68d06580c4e391ed1c81b0ffc35e52643339743c0c5dbeb1e1e35b3b5ca875fd

Analysis

max time kernel
79s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68d06580c4e391ed1c81b0ffc35e52643339743c0c5dbeb1e1e35b3b5ca875fd.exe
Size

97KB
MD5

64c13d087a19041cc5dcec7585700ba1
SHA1

1cd54f91121d58f325d72d150854442e1c0bb384
SHA256

68d06580c4e391ed1c81b0ffc35e52643339743c0c5dbeb1e1e35b3b5ca875fd
SHA512

eb39397c39df7c86d6ed96c51c8d2665225e5795bff2eace9580277687b4ce9bf499791a6c5759ea9a00d41f0f0ff169861b5458401a4c050a32ad4c047e8dec
SSDEEP

1536:8YWv87wV8q0EJbgS6kcnsltlpejFr+TWgfFBnMivJXeYZ6:HUt1gRsXmFr4D9JXeK6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	68d06580c4e391ed1c81b0ffc35e52643339743c0c5dbeb1e1e35b3b5ca875fd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe

Executes dropped EXE 64 IoCs

pid	Process
3732	Jplmmfmi.exe
3408	Jfffjqdf.exe
4804	Jmpngk32.exe
4732	Jpojcf32.exe
4364	Jfhbppbc.exe
2144	Jmbklj32.exe
932	Jpaghf32.exe
544	Jfkoeppq.exe
3372	Jiikak32.exe
1944	Kaqcbi32.exe
2204	Kbapjafe.exe
3524	Kgmlkp32.exe
5108	Kmgdgjek.exe
4468	Kpepcedo.exe
2216	Kgphpo32.exe
2212	Kinemkko.exe
1172	Kdcijcke.exe
1652	Kgbefoji.exe
3804	Kipabjil.exe
1284	Kpjjod32.exe
1180	Kgdbkohf.exe
1624	Kibnhjgj.exe
3984	Kpmfddnf.exe
3224	Kckbqpnj.exe
336	Kkbkamnl.exe
4164	Lmqgnhmp.exe
5100	Ldkojb32.exe
3352	Lkdggmlj.exe
4868	Lmccchkn.exe
4728	Lpappc32.exe
3476	Lgkhlnbn.exe
4892	Lkgdml32.exe
228	Laalifad.exe
4292	Ldohebqh.exe
3948	Lcbiao32.exe
2940	Lkiqbl32.exe
1408	Lnhmng32.exe
3348	Lpfijcfl.exe
1904	Lgpagm32.exe
4760	Lklnhlfb.exe
3692	Lnjjdgee.exe
5060	Lddbqa32.exe
2332	Lknjmkdo.exe
388	Mjqjih32.exe
2316	Mahbje32.exe
4188	Mdfofakp.exe
1320	Mciobn32.exe
4864	Mjcgohig.exe
4104	Majopeii.exe
3232	Mdiklqhm.exe
4388	Mkbchk32.exe
4812	Mnapdf32.exe
3960	Mamleegg.exe
4776	Mdkhapfj.exe
2156	Mgidml32.exe
2192	Mjhqjg32.exe
2440	Maohkd32.exe
408	Mdmegp32.exe
4416	Mglack32.exe
3584	Mjjmog32.exe
4724	Maaepd32.exe
212	Mpdelajl.exe
4288	Mgnnhk32.exe
4964	Njljefql.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	68d06580c4e391ed1c81b0ffc35e52643339743c0c5dbeb1e1e35b3b5ca875fd.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2456	3896	WerFault.exe	158

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	68d06580c4e391ed1c81b0ffc35e52643339743c0c5dbeb1e1e35b3b5ca875fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	68d06580c4e391ed1c81b0ffc35e52643339743c0c5dbeb1e1e35b3b5ca875fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 3732	1812	68d06580c4e391ed1c81b0ffc35e52643339743c0c5dbeb1e1e35b3b5ca875fd.exe	82
PID 1812 wrote to memory of 3732	1812	68d06580c4e391ed1c81b0ffc35e52643339743c0c5dbeb1e1e35b3b5ca875fd.exe	82
PID 1812 wrote to memory of 3732	1812	68d06580c4e391ed1c81b0ffc35e52643339743c0c5dbeb1e1e35b3b5ca875fd.exe	82
PID 3732 wrote to memory of 3408	3732	Jplmmfmi.exe	83
PID 3732 wrote to memory of 3408	3732	Jplmmfmi.exe	83
PID 3732 wrote to memory of 3408	3732	Jplmmfmi.exe	83
PID 3408 wrote to memory of 4804	3408	Jfffjqdf.exe	84
PID 3408 wrote to memory of 4804	3408	Jfffjqdf.exe	84
PID 3408 wrote to memory of 4804	3408	Jfffjqdf.exe	84
PID 4804 wrote to memory of 4732	4804	Jmpngk32.exe	86
PID 4804 wrote to memory of 4732	4804	Jmpngk32.exe	86
PID 4804 wrote to memory of 4732	4804	Jmpngk32.exe	86
PID 4732 wrote to memory of 4364	4732	Jpojcf32.exe	87
PID 4732 wrote to memory of 4364	4732	Jpojcf32.exe	87
PID 4732 wrote to memory of 4364	4732	Jpojcf32.exe	87
PID 4364 wrote to memory of 2144	4364	Jfhbppbc.exe	88
PID 4364 wrote to memory of 2144	4364	Jfhbppbc.exe	88
PID 4364 wrote to memory of 2144	4364	Jfhbppbc.exe	88
PID 2144 wrote to memory of 932	2144	Jmbklj32.exe	89
PID 2144 wrote to memory of 932	2144	Jmbklj32.exe	89
PID 2144 wrote to memory of 932	2144	Jmbklj32.exe	89
PID 932 wrote to memory of 544	932	Jpaghf32.exe	90
PID 932 wrote to memory of 544	932	Jpaghf32.exe	90
PID 932 wrote to memory of 544	932	Jpaghf32.exe	90
PID 544 wrote to memory of 3372	544	Jfkoeppq.exe	91
PID 544 wrote to memory of 3372	544	Jfkoeppq.exe	91
PID 544 wrote to memory of 3372	544	Jfkoeppq.exe	91
PID 3372 wrote to memory of 1944	3372	Jiikak32.exe	92
PID 3372 wrote to memory of 1944	3372	Jiikak32.exe	92
PID 3372 wrote to memory of 1944	3372	Jiikak32.exe	92
PID 1944 wrote to memory of 2204	1944	Kaqcbi32.exe	93
PID 1944 wrote to memory of 2204	1944	Kaqcbi32.exe	93
PID 1944 wrote to memory of 2204	1944	Kaqcbi32.exe	93
PID 2204 wrote to memory of 3524	2204	Kbapjafe.exe	95
PID 2204 wrote to memory of 3524	2204	Kbapjafe.exe	95
PID 2204 wrote to memory of 3524	2204	Kbapjafe.exe	95
PID 3524 wrote to memory of 5108	3524	Kgmlkp32.exe	96
PID 3524 wrote to memory of 5108	3524	Kgmlkp32.exe	96
PID 3524 wrote to memory of 5108	3524	Kgmlkp32.exe	96
PID 5108 wrote to memory of 4468	5108	Kmgdgjek.exe	97
PID 5108 wrote to memory of 4468	5108	Kmgdgjek.exe	97
PID 5108 wrote to memory of 4468	5108	Kmgdgjek.exe	97
PID 4468 wrote to memory of 2216	4468	Kpepcedo.exe	98
PID 4468 wrote to memory of 2216	4468	Kpepcedo.exe	98
PID 4468 wrote to memory of 2216	4468	Kpepcedo.exe	98
PID 2216 wrote to memory of 2212	2216	Kgphpo32.exe	99
PID 2216 wrote to memory of 2212	2216	Kgphpo32.exe	99
PID 2216 wrote to memory of 2212	2216	Kgphpo32.exe	99
PID 2212 wrote to memory of 1172	2212	Kinemkko.exe	100
PID 2212 wrote to memory of 1172	2212	Kinemkko.exe	100
PID 2212 wrote to memory of 1172	2212	Kinemkko.exe	100
PID 1172 wrote to memory of 1652	1172	Kdcijcke.exe	101
PID 1172 wrote to memory of 1652	1172	Kdcijcke.exe	101
PID 1172 wrote to memory of 1652	1172	Kdcijcke.exe	101
PID 1652 wrote to memory of 3804	1652	Kgbefoji.exe	102
PID 1652 wrote to memory of 3804	1652	Kgbefoji.exe	102
PID 1652 wrote to memory of 3804	1652	Kgbefoji.exe	102
PID 3804 wrote to memory of 1284	3804	Kipabjil.exe	103
PID 3804 wrote to memory of 1284	3804	Kipabjil.exe	103
PID 3804 wrote to memory of 1284	3804	Kipabjil.exe	103
PID 1284 wrote to memory of 1180	1284	Kpjjod32.exe	104
PID 1284 wrote to memory of 1180	1284	Kpjjod32.exe	104
PID 1284 wrote to memory of 1180	1284	Kpjjod32.exe	104
PID 1180 wrote to memory of 1624	1180	Kgdbkohf.exe	105

C:\Users\Admin\AppData\Local\Temp\68d06580c4e391ed1c81b0ffc35e52643339743c0c5dbeb1e1e35b3b5ca875fd.exe
"C:\Users\Admin\AppData\Local\Temp\68d06580c4e391ed1c81b0ffc35e52643339743c0c5dbeb1e1e35b3b5ca875fd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\Jplmmfmi.exe
  C:\Windows\system32\Jplmmfmi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\SysWOW64\Jfffjqdf.exe
    C:\Windows\system32\Jfffjqdf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\SysWOW64\Jmpngk32.exe
      C:\Windows\system32\Jmpngk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
      - C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        36⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        67⤵
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3460
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        75⤵
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        76⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 212
        77⤵
        Program crash
        
        PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3896 -ip 3896
1⤵
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dbcjkf32.dll

Filesize
7KB

MD5
27afcede94d11bc05041e15ceff2802c

SHA1
bc7f4f3c62c3cd9a9fd4d41f5719e2133782acaf

SHA256
0c19fd5454c5af0e1f3d12943676b7f6e8b26504edba5a4f8667936093bd8525

SHA512
9788cd90acaee028fc4fd1330339fe671e816dbf7af3a38e9d4b2e7489ab638f3f1caca65b1390b2ae375aacc9f29c5230166e774bb6d2a17db1b7c52dfc58cd

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
97KB

MD5
7b20268ff1cc793ad0a4d6d708c467aa

SHA1
09a3a9ae3823da376e16546b285d2604b17bb436

SHA256
6540d862cb4ac1174114cff2e803d709bec9c8fe22fdce68f7ba7ae9da227d7a

SHA512
6b831303175b28cd60dfc062f9fa1429c3dfacf43842c11e0db87ca293a4b66e3b120037273f20d9fb3995488863a98e6c7efb812142385750b821c35532de4d

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
97KB

MD5
c016700bbb150b958a0a2da5653640d0

SHA1
a06d43962ab62b7375c34aa8a6f53eb69f826bb4

SHA256
c6c6e674457a529bf45325a634f13c1f097f4cf90e770ac8a76b0f8af3e7d793

SHA512
59ea605d27c7b1bbacdbd1697d1ec22301a74f5f05f1c8b1611086f25fa7165d2f79079373fbed66c60715e4a147b1231dac382de6585cf170c5de187581c037

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
97KB

MD5
a628a8bf8df221d86867127219469aae

SHA1
b1772395251b238ea5bde61c38aac12b17d35777

SHA256
7cdf483e8f00fa60f640c226f4d6c61c547e4f84eb87543db1dd2ca2f213197e

SHA512
550a4498330de238fb55c11b1c1f0bb5a999071a46e68f4c060fd2f3b05076bb1bec6b298b83bd963a86fbe0693ea4a2dcdc2b980aaea6e630ff7ff5e9ba9cea

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
97KB

MD5
67b3c56f4865121fa0d798de5c702a5d

SHA1
42198f6b69e39f96206feaa8fc2b1b2cb290bf26

SHA256
b1927bc17670211c34897648c6f481df7bee2ef2f342d5280eb104ec3de2035e

SHA512
a7e2115eeff4e4ff47f542358f0ebf5262159576ef0a27391d79c945610d0d69038f09b4f491596a515f52bee4ccdb56608851b50b6683d9bd1e4b3ba748083e

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
97KB

MD5
8cf3ef9f2a51f968f33d2ca6c6fe81b0

SHA1
51edc1774ade78577473eca158d14e9f21b86f0a

SHA256
bf0fc364ec57072aa5b88204cbda079d12b7a1611e705f4fa2604b82bae57fe2

SHA512
3a39ad7c45bccf990db1a48299ccddfa2d12e325583a454dc1ddf2ee7bb51f80c43ba9f6b6dcacd088738f5730ac22961f2c198c514ff42cd568732369d59a00

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
97KB

MD5
00af34c0758d84aebb715bb2157fa672

SHA1
89e7023022fb8a2dd37a778a8e9f043b8b46a68b

SHA256
1c79da88ea9526987ce26a7e3a7ac77592ef2a938efab877d734b07d8a7fbfbe

SHA512
2a07d59e9b7c9494b73be9846198a6b42b8242c892a08020f74f7302d432ce477ddebe84e8a1d77f0ce3bde9debb49cfe059b63831e39a06d498b95e63c7497e

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
97KB

MD5
00df1255ae5b69654a89e2d68ac0f084

SHA1
52022d07536a7d295364a5d23416b734dc136801

SHA256
c205ec69d7a3381dcd9800ba5ea849b33464913090179c3e936c51557f622f53

SHA512
4d81ff71be832dfa35c92d028984743a4d874ba595757430912aeb014a90dafb27e9a11432d9253c946dafdbf6003d84e4503579214ef81496c219088939e9f8

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
97KB

MD5
97305c3ef0aa1153be12d45e16976aea

SHA1
63bf5eb57e0bf8e5515d41c31f86d48d8c07de4f

SHA256
f884d5eb86c0f5fc7cd353b60c0899a27e2bb28fda688bbda2090cb4b68cb95b

SHA512
2be90f43cd6ee0119e26339d99677971690c0e36d972444054b491b50587ef3e8dcd4ed4defb192e24a907342495002ed8a5fac35c3519a0a1d2630cca77735f

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
97KB

MD5
74d7f1608fd57ee345d5e2c56fcb883d

SHA1
894ff8e6b367fd152188dc979ac7c6f8472fbb80

SHA256
eefbb86f416854f0bf1b27501ec192832ef6435536aa47b8efb6abcd0da9301a

SHA512
64037261cdef213d23e0aa8b531d3d4fa1ed5f0e3caa38025faad573c0d35f667feed638288f3e301504d5c6ef60764b02b5b40a0448430b6b7fe0ccd01f1c7b

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
97KB

MD5
ec5e34235e06871ba0e97752482dc519

SHA1
aa6949116e9ac610497cb8090e5395c10307ac32

SHA256
079f5ed32fc1649b08a1ddb7efd62b9de3b64f4640dd8b8d0a3bdc990a8d0a8a

SHA512
350a1b3ad3c97f99409f6870927b11a539c95eda0c3fc311e65f73294e1a97886127c50beeb22ce351a7c66df1be03755df6c1ee99925d4c4a279553cf06ebe1

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
97KB

MD5
105f9663c341a9a02546ba97355b3278

SHA1
fcf3fc3160233eb59e868089ad3031067586af04

SHA256
2b64d37ad8d5a85ff9d8669306299cb2124948fce94b5d14e20c60f2f8105655

SHA512
93e76fbfae902d5443748b62a3484675bf90a5899f71dd6051453f8afff38c2c841bb92aaa9671d572bdb145a3307f403213c2bb8983b7658b11bf857a11f9fb

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
97KB

MD5
6217eb021223181ae6bcb3bcf71d1b1a

SHA1
ef81ab6d05b54c685d5f0eb9fb05eb743edd7453

SHA256
350389639c3e21493614735da9a082af5ab8d3156b653a8ff01c92d8f0f665f2

SHA512
6673a1d9d309eb09db5585cece13df1e60529317b12cc736a34ba5e771a49dd9727d65047c641fb2d2b02576b1f0f12d24a2f5ab51786301c96a5f785f39ddd4

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
97KB

MD5
4210dfd90307df3cd8398124f89f0a45

SHA1
01a0ad0cce86f9e55d056d17614d01c8ece12a9b

SHA256
904ba36f07add189d7d68001a0bcaa8be286a97e7161d092700656ccf00411e8

SHA512
367cc413e99f5fcf97c686de85311b90e7431d8e771d10c5657233500a3ba353415cded31bde9f98c868238dd2a0023677e50d3e56ec7a7cabbe35308e1828bd

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
97KB

MD5
b41dfb2f446db5cfe2aa7bddf74d62aa

SHA1
6e395d84b9bdb1ad088ad0df9c5f12a6da20e2c1

SHA256
c711fee0cd62c44fc3661a571f740d03865b0e225f12296bd5318dc4a48363c7

SHA512
e521a2a0cd5bf9bacedfbe3fb42c67ffcccc4c92b8ceede059eadea447e453ef78c1136c197818888c2c49f74e7f4f4c9c667fb305166a0a75d1c0541359b997

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
97KB

MD5
14da75c8f6488c23052126da4d881131

SHA1
83cfd9de76e12f81851770819244d36cc98da697

SHA256
4171f34268411f6b9b54104caa45e232d9847c85d18b87ce2bf8c265a45dbea3

SHA512
79bb941b3b2caa0f7edb52831f682c14611387ae478124afa02d44124a20179e12690f31012ce469764cdaaf33a281c229274e45d9aec924736298b6bb45411e

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
97KB

MD5
c1b186a4a8b00081fed7e55433ab66d3

SHA1
fbfd0ed199b04869aee558dd3b3ee75b081862cb

SHA256
1ed5ab6dc2a76578e680779212a2745819aa8b858d79e67281c7bcfb442956e6

SHA512
b8b08c0529afff86fc676202e2c785f233cf9f23d697e6cc40efde9540c29dc9b5067ff376e64772a9d5a3b12ce146bd7b551f02dfd777768b7d02f598dfba7e

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
97KB

MD5
914f03fa715e52bf6d8bc46d5983de63

SHA1
8f0149264700414cc023f9e794f8efad5a7ffdfd

SHA256
d133e17c94f1edf0bbf2315a1b90662a1cb69f438e1c9208c9ef45095d0c626f

SHA512
c751032d9637fef90ef1fecd32db37af44e89e6fa50038402cb8e311390b3d5d5eed452a95af724f98636d788e2f029db84d65c92ecb3a44be308fa1a2cd4001

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
97KB

MD5
c11e0c0f32e2f575f8c0a4d224647d1d

SHA1
1503898deb94bd82580836b34ca0de5bfcb81a6d

SHA256
cbae3c4a6ab3dc6f7e0fb1f77c6ffc126df43be641643910ffdbb34e50480f3d

SHA512
2e81007ff41c8ccb8ff4102b4571ee775b9f49eca16482877c8ce0e9de4f9c74dbdc3b0aeb73b35296bb59901513b25a11d2d0ac68221e4a45b7c56efdffc5c6

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
97KB

MD5
3d7a8d52d4fd5f3803c24a7f7c97b661

SHA1
2ac4d40341248c21e92531c0b8c5a59ff062b65c

SHA256
feb050fdc4fc74746cdc7cd2c34044a4bcdf969117987dedd0526aaf7ebc8696

SHA512
07012e7916e8412a23b146003f56d9f7175a3cad262c35e1c175354553e5fe7bea15dda4d39346a4b17030f456af698235599f851909a2d127de55272bdac999

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
97KB

MD5
8c2805497494c8df0fd8648fa2063fbb

SHA1
3adce45249c7d2a4c26c71164ab06be56c0df706

SHA256
d23439a056162c2f0ddcbc26eeca0239254e74b9525abda751c957f61e08c81a

SHA512
9e0bab338fedff042651e4dc99cabf41e717cdb48751602c70c20927d85ad07cd3cce6694a2490a2b36abebfb68b648f00ab659bf9a1e97b63752068c0c7990f

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
97KB

MD5
3af2747e4a01d2e82b8e41e130433c27

SHA1
ba2dd96641cd31d7cac3b8eb948228d0b48858a6

SHA256
a4ca5860e6c4c32e92031765fad954baf5bf4cfaa3024bb7aef33b613552b668

SHA512
f948e72a3ea3915f905f1e88e9860ad90a45eaa84a49995ad97d79ca7dc3fbb6e610dca72837ea7db807ec9992eec74e85b5487c297bf338b298c3b599df3eb6

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
97KB

MD5
6b390cb9fa12168051e499d3addc784c

SHA1
dbe118763db0c95de3863d18010a64e10b5a01e4

SHA256
efd23af7b136301abc30f54eb3c2b0e3d19b011ac4c5bdec6c0f539bc4e33adb

SHA512
d54bf2852259b38dd31714a34dc3e6da83b6c05ae56fe12c1326826608d02cb050515e46c1cc0d4e40872be225a07a62fc406be3b1ddcdfb87749ffd8afe800c

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
97KB

MD5
93b59443443b0b9fb2c21e3bbc8db078

SHA1
2a4f97e856add41908a5bc3b82705a4b8df099f6

SHA256
2346e2a99b1399b0b21b05c53666a0866039cf7d045e0bff54e127e060c849f9

SHA512
e180ea143322d4d38c62e9a23e598138b31d319c89e4d2f362f2b009895ca3ba4dc28a1c009f8dcf28ebd65c459d93641c54402d1e78d1eef428b05abc9a3719

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
97KB

MD5
93b5150caafe26012a3e07d95ab7071a

SHA1
10289cf71002bafc1cd2b2d4aaabeba1650114c8

SHA256
e6973939979224466740a7b353f89bc3a97c6936b53d0702463cbff99b1ff379

SHA512
6a24ca53251dfa02cff2da3c8f35668ce32de82e2adb70963d03dc7cf9acf3b31e0e221060fa9b4a623cb01d372ba6c3af9e32f25a5cdbf53d24b06d594e1f6e

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
97KB

MD5
b0ac68b3b1d4362fc00b7a2119031ac8

SHA1
ef4e45d7a814a224bb6db59dce7bd11a04129e4c

SHA256
44620465c48b672c15b2d9c76a6f6adfe24683438967e844f87833c9f95ab693

SHA512
ca64cbb29e32a2fc0339bc522306f5fcc1f1c9a396bdde6d89d99d26acb4bf1f1f25cdf40f72ccd4e12907ddd7d28570d61c918790eb2a10744b0e1ae68e4bb7

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
97KB

MD5
50ac83e4144a68efd6b8e0b9ef3e22f0

SHA1
28ae49188f3c2495a9e2ee6098309ea07b23b971

SHA256
2fdfb7f1518ec71c200f94e7b92674bec0ec40c2d763a0a1842a36d578669c06

SHA512
39cedd32686450a592b6c5cb1cd1dfeae7908fa4296ce14b6a1f74698bf2bbf7376c0b3240feb7c6e089134610c3450b19e199d0cec1a0e6910cc0bf08385d9a

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
97KB

MD5
351455fd7a0e1f5c36f30a3b8e0393ee

SHA1
9d0ec6fcbb969b60e5d3aac5ce2f93cceffbd30a

SHA256
3584a154a50b24c5bc9d087ac8f2dc5935464ea6d90b74778f015755bcc6bf00

SHA512
9a9cae546d2b676773cd206b07cda2beaba1a3e7c57373bb10bf49d9687c9f92a7586dd79ea4c1bbbf8866ae6e8db9190475f240857adb34fb64c944f6400ec4

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
97KB

MD5
715901b337a38c447cd1388a5c6dbf40

SHA1
5d2110f3674098f275cb0e9c593289d42d6059af

SHA256
389f5cb666b4f0c1811905a57c6fdddd5ce904ff57ae1dad17ba562cab77570d

SHA512
0e011d9aa20336351531107328d18d94d92bd6bb85be79d5634a8d89272a654753b9d83bcd82b6b564c68dfab627fcc26ce32ca9fd442fc7a9924060749bbcc2

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
97KB

MD5
998cdeb037b72faacca3b81133b340d9

SHA1
0001b7ba78e470221ecb72221a5109e6432f4ab8

SHA256
75cbd4f092617cbeba0880fd52e0f9526088e55df30e89cf70e8c8dc305f0cd2

SHA512
488a74e3164772daec12a7c067cf4182f047a02ca2cc61a8ea394ae6e3374557f0378b0943c98a298b84e455d82fe8630b8628673d714e54cd14165f9d05cc47

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
97KB

MD5
03ada7a6b3ff45bf468c92370eb848b3

SHA1
5a7cdc9a412ba8263a9ced4c16c5f345d666a0aa

SHA256
1b3aba60e7a6abe5c1c50800685808e569164994a09c00917b996ba7f73d3858

SHA512
dc44e592cdb5b1ce827c7a885995ac5a0ac711ff545bfb87f37a333ab9882988593fb6fce86726f9256885ff787f03bb9590ff0b2511989f43d87a49f9862873

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
97KB

MD5
39cba985bcfdc27c84d0ffbb6589c079

SHA1
8f47198450e96ee54c3b38595406409c3a64e893

SHA256
aaf9483d040f29778ff84b6ef7a2d0dd6b9a8c2fac81ab688dc3adedef67a8fa

SHA512
fd21645de0443c5f52133b67704167913be73a42fbe0b72ccaabecc9f1e50c620d314ecb24849abfb39e10dfc3844819ab3f0cdaee2339b3c09001cb958cfff9

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
97KB

MD5
1c338a0799d5682c7e67c3d3e95004e9

SHA1
71599d85889a941cd902387412449b6ad81a30c4

SHA256
2d8f17a898c7347bcec9d48eefeeae6a2c3953e00d1d67fa9fb95f2055d4f55b

SHA512
3016157580e9f0a1ecf6aecc6c0c955171dd818a38afd9017c5d9e3ad5f65b3e84fb1480d4188174d11c9c8380c18e47389fa8efc8d2d0274e7da1b0c79263b2

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
97KB

MD5
501cdb2f08d1b3b0801ea3255800574b

SHA1
daf4b64ec5132ec562c5766bfe895f49792ff83e

SHA256
e94a81bc870f11ae2ab5abe29ced5531826436572811215393b62955ac43d957

SHA512
5d1cd7b2cdded712c335ff88b9aef1c71d353389097192a8129888727af60bad9a301f304eae199b25b315614cec22a2e15dc558c9b9252aad0426aeb8f22a10

Download Submit
memory/212-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/212-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/228-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/336-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3892-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3892-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads