f7d618791bebbb1b90049dc984f97d2c082fe6a9e0f81e246aff837e18e6e852

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7d618791bebbb1b90049dc984f97d2c082fe6a9e0f81e246aff837e18e6e852.exe
Size

80KB
MD5

dab1487a3c89f7ede797cc21110b60b2
SHA1

7fef8055c9c8c3122e681140223cd1ccedcfdc3b
SHA256

f7d618791bebbb1b90049dc984f97d2c082fe6a9e0f81e246aff837e18e6e852
SHA512

8fc481cdd3298ba643791fe20bcb9ad997db6e179a449282aa7ef9e63717c119b57a10bd8a5c9bc702ce7cef9074fde5d2914d54098a0547bd167e3bf457d01b
SSDEEP

1536:+aZEG5mvITEHEUlveL5hjEnI7k/2L+aIZTJ+7LhkiB0:TimmQoNGhMIoE+aMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f7d618791bebbb1b90049dc984f97d2c082fe6a9e0f81e246aff837e18e6e852.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe

Executes dropped EXE 64 IoCs

pid	Process
1652	Jbkjjblm.exe
4564	Jidbflcj.exe
2724	Jpojcf32.exe
3368	Jbmfoa32.exe
3492	Jkdnpo32.exe
4684	Jpaghf32.exe
2736	Jbocea32.exe
1344	Kmegbjgn.exe
2132	Kpccnefa.exe
3288	Kilhgk32.exe
2864	Kpepcedo.exe
656	Kgphpo32.exe
332	Kmjqmi32.exe
3152	Kphmie32.exe
4704	Kknafn32.exe
2648	Kmlnbi32.exe
980	Kpjjod32.exe
4996	Kdffocib.exe
5036	Kgdbkohf.exe
4384	Kckbqpnj.exe
5044	Lalcng32.exe
1616	Lcmofolg.exe
4080	Lkdggmlj.exe
2544	Lmccchkn.exe
3120	Ldmlpbbj.exe
1952	Lkgdml32.exe
3968	Laalifad.exe
920	Lpcmec32.exe
3972	Lilanioo.exe
4812	Laciofpa.exe
2024	Lgpagm32.exe
4580	Ljnnch32.exe
4344	Laefdf32.exe
4608	Lcgblncm.exe
2068	Mjqjih32.exe
3344	Mahbje32.exe
3956	Mciobn32.exe
1016	Mkpgck32.exe
868	Mnocof32.exe
3668	Mdiklqhm.exe
544	Mgghhlhq.exe
2476	Mnapdf32.exe
1692	Mpolqa32.exe
3168	Mjhqjg32.exe
3348	Mpaifalo.exe
4408	Mdmegp32.exe
3644	Mkgmcjld.exe
4024	Maaepd32.exe
3080	Mdpalp32.exe
2508	Nkjjij32.exe
952	Nnhfee32.exe
3384	Ndbnboqb.exe
4520	Nceonl32.exe
3664	Nklfoi32.exe
1536	Nqiogp32.exe
4820	Ncgkcl32.exe
1896	Njacpf32.exe
2348	Nqklmpdd.exe
3876	Ncihikcg.exe
3016	Nkqpjidj.exe
4352	Njcpee32.exe
640	Nbkhfc32.exe
412	Ndidbn32.exe
4624	Nggqoj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1628	2900	WerFault.exe	149

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f7d618791bebbb1b90049dc984f97d2c082fe6a9e0f81e246aff837e18e6e852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 1652	404	f7d618791bebbb1b90049dc984f97d2c082fe6a9e0f81e246aff837e18e6e852.exe	82
PID 404 wrote to memory of 1652	404	f7d618791bebbb1b90049dc984f97d2c082fe6a9e0f81e246aff837e18e6e852.exe	82
PID 404 wrote to memory of 1652	404	f7d618791bebbb1b90049dc984f97d2c082fe6a9e0f81e246aff837e18e6e852.exe	82
PID 1652 wrote to memory of 4564	1652	Jbkjjblm.exe	83
PID 1652 wrote to memory of 4564	1652	Jbkjjblm.exe	83
PID 1652 wrote to memory of 4564	1652	Jbkjjblm.exe	83
PID 4564 wrote to memory of 2724	4564	Jidbflcj.exe	84
PID 4564 wrote to memory of 2724	4564	Jidbflcj.exe	84
PID 4564 wrote to memory of 2724	4564	Jidbflcj.exe	84
PID 2724 wrote to memory of 3368	2724	Jpojcf32.exe	85
PID 2724 wrote to memory of 3368	2724	Jpojcf32.exe	85
PID 2724 wrote to memory of 3368	2724	Jpojcf32.exe	85
PID 3368 wrote to memory of 3492	3368	Jbmfoa32.exe	86
PID 3368 wrote to memory of 3492	3368	Jbmfoa32.exe	86
PID 3368 wrote to memory of 3492	3368	Jbmfoa32.exe	86
PID 3492 wrote to memory of 4684	3492	Jkdnpo32.exe	87
PID 3492 wrote to memory of 4684	3492	Jkdnpo32.exe	87
PID 3492 wrote to memory of 4684	3492	Jkdnpo32.exe	87
PID 4684 wrote to memory of 2736	4684	Jpaghf32.exe	88
PID 4684 wrote to memory of 2736	4684	Jpaghf32.exe	88
PID 4684 wrote to memory of 2736	4684	Jpaghf32.exe	88
PID 2736 wrote to memory of 1344	2736	Jbocea32.exe	90
PID 2736 wrote to memory of 1344	2736	Jbocea32.exe	90
PID 2736 wrote to memory of 1344	2736	Jbocea32.exe	90
PID 1344 wrote to memory of 2132	1344	Kmegbjgn.exe	91
PID 1344 wrote to memory of 2132	1344	Kmegbjgn.exe	91
PID 1344 wrote to memory of 2132	1344	Kmegbjgn.exe	91
PID 2132 wrote to memory of 3288	2132	Kpccnefa.exe	92
PID 2132 wrote to memory of 3288	2132	Kpccnefa.exe	92
PID 2132 wrote to memory of 3288	2132	Kpccnefa.exe	92
PID 3288 wrote to memory of 2864	3288	Kilhgk32.exe	94
PID 3288 wrote to memory of 2864	3288	Kilhgk32.exe	94
PID 3288 wrote to memory of 2864	3288	Kilhgk32.exe	94
PID 2864 wrote to memory of 656	2864	Kpepcedo.exe	95
PID 2864 wrote to memory of 656	2864	Kpepcedo.exe	95
PID 2864 wrote to memory of 656	2864	Kpepcedo.exe	95
PID 656 wrote to memory of 332	656	Kgphpo32.exe	96
PID 656 wrote to memory of 332	656	Kgphpo32.exe	96
PID 656 wrote to memory of 332	656	Kgphpo32.exe	96
PID 332 wrote to memory of 3152	332	Kmjqmi32.exe	97
PID 332 wrote to memory of 3152	332	Kmjqmi32.exe	97
PID 332 wrote to memory of 3152	332	Kmjqmi32.exe	97
PID 3152 wrote to memory of 4704	3152	Kphmie32.exe	99
PID 3152 wrote to memory of 4704	3152	Kphmie32.exe	99
PID 3152 wrote to memory of 4704	3152	Kphmie32.exe	99
PID 4704 wrote to memory of 2648	4704	Kknafn32.exe	100
PID 4704 wrote to memory of 2648	4704	Kknafn32.exe	100
PID 4704 wrote to memory of 2648	4704	Kknafn32.exe	100
PID 2648 wrote to memory of 980	2648	Kmlnbi32.exe	101
PID 2648 wrote to memory of 980	2648	Kmlnbi32.exe	101
PID 2648 wrote to memory of 980	2648	Kmlnbi32.exe	101
PID 980 wrote to memory of 4996	980	Kpjjod32.exe	102
PID 980 wrote to memory of 4996	980	Kpjjod32.exe	102
PID 980 wrote to memory of 4996	980	Kpjjod32.exe	102
PID 4996 wrote to memory of 5036	4996	Kdffocib.exe	103
PID 4996 wrote to memory of 5036	4996	Kdffocib.exe	103
PID 4996 wrote to memory of 5036	4996	Kdffocib.exe	103
PID 5036 wrote to memory of 4384	5036	Kgdbkohf.exe	104
PID 5036 wrote to memory of 4384	5036	Kgdbkohf.exe	104
PID 5036 wrote to memory of 4384	5036	Kgdbkohf.exe	104
PID 4384 wrote to memory of 5044	4384	Kckbqpnj.exe	105
PID 4384 wrote to memory of 5044	4384	Kckbqpnj.exe	105
PID 4384 wrote to memory of 5044	4384	Kckbqpnj.exe	105
PID 5044 wrote to memory of 1616	5044	Lalcng32.exe	106

C:\Users\Admin\AppData\Local\Temp\f7d618791bebbb1b90049dc984f97d2c082fe6a9e0f81e246aff837e18e6e852.exe
"C:\Users\Admin\AppData\Local\Temp\f7d618791bebbb1b90049dc984f97d2c082fe6a9e0f81e246aff837e18e6e852.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\SysWOW64\Jbkjjblm.exe
  C:\Windows\system32\Jbkjjblm.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\Jidbflcj.exe
    C:\Windows\system32\Jidbflcj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\SysWOW64\Jpojcf32.exe
      C:\Windows\system32\Jpojcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3368
      - C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        40⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        45⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        66⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 400
        67⤵
        Program crash
        
        PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2900 -ip 2900
1⤵
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
80KB

MD5
db0848e9380d15278ab9c7f1298c2d23

SHA1
42f07a4233eddea535b7277a95ae6f61576d23df

SHA256
02ff37d7b5f40491580ee141e385ab41b94e2d2299aaaf0a1a5b9fb3842cac8a

SHA512
3cca7dcf0711914f6bf2f90830f948a84016fa49623663b515a4d2f90eb0ea3d4f98a4d6fe03c017b20a7f317f051fff0e5a6bd0d2bbfd6ad872442660e4c6bf

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
80KB

MD5
f764d77078dafb85ef5f6b8a33c4aa5c

SHA1
43b0aeab919ec5d3b6beec11e0ecdf7f8e5cce37

SHA256
eb8002b87ec5adaae67a33a3bf125c25822f42d777f3b3d6ca37f041e0c2e61a

SHA512
3737c16a43e7695ff73a700e5c04961fab62d02a7eba2135c729b88542553bbfcb2a088baa6503ed4dc05552304145a0267e8fa8dc6b2d44a806432527fdc54a

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
80KB

MD5
a0b6a8bdda51866e9cfe56acc0b535a0

SHA1
0dd09dd8694cc2b3fb68921ab77fd30f17877d09

SHA256
b483bc7d19e485cdbe4a4146dc88d12a1fff2372126ba655cb0368b963512727

SHA512
0364844e8efa231b0e7a6ab82b8d063e8f99498d04c6ab893d3f00339b6a112cf6b61ba3c879c07a28843ae13835f49340b14e191f4cf3f9149fc841d7adba8b

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
80KB

MD5
9c1d05d270d7d2f16cae71307ce9109c

SHA1
aca23b5108316e0308943a8867798b65d70f4ccd

SHA256
d430621671c6c14e54bd3f871c9dea255381b2b2fc41dad8e58af8c12978681f

SHA512
27c807f2b35016ac4ecba4052956f8204f428dbec2932fa79e82d840f7b0639401a3af25389652fcba87577114fe7b7ea0aace4e38a9e2df35658bb531e90ff3

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
80KB

MD5
c9a56d597e1ef0b33949f695d2605c83

SHA1
d38fa3fb654c75ba65e957bfdd98ea9e845aa273

SHA256
cef996d563ac86f61f1ae5d3d96c30d61d22711a1fcd8763244f507b8564836f

SHA512
5c24b4194976c21cb9b29b3058f164545fa81650897d4098394eae6bf137b276be923960e2000554ab67f8fca204107cb7f327331964d444928496547bcf1790

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
80KB

MD5
7289d8cbadc4d09017b82316726df456

SHA1
28f9539c683f6162b41124d4314bfe5c9bd75b63

SHA256
9aea31c53839bf919869fec261e13dfbe9a1b52e1b4c9421760bba7be2ea2576

SHA512
99102dd52580fd73dbb9202e6da1c50bc3d887272923d3a3da76d9fa1bdaf4710f99cd1f75924960fa9d735975f4f76ccdc76734da7c0b7b52141d83dfb9b3d6

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
80KB

MD5
6bcdd2380136f324e48af3235ed3f69e

SHA1
24bc9b9daef48a07feeed50c798ada80c8a56597

SHA256
72a49fb1ba3e55ba05b481ad50272c39aa3f9ec46af333e036848b03fe696c27

SHA512
d07dcaed2e57f5026526287ec1d732b0e796932458751d4b45bfc5182bd5fcca5d7d719199917d45664ba569d26dccf71a892093be65a07e3fca287acdd8fb6b

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
80KB

MD5
1be54a7c37dcfc0df01ea89cf53e14dd

SHA1
5dfd623e092f763ef71dbd96b13582521f977a44

SHA256
9673f66938db4e736660306d5ed86443ab872c07f7e60619bed75fa83b3060e2

SHA512
3856f4abbb47ce65894f5ae26d67546de82d15626e807a21d80759b263307141f64bee68d3a5d987fb2229a103c652bafcb9e14a58fff081c16cad3182b55c82

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
80KB

MD5
cfb5ff622a24b6bb2ba8238627f9cb77

SHA1
f9953fc43a8a8867a6a5409193696db8a88bd1cf

SHA256
721d1246dd5e1b449048bc5f39c376adb7a0cd2621d5d512ead90d2f9a94c03a

SHA512
67a585efc26c7cc08b2c418bcc4fde5c26b6d902488f0900bfea717e91befa2bcae3665adeb4abec834516ec17083380b330137b94749b1f0824be5240159553

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
80KB

MD5
313e8f6e867368f50de41e321e2fc6ed

SHA1
d97c17bcc7494c2a3d1ee5bc60b8ce3a9a8a4ee4

SHA256
63bdc4a6c9635b6c871b2bc0ab8c4c80e82f63f139f99c50eb1dd7d4688e8ea9

SHA512
71972bbf0264581e167667ef301bd2d202082630656d59d2ad495cb1976e797ef4ca98db426665ce6821b4b86b67ca46deb7f86c1de4e00b64e4d303e67ec4bd

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
80KB

MD5
4e94d297b26e0822e0cad0b563a8af5b

SHA1
a8ce60553ac128cc9bd41b7b05fedfb196a7833b

SHA256
936d804c3feba6128a585e66db3f3750948d31f7c903c701eb0907d88f9e0f63

SHA512
68de78212e27c98a47a07ef2136894ae911fee71f2cc917097e6830b39d10b3c811f7f18e1d8fccfdde4713a7a1821d066b03958f511fffc5de365bfdc8d8863

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
80KB

MD5
bddfb0db657c2ce23f164227c9493900

SHA1
896a9d9e440fd09b09a619ed56ade28271ff3578

SHA256
645f1cab581ca8f07b11191384be605f9d0cadd8a38e79106f2736ca7d692ff1

SHA512
c24ca4b3e65445e2bb6524f0231a6c1ad4c3a3c659bfde26b2dda4dc1561e254687394ed6c004164cbfc74aee65d253dc4abf05490fded2b196af12f126c5477

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
80KB

MD5
4d5895e2f9cc8c3ec46c816f6a6231bc

SHA1
0413f396788a99726ba76ebad217ac4f7d70a5da

SHA256
b590047dbe1dac04b2fe510bdbe36ed0d526a725ef3d4520017bd251e2b8eb02

SHA512
efd14b5704e2bada2f270ba9d875e26450302ba7fa082c466cce7cf1a374b1b5dbbc8deb8a33b07fc79b6be9d71c23f5c72b2d096217061c58419bd56eb0b41b

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
80KB

MD5
1ce3080d19de99911abca0d11f92986d

SHA1
c76ef4abd9e31b6b80c6f33b1576dc4f13c8713e

SHA256
9ae1c59a4a04dd2bea12e8a5f1d678f32c1ce2fe2bb29230ed3d30a807baaeef

SHA512
c02395d91e5001698a1ae9f53a2d2891a6a6f94f5cc85a9283a24bb94a8186a79649ba1b9cefd8269ea41429673db5b414bce82d0146a2081672b934ea82b39b

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
80KB

MD5
d22cf09bfa94040869315ceec1f1c935

SHA1
35b659076644553de3d9b0fe4d623630427a65de

SHA256
be6c06c26dd7db641125d5d7aa1510c9c98ebe94078295efaddda0a69e4a926c

SHA512
f0d0f811bd5b0542ecfd2419f663efe8f32b5d20e5b5f462bb61608db72090d52b56a54ad05927d5ba7df1e3a30128149b7416c0eab478520eb92dce361c83af

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
80KB

MD5
370221603f41a0ba0bca4470ac0329d3

SHA1
2acbe682b5cd07c5e870c01d8560c917c7767137

SHA256
fcd2facff5272fe32f5bc13311ffa4d0850e9410866e404ff5a906acd8294f1d

SHA512
8121a5c3382105dd43a77092b0cda62d08c76c65045a48ebe2a270cd7296af4652f50695346e807d0286d87b35ce5c24cb9bd634a91a04748ca4d30431b18f19

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
80KB

MD5
2ffa2b1a066407202e9cc7f94d958aea

SHA1
9af9065410e3d68f7397c8db9cc1e06b899bbc6e

SHA256
f99023587f0e5551b031d114a48a2ca7b0bf905295708aaf6b19e61450644d78

SHA512
4c6b2b3dcb7d253dbf68564ca1be0ee15dfd8cd98582b07e359561ed7b230fdfdd69ad413341c975d324854168e87f7579d248b2fcaaf309600fee8c85155f91

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
80KB

MD5
4d20ee924132692fbb999fdc48db4dd5

SHA1
c07da09544f71311911bdd5bd158954b3a103072

SHA256
016ce45b81f497360b8c578c87f4cfa7794b348dd5b4cc3c45a633c7c99772dc

SHA512
0b38265140179182535af0a54bcd4c483b5dcb2a711741b4fe2ac4c8a32b6d4d5503b7245d9dca9f9e135a77c48e357d7400723021fc89bf1276d0552b473cf5

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
80KB

MD5
6d73d5c494f09bb49ca90af9f25b3588

SHA1
24e0e0b59a50f3db3ee05a2ea34a07344a6a11da

SHA256
882ea97280c0214e8a2575be5a3f234ec7fdd352b8ea56a3f3e4b8db04d10a35

SHA512
d167354e51166c9af206115c261b7f87b8069611ec3a7e65b75076e24991e2d6dfd99d1008e0ce2063818485161c51225bf8dadffbb4f1cb4feddb74c0675695

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
80KB

MD5
a97df0075bcaa1856ceb27172448d6da

SHA1
5db8764097e7f295227f8603fe56bba2534e9276

SHA256
d800ec98e71cc686ebf0b25ae9c0dabc7be8328ce8b76af6313ae30cea33ee25

SHA512
40b4efa4def809a0c878829bb242403c70f9adaa00e3318254060108ea27abe678077e30a5f3703818a69a6e35fe89d50f9f478aefb47a536c4de5bd26444b48

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
80KB

MD5
f62bd1b74ab2d1db1ecf917a9fb732c7

SHA1
eebf6e1bdb1cfa488f1ea795a0c1bd47213e87f9

SHA256
b98c524084105c1208061b8dbfc7f991e68daacac10d7a49381dcaf7e537b72d

SHA512
ee2b2d4655b862c138a830abe0f54619f3a9a3bc91ab376078f048d118a0e9d4943bedff6d5edf9f5a14ba90e2728a4b7d25fb8e55c5e7dd6c8dbe1557466151

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
80KB

MD5
1739aaa9320581be7d206efdc9f62eaf

SHA1
4200855362b4b408f49696677b5c6e1ed7f2208d

SHA256
e34d15264f3547e449741b261686a93c1650dc99493ccc6bcca30014d245101d

SHA512
74ab0768a1b122697e0d813f786e44ce59d8b26781d1620960e75ba701bcadc4d2b76dc414439209a7725b4900c6c908e9b808fb8e10eed5c46a91b1ac5e5c28

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
80KB

MD5
c6b1e13dba24f6874e2fadf64fc83521

SHA1
10e632ff9d05f5bd36eb630c0b40143e0c68e965

SHA256
d2ceafe09a6a68a930ef7f4bcee1a1d83af0bd60652004f1a67572e733eec54d

SHA512
13e5015515a77448af17d90967f2c17e36e46f09b4f14f46938d83f093aa7387f92e8dffe8ac5a2f4cd23aa5cbbd6f50a7aacec6ad5ae5aa0ca62b7e58e803f7

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
80KB

MD5
c3ed92c4d2fe15e65a8e4f178de2632a

SHA1
6ec8c613b529b59db5c077f94d93ce29a80a7b4f

SHA256
aa3eb5b148e9175c0aa23fd600bab8b7488f7c7e44e2e3d30168f27b21fc8a00

SHA512
ccd028b199d1bf3e19f2ad3acd07af5daebad7a894d11b5acccf3b620a176fd2f5a166a060c3f39374f17141da0a7f449221333ce6824f0a5ac7c161884905b1

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
80KB

MD5
314b39226fc258f9465fd4f5db2c3d2f

SHA1
60a327f4f4f05d1b3a3726ecd342e7b9b143bf6e

SHA256
0904b2f98f8cb66f51c57e838146c64d018caf1d78665efb525f3cfad66b7675

SHA512
354891e80609900cd1cae35c3664d04b8c38fe00bac7ad7aeed5ce6be3d2d1b7e259cff51f796f1f40316938a0c4d531138891c7e516c3e81586c0297acbf720

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
80KB

MD5
c02bc76718520f655e3287fa6a8bd102

SHA1
aa7f9de6bf11ec34ee4e08b00d104a0e801bdfcc

SHA256
40faf32646dabd1f67e31bc1bc9bab0445661815f6397ed3e9489c41186bb025

SHA512
bfe76fdefee81e313e7dbe99a3394805848ede01d4d897a3158c83f82cf7ab2606c68544832b98807522a2e5dd2c2bbd45474fa09063e9ade3deff8a29c05215

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
80KB

MD5
7fe8da9693a2b90b606d17f00ee9ba4a

SHA1
979052358ea68a54e6f359ec0c223f9d3d456e4d

SHA256
8cfa14146cfb0d6b68237461deba64e0a5d046079af2721907121c4e59f29a0c

SHA512
4233e64d26f3f7c001a77c622c088ccfb49828ff2a2f8444e1f5b37e8776e9e5dd8a29389e51c931867b125c0699be853e7f4a6966ac0216544c7fbd0bd00960

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
80KB

MD5
df04f629f7b09bee21df48d41341601b

SHA1
8f65b3c2e279017391a8810be77b1b136fbeaf89

SHA256
56b5816f10bbf21aee569cab2e72e54014d4882a2fd125202e53700e7ab7c0f7

SHA512
389e29b1a928cf6faa30a2a0db71d590a9132c36b4fb0847e6bdc94a8f007e7859c6c9251ea3a3db30558aa38bd888d0f88f937af4dc082c37b662aba4ca5343

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
80KB

MD5
d7a448a2a5333eb54d3412a3839b1dda

SHA1
cc058288b8914764ea5a9a97e4af0a07e8abf9b2

SHA256
7b0b362ddf6ce04dd520308447af9431e2a956ae5ba5b0cf5496e22151f99426

SHA512
d3d61dadf280bfff78389c7f0cd160e977d0c3fc22e4c3b44048ae05811c8a86abaf57405cab6fa36a3176423e5cf12e105dc6c92e7df681bef40f387a21b489

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
80KB

MD5
1f16de8c7628c724a6f169c4c2886cfa

SHA1
78fd5b29d306839b753db9e3a0a2cc26cee09c36

SHA256
28c8fccde9d1a4fada752a238efbf03a6c07b76067811349a489c0f6f02e8dfc

SHA512
40085e860173a0ba15d31ff8efce1abdaa59888c9a754aebf9cd3795799ede6df7c03a3b86fb84479fdb585ab66bad70a5a55e05d5ff32ebf81c2c15e4952a52

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
80KB

MD5
846a9eaa58e75d70453be3c61fc42ab3

SHA1
430c65e099b9557c75757807ad105d98633d003b

SHA256
016534df800d5d5161ca0751faddbce4243673110fb8bc97a99b77165031319e

SHA512
ad2d5241fcee7ab3693152eb52c7a2af6d77c911540723a615a3d74d921bc4effc40c98b406782c2d761b72ab9ed1bc33f4277fd53e209d295e20c94ae6b8b15

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
80KB

MD5
2999bea0bf726eeacb7bc3d753f3ddb5

SHA1
2d45b9f58f66e8ee312e1f8da527a7ed3d3493ef

SHA256
3519146e657a1c659658bdfad342b369cc4bba65509de644082b1a900a7849c4

SHA512
0ae70aadf7a1cee07d0344a8bc8ebe15d821aae71c5a0a6f6079c0967346c6eca9e7e4b94f2fb37eddb93ba290d5309ab190b0aa63e1d8c050299bf56453c15c

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
80KB

MD5
1ae70c3843d1832cad1b855a2c0c02fe

SHA1
50ea90943ab3e10407c26993b58423a63d22cbe5

SHA256
7aa4ad61a870352b9109bfd1e808fa43fb1a8993ff8614d14f6fde8a1e4420f2

SHA512
fb992e9102bff34b581d754eb0145fc74456ddd8103484624cfa121308295d551418c90f2b0a2283621803d8203aa436d6a0267d0bf8627f53c466391a2e583b

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
80KB

MD5
3cc1aad532cda004ab416a440d89aac6

SHA1
d69e11c84285c4bfede8eaa2953703e0c91e1df0

SHA256
d50d018f6f043927cd40737f7aa462b6b35158db4f40710422c1fc40ce0cb769

SHA512
9054b65ea118b62f4f48d32c37c5d0a4d1a35cc11f0bdfc4a88edfa19c7f3c3a147198961aa35a861a89c30715b4d45a0805f67d0357ed5042947ce437d5553d

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
80KB

MD5
47c8321bc8c91642ec8bfce702d44cbe

SHA1
ee0116a51efe381009f46e9f5cd97b5ff36f4fff

SHA256
4a0abda7e79d6a74c0bbb3c0f11806a7104156627ac651ddb00b0190a72aa7ed

SHA512
6f09d0ad93d9159b06df5edf270773ff0cb9fb16e2667a9405269bfb75f20cdd7815ba9d2b3b162fb3cbe510893730054cd528c80e1a8e1541b2f49fb64660c9

Download Submit
memory/332-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/332-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/404-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/544-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/656-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/656-199-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/868-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/868-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/920-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/920-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/952-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/980-155-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1016-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1536-429-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1616-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1616-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1652-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1652-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1952-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1952-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2068-362-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2068-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2132-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2132-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2476-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2544-209-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2724-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2724-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2736-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2736-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3080-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3120-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3152-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3152-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3168-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3168-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3288-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3344-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3344-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3348-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3348-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3368-37-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3384-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3492-129-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3492-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-442-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3664-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3668-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3668-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3956-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3968-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3968-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3972-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3972-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4024-449-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4024-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4080-200-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4384-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4384-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-435-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4520-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4564-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4564-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4580-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4580-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4608-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4608-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4684-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4684-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4704-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4812-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4812-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-440-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4996-156-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5036-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5036-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5044-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5044-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads