp32.exe
548	Nnhfee32.exe
3632	Nqfbaq32.exe
4596	Ngpjnkpf.exe
1560	Njogjfoj.exe
2112	Nafokcol.exe
2184	Nddkgonp.exe
908	Ngcgcjnc.exe
1636	Njacpf32.exe
4284	Nqklmpdd.exe
3728	Ncihikcg.exe
4744	Nkqpjidj.exe
3396	Nnolfdcn.exe
4360	Nqmhbpba.exe
856	Ndidbn32.exe
4584	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kdffocib.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
864	4584	WerFault.exe	144

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lilanioo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 2548	540	0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9.exe	83
PID 540 wrote to memory of 2548	540	0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9.exe	83
PID 540 wrote to memory of 2548	540	0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9.exe	83
PID 2548 wrote to memory of 4104	2548	Jfaloa32.exe	84
PID 2548 wrote to memory of 4104	2548	Jfaloa32.exe	84
PID 2548 wrote to memory of 4104	2548	Jfaloa32.exe	84
PID 4104 wrote to memory of 2324	4104	Jdemhe32.exe	85
PID 4104 wrote to memory of 2324	4104	Jdemhe32.exe	85
PID 4104 wrote to memory of 2324	4104	Jdemhe32.exe	85
PID 2324 wrote to memory of 2224	2324	Jfdida32.exe	86
PID 2324 wrote to memory of 2224	2324	Jfdida32.exe	86
PID 2324 wrote to memory of 2224	2324	Jfdida32.exe	86
PID 2224 wrote to memory of 3704	2224	Jplmmfmi.exe	87
PID 2224 wrote to memory of 3704	2224	Jplmmfmi.exe	87
PID 2224 wrote to memory of 3704	2224	Jplmmfmi.exe	87
PID 3704 wrote to memory of 516	3704	Jfffjqdf.exe	88
PID 3704 wrote to memory of 516	3704	Jfffjqdf.exe	88
PID 3704 wrote to memory of 516	3704	Jfffjqdf.exe	88
PID 516 wrote to memory of 3892	516	Jidbflcj.exe	89
PID 516 wrote to memory of 3892	516	Jidbflcj.exe	89
PID 516 wrote to memory of 3892	516	Jidbflcj.exe	89
PID 3892 wrote to memory of 4824	3892	Jfhbppbc.exe	90
PID 3892 wrote to memory of 4824	3892	Jfhbppbc.exe	90
PID 3892 wrote to memory of 4824	3892	Jfhbppbc.exe	90
PID 4824 wrote to memory of 4212	4824	Jigollag.exe	91
PID 4824 wrote to memory of 4212	4824	Jigollag.exe	91
PID 4824 wrote to memory of 4212	4824	Jigollag.exe	91
PID 4212 wrote to memory of 3340	4212	Jdmcidam.exe	92
PID 4212 wrote to memory of 3340	4212	Jdmcidam.exe	92
PID 4212 wrote to memory of 3340	4212	Jdmcidam.exe	92
PID 3340 wrote to memory of 4692	3340	Jkfkfohj.exe	93
PID 3340 wrote to memory of 4692	3340	Jkfkfohj.exe	93
PID 3340 wrote to memory of 4692	3340	Jkfkfohj.exe	93
PID 4692 wrote to memory of 3444	4692	Kpccnefa.exe	95
PID 4692 wrote to memory of 3444	4692	Kpccnefa.exe	95
PID 4692 wrote to memory of 3444	4692	Kpccnefa.exe	95
PID 3444 wrote to memory of 3100	3444	Kilhgk32.exe	96
PID 3444 wrote to memory of 3100	3444	Kilhgk32.exe	96
PID 3444 wrote to memory of 3100	3444	Kilhgk32.exe	96
PID 3100 wrote to memory of 4472	3100	Kacphh32.exe	97
PID 3100 wrote to memory of 4472	3100	Kacphh32.exe	97
PID 3100 wrote to memory of 4472	3100	Kacphh32.exe	97
PID 4472 wrote to memory of 2980	4472	Kbdmpqcb.exe	98
PID 4472 wrote to memory of 2980	4472	Kbdmpqcb.exe	98
PID 4472 wrote to memory of 2980	4472	Kbdmpqcb.exe	98
PID 2980 wrote to memory of 3184	2980	Kaemnhla.exe	99
PID 2980 wrote to memory of 3184	2980	Kaemnhla.exe	99
PID 2980 wrote to memory of 3184	2980	Kaemnhla.exe	99
PID 3184 wrote to memory of 3424	3184	Kbfiep32.exe	101
PID 3184 wrote to memory of 3424	3184	Kbfiep32.exe	101
PID 3184 wrote to memory of 3424	3184	Kbfiep32.exe	101
PID 3424 wrote to memory of 396	3424	Kdffocib.exe	102
PID 3424 wrote to memory of 396	3424	Kdffocib.exe	102
PID 3424 wrote to memory of 396	3424	Kdffocib.exe	102
PID 396 wrote to memory of 1248	396	Kibnhjgj.exe	104
PID 396 wrote to memory of 1248	396	Kibnhjgj.exe	104
PID 396 wrote to memory of 1248	396	Kibnhjgj.exe	104
PID 1248 wrote to memory of 4504	1248	Kckbqpnj.exe	105
PID 1248 wrote to memory of 4504	1248	Kckbqpnj.exe	105
PID 1248 wrote to memory of 4504	1248	Kckbqpnj.exe	105
PID 4504 wrote to memory of 3992	4504	Liekmj32.exe	106
PID 4504 wrote to memory of 3992	4504	Liekmj32.exe	106
PID 4504 wrote to memory of 3992	4504	Liekmj32.exe	106
PID 3992 wrote to memory of 2204	3992	Lpocjdld.exe	107

C:\Users\Admin\AppData\Local\Temp\0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9.exe
"C:\Users\Admin\AppData\Local\Temp\0286b6145261dbaabd31a07f227bd5ad2e890794efd5b79d7432325fdadc47f9.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\Jfaloa32.exe
  C:\Windows\system32\Jfaloa32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\Jdemhe32.exe
    C:\Windows\system32\Jdemhe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\SysWOW64\Jfdida32.exe
      C:\Windows\system32\Jfdida32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        30⤵
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        60⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 408
        61⤵
        Program crash
        
        PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4584 -ip 4584
1⤵
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
384KB

MD5
a93169c5f019f6f9ff855440a4e62a20

SHA1
fae6b4f1fd558607d1bb64fc7272e1d20a56bb82

SHA256
6c9fb11f08165e7f389c4a00e9d261f07e473a0b30c10165114b125414171095

SHA512
b8a7f807a08f2bf18634e2c38129aa5c224621574d69daeea6c86b18c21059cbfcd931baf7de13757c381cd9e001a22f167d8b21ce7f59192cd6c62451b92782

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
384KB

MD5
1cac0ce8ae5d767880a6f94edafc1785

SHA1
f4bfb9aedf129819e10d0ce7f8e6ea0494981194

SHA256
5c48159d936051534d6b609204f33f81aaefe0f7fbe5ff13a5fb8d60f28a2ded

SHA512
b7dc81f488d3359559bf83c6dce8f63cf7459dd9d55ee6329b8d7c27d03180c763f2cad333780f6afd567d567155331944080c3a83c7e1f3f2f1684358916a10

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
384KB

MD5
3123b0dc1d860635058a168415109d6d

SHA1
6c0d27205d6ddfada8e4f42a222c68d8e939e6c1

SHA256
ee176403b15b0b4a94c50c18bac2150995fa96e281d1cdb230e8b7fb366e6d59

SHA512
e6b1a0fd6043a2919cf38308f273f3871ee8c104fa10ea9e689712da9be9b3b1842da60140db22d3bdd9ff19cfdb01cbf26063dd58be613f2259b61c4dbfcfc5

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
384KB

MD5
99b4f3a7c551a4581f19bdbe397fa18e

SHA1
9ac07c0244830a35481b992c4c84f1a6c78397db

SHA256
95fe18ecf921998f3df81b81a82965e4137821bf386b01894f8cc4c32cb03c3b

SHA512
2cfcdc819ef363b2c201d03306f766f9f6da8e2fe4fabbee4f33b1b4f3b7d8c19e1bb0b2754c68e97f14f8f58651a877ac61f1fb28e0ff4464846e54080e01e2

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
384KB

MD5
343ba9827e6422f7078764c75c75bedf

SHA1
516914b0ec6a24fbc2a4f98cc0749bc4987777d3

SHA256
d79b8ef79524085a23e9844f9636b4e269d4ccefc8a29d966385cc732379c5c5

SHA512
5995b8f73b4740596af7b57ca597ae9317e01464a6176a44054af00ac501f29303ecf207772334fa121c9f0f8d4dce208347fdc49f9f6b69e022ca73d3cb556a

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
384KB

MD5
f6c2990e7e984df57017fc22ed37f07a

SHA1
afd72196ea9c62b400460bc65928522d8f94c212

SHA256
8b8d740b6db8e3f99da0fc89bde37d3370faa0ac7723c303ee62a46a4ad534b7

SHA512
5ee10f7a7ec6b8c60080a7045f3688ab0578ca3af406337fd02aa32ef278ab38851716183ab42dd3e085ce22d7dc2cc2a4798152539bb7e2c4c05688b7312530

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
384KB

MD5
bb2c1e98194b4f77542be7feaeac2842

SHA1
0ef380a0961c68213074bb89645fbe02308854d8

SHA256
e184e00b0f6c7b277bdd8aea0e993e9dbc7a2cbdc04a086f9a23bc0c6cb96dff

SHA512
72bddea75038878382ac54ae595f0798628789868e18d8184fa5ad1e7cfdbc6fa793d114cc54df0a19179fb0e99370d8e55d1b206dc878a34e53e6a9ce160363

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
384KB

MD5
77403bda675357e6a4499824582eed9b

SHA1
de1a83972921c82403524e677bc18cc659c95b87

SHA256
caea0945febd56193ac9f711ce291357a6e6ae5cef757b5f8061cac378060009

SHA512
e023e4a5f66f0961523e50afabf6decff3f7c9b427ae4d44c3b6bb093f070c8816de154d6d38d656adc0131ce730045557c1bfd2365e647ca9404f3b6d5bb6c8

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
384KB

MD5
e39fd800961d8b98bf2277b9bba3d546

SHA1
9cb07f45d05075889b587f363879fab37a967fb4

SHA256
4690cb8503feff478c718a6de1d9499a4e4357b871584ca2a71af3d0084c2b12

SHA512
7043f0cc50efdf2ee6ff7d304318c0f8712df166483ef91b031734af9e53378230f10c49b50c4cd428b90b58fc7772035aca4c8720b3e021a119c2d5d3b32e8f

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
384KB

MD5
5971bdc49a3cddbaed47559caf11ac94

SHA1
809837c07e1200e2a28abcf305f09158eb17d1dc

SHA256
84489617d932a831ab63f00a34fe11942ed74b3e04fb4fef53f5366e4b34d93a

SHA512
5124324b03182eb43775453c7976d894f89075ec5ca4e7585cb8b34e5fe4af7491853b8aa97fa86fc7931906fa14739909eef8225725ba5831a44f48df61112f

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
384KB

MD5
a59f4f9344b8a3eb3ff029ea017d65ff

SHA1
06396178aa88a215a66d81debc3b2b97bb669367

SHA256
f373aa26af95180922c927c1cae5d9f5dd1704259535724aef8c2e123ae709a5

SHA512
95c09482dd6d2fde98e76fa006bbac240c689e94313ac6c70d5778fd37789f83f068e07bf9f2e6d7f4f2b53eca93dffb2917fa70648501e10c2e1e2611024fc7

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
384KB

MD5
27f0a20e9e144b77c2a0394c8a21e71c

SHA1
c0ea1196ef78dc2eee661a2564085fc7a5914837

SHA256
2c76aa9ec6b9801218f9162a9a731d7b500f0f0a91313a6057eba3fe80f89b3d

SHA512
d724e6d662cfd1daba87d60ff16c350e0afeee3ba0361784e8c8716de3125a0c6ff2b7b9b158b8526317b767fa99b45a5fcf5c49b01d944820c947bd7944e176

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
384KB

MD5
a6edbe9649c6d9be5c6ea80bc57229a8

SHA1
649acf46a076cd36f80b424e1c96d39d81704438

SHA256
381a7aa1d13b27fb1d5ac7a346ec82d0d81639d2447c3c9d12a282193816bec1

SHA512
0c27082bccba356448af5a07d25869a1eefea48bbcae2d963af12726dedf7c628df254729d4801157a5ec979737ef2134bae981f5c6bbf842ed1d81563e86510

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
384KB

MD5
da462457a00bd376e1abc42760daa96b

SHA1
9297739da38162beab0848e376091b08de772326

SHA256
b2220f02fe890eb7bf94f0aca0bf4b2535c816946a55ed46ced06317f40fef54

SHA512
547fe3645aaacbd3dc1a6bacd476e7b305210520ee8da50aec1720ef24caff715c7833f40ab9afcab0e24075d45772ba19021e3672a1e6387aeaab4b16fed5ed

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
384KB

MD5
9e79b6d4e1bc91cd8afcb673bbf13f6e

SHA1
7089448b3944d353044f7ff8138a7c06ea6bbb3c

SHA256
feaaf35e875c096cadada775266a342791b3656191f209603feb89d563862fcd

SHA512
4bb47469e3cb22bf2292ef8a3e0dd52e1978569ef61bdbd0415d5f84a7d4b8bbf2b6a39a5ba9adee4beaf0257334a19b0b6921aed54d3b14587921159d55d279

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
384KB

MD5
f25bdf94478d4ede7c1a9e55e41804e8

SHA1
cdd26b4dc7bee35afe82b9195764b0ae20af3a7c

SHA256
43afb27224eb9d5e049ae945d32241dec0a0c9f001973853e0919de14d72ea4e

SHA512
14907e8da44f7bd286ca98d0fc6235015f2adaaceff040720a6c2ad6de0df188d040d102690eb181787d4e419db282db853585bcc085c5b52faf044e9c6b7b2d

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
384KB

MD5
f322b37bd89860433716d2f8fc995fac

SHA1
0e25bd2bf5d12ec47335115f6c39deec4bcb5dd1

SHA256
2cc3a38a75cc4ed4c09136eda291b6a7fa8f0719361031858875dcda858601a1

SHA512
99923538b2cbcc0372df803347e1fc09b0b55e87414b7902b0f2766df10f5e136283e06c5669372fff7266c4c6f1bf6830cf0147b34bf2b5983fedb677368414

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
384KB

MD5
bc2130f4be2cfd4bf84d02014a63eaa0

SHA1
074e376b4bf158a7c0589a03c50decd5bd982295

SHA256
986f5fac70a41ecbff6e3b85aa86d9ec7e67650c62928b79f18b143eca327125

SHA512
7db04d4ff4248d5de67b3e464fb6d2861ff14b4e49ed339be567c8ca3a6b1f96df16e15ee4921d7d1b454fa86c62a9cfd93e92a943505620ddbacf2e9f492c71

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
384KB

MD5
a3e37a9d1075e81f0e5772bfa352a669

SHA1
cc194d9130e058349ab0542466d0f1c449248771

SHA256
5cfdd089dade44fcf4b4caa93c669727ff03e5a3dae6b75e69a386d40580c46f

SHA512
8887866776f3103cc0a28af4aca01b0f15748f1806a40a4282ab3684b365aca00b710366fe736724988919912ba894e36a770bc756d803c0fc4112554f0be5f8

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
384KB

MD5
c527ce41e8027c32e8f6ccf99ccd2721

SHA1
8d71b0405d200aec46c2dbe9d7b5560823272085

SHA256
b505348e6ea579c78fd4ac75fe44b831b88e9218ee7cdf9ff3f78e591fc1eda5

SHA512
74c17bc50f448085e46cbc45802af2810263d5a8505f10b4035f642de2a333000d5572cfc4142961407b4031cb4e36af2b3a3cf09dd73384226ace57bf020a22

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
384KB

MD5
d3cfde7e30d15253dce0c3d7b0292a06

SHA1
8db296d06bd8a6402051262a466eb4382f043151

SHA256
7c8230cc05503f3364de8ec1aba7823784f547e9acbab57138ddb75e3c603f13

SHA512
b54be1bea0ad2a52ac0f859cccef3edd87fd4d12cddae379d4dae27da0ad91c7079d6b7f58961ed166473cd46dc55390e1020037a26c53158f64ae353ca8443a

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
384KB

MD5
fcd15a34880c8a4b00f85bf914cb90c0

SHA1
8c11679ec78e0c2d38be3ed4f7c12a3e75ecd80e

SHA256
fe2a537dde449338a4a36d75cc2147caad822b3d90e271ba8d44447a017116ad

SHA512
d1948549cc3a9933800fcb2fb15925af843e8c2eb110f3a97ab2563618c4a3ed8c2b34b654c043858e6aadedae38ccfe460a4961e79d06d263cd5c4e4fe31838

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
384KB

MD5
68f516689023d6a5913bf1d6f1c3659e

SHA1
57fa704b05428806b41831040f50a83b76507d2f

SHA256
82d0fdddcd86dc53e04777d4aa56ee0f37d0beac803d212120ccc6eebd980b51

SHA512
2542c4d5d45916d3d5df1045696932be8916ae52cd404618e0a1ac63da0696a4f38a33ce63433e5e5a8c06aa71b27c82fb41cc47c36a4c7c66437c428f4aef19

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
128KB

MD5
f689c69f268c664e3cc76b0d28697ca9

SHA1
338281baa85b6b1fccfe04c676205a5d6f1cf70b

SHA256
e61685e82aca48cae7513fab9f0e89a6add11ea269049cfa8534388db12089cc

SHA512
1c06a789f789479b088a7c0340c0f93e58c37d50a904e379570678ec85e9d1fdbb982a7f419703ea74598e2de51927d0400fb76b67dea9b9080b2c38b1f24ca1

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
384KB

MD5
1290e48697640a93ea34d4dde9fc39e3

SHA1
dfc8ecaede54c2c2c3afae222c20e0b6e8a99ca6

SHA256
4d4486b261dd8bbd2be050a56d6949ef9f075fe2fd8bab46265b330ce69d15c1

SHA512
b38e79920162fea242d6d529177666eae9e405be8ab80eb8999a91818be4077882fb033386670b8057cb9e0b7fc06c00d1ed15a0b1010158d3e28c63f8bca308

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
384KB

MD5
d69d981f6cfb89e17988a3df0b23de4a

SHA1
2410a91a0ff7a1190422638f42e4c14ba633cc68

SHA256
bb393d3d3bff10279a64379b1053e71b879fc1c70ef547d5b3ccf0a8f026ec6b

SHA512
6b971b360124f1bb6cdc8f3c572a9035aef56585e571d0e8af75bf5836cbcbf70109205d0cb33e4570ab56a729d369af098bc277f0d7029d88087ce1d12ab02c

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
384KB

MD5
7da86598efc64bbd6e7aa6334bf3d478

SHA1
a96fbd0446713024631e20507d0ba849675a4279

SHA256
ad630ca2a7504d8c79fa6cc28ca39fbe3aee96df088be2542e39ef70c8fed8dd

SHA512
a2f7793de81da4770b579e60b8ea86dd3a49c42c4ec9c29adc7d2c6c2dfc64b073f19ea96db933afb08feb9e539c06e5c49dcaca1bb91a6fafe2c1fb9010299a

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
384KB

MD5
32b06b1040262a92a7a917d72c57f8cd

SHA1
47f60cc7761f3748acafdface4d3ed87bb6e8a02

SHA256
a0f39a26b3808eb48fa229116b502abb68a62b353041a75fe26611b3547fc0f1

SHA512
21b7a02adfff44a5e52ec446b64ca880f3a255fe735bdd5a99bae02d88b9b6c424cc27326a7c1227384cf3c798532aeaabdbbf19c35ff973aa609a43bbbbd9f3

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
384KB

MD5
b6063f0b8016c12989a430666b18f770

SHA1
0e20943e1051828c02f5e8ecdb6014127b4dd8bc

SHA256
04663ab0d2a6e0620a0d8ae9bf7c58ea0fe5b5d5644b40d1f3022ecf099ace34

SHA512
968c99f9a6d6c1f59b915b9d3c1a3386d7420762782d6239c5388de658085c681f4441221a96832c0b4b56a38b3268a50ed603a620e245b09806f93e62af6e03

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
384KB

MD5
154930146d00722e12593590f9c660a5

SHA1
6e8c1fd1e365d7ab03aecd4d23d4c541d31ea19c

SHA256
5afaf514f556e63d3c699ff8f9cdb968e6c8710dec23b1cf36f4f6f1e1486bb4

SHA512
44bec4bb1a7d432dce3375c63de18a17f723ad116c87c4a4dec6bc9621ae60291b7252c75dd254d4d5bddd1d62a32893179f65510322a82624bc5ce39a426b4f

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
384KB

MD5
07c9ee5387f6d1998e707990c6424a69

SHA1
56cea43573eedc1ebb7328255aa590624b3cda42

SHA256
e5e50135386a8d01dbae7a23999323b6ed10b9e07056cd22145aa77eadbfabd1

SHA512
122026d86bffdc5a1f1b89cda2c09702b31252717d0edb8ef8ade965db76b3bc7c1ccc66ad2fdf5f6ae310bf364d34b6c04c9f803dc09e62fbfbbc334393b03e

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
384KB

MD5
41a84f5319e64b1e7466c735ececc679

SHA1
045dfc7e2b14041b8ee370b93aefc930f47a023a

SHA256
e5b5f5a07c167b0138e5dab4f92ef052a7b9aba9d73c16d375754e239d108074

SHA512
37230aea1aca7c53c38ecd3f1f293e8978c238e79aa1f9ad883d02a280bf5da53e523f081bcf4d59f7db722b49ea72b5b4da50ef207f037472144a0db8c43c6d

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
384KB

MD5
dd2b3ca18da4d410dec511484ffd4a4e

SHA1
31f2ea4f54ff8b0f24a162bdbeb98c6e549a0ddb

SHA256
920147968e68331403860ab3e451d7de79a791c45f9a18a41a8b1f718201c8aa

SHA512
9e98dbc28bd9b4adbbab9b622dc8e243960e14e3cadc03747ff52239178ac1b5230b32481882e3a44d1b55a21a2095ab76e1d0449d55753e6d6aab4f5a80aa8f

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
384KB

MD5
88d7b64ed3201be688475b6c6febc73b

SHA1
2aaa115438c50aacf6e59caaa8e27fe9e533338c

SHA256
ac97ae2c8e5a442a3419bed643693fbff85fcceaf0dad3ed3741aa23fb523eca

SHA512
2c8d9267323b3cdc2e8417804e2b38da02ec2c9e17b7c2d283c405cd1710e8866e3787ada12a838e7368407d6eec9a351592fcb4b42cc49899c4380d6d0e1084

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
384KB

MD5
2c4e8e71782401ea09216e89f21ddbf2

SHA1
38af575b855fabe7a394852c1b4a1fcf0989cd9b

SHA256
6ab309662ca1757059a05565af0078ec897dd595b8e90fd414a07194747f76b8

SHA512
7aa2d8382f921a3d608461f942e0f5509c3094cb17b66ba017deb6f10774db5764d722592d0b16630e02540f42f2299195a44f3a4c0c2c4dee259dbaa48e8169

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
384KB

MD5
5f148c57e2ab6651a73433be801c86d2

SHA1
7b63af4d45dfef20d1b8148d1fecde1ea11b3e5c

SHA256
c29f12e277187c9d7fa0495cee1eba4ea710f220b4f9418ff60f4d5d7f57b661

SHA512
8b9a39fe4fd60bcbed7e9b3da1434e8243b7d1c373ae04dbf9e3fe38433f4e65ab8bb4f0a4ee8cfd024ae85f88129249504551536f7917562e38bedc86dab73f

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
384KB

MD5
8a52b1e24bcfd031f78a3a05fd24e786

SHA1
35dec064d8abfad8d5f15ae4d63513be75150c48

SHA256
66d56be29a5c5cc3c563988f9671cbee9b3ec8eca623c72c1165b032e4ace9e0

SHA512
e037c7bb39a825a8628a7ba23ba05e13dc89e07f34e8f5341d90327a65f5ecb40af24014c6f631371c3996444e21df4c9faa2fb6f2ec251133dfb3250b82ac47

Download Submit
memory/64-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/64-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/548-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads