e71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5

Analysis

max time kernel
41s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5.exe
Size

93KB
MD5

618fb6dcd0f72eecd6670ca482277615
SHA1

bee6d911fe7934caeb432770ae00866f582bb336
SHA256

e71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5
SHA512

e263103531c7a7af9d58dd98ad1bdb34fbca1b8723f7351f85d40780aa8fc8af5f735bebb99835e61857039e1dc48878dd09a07379403174d3fbe34bcd608def
SSDEEP

1536:sWvLFJOSwEo8d81beT8UuXEZsVmBv26rwPPPPPPPPPPPPPPXPPPPPPuzPPPPPP2Q:sKiSPXmbBV++68PPPPPPPPPPPPPPXPPr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Kgdbkohf.exeMpaifalo.exeLcbiao32.exeLklnhlfb.exeMciobn32.exeMpolqa32.exeMcnhmm32.exeMkgmcjld.exeMnlfigcc.exeNqiogp32.exeJpaghf32.exeLiekmj32.exeLnepih32.exeLknjmkdo.exeJpjqhgol.exeKbdmpqcb.exeMdkhapfj.exeNjacpf32.exeLgneampk.exeJbhmdbnp.exeMdmegp32.exeNdidbn32.exeJaimbj32.exeJbmfoa32.exeKkbkamnl.exeMncmjfmk.exeNcldnkae.exeLaciofpa.exeLilanioo.exeMjqjih32.exeMdiklqhm.exeJbkjjblm.exeKphmie32.exeLcpllo32.exeMahbje32.exeNddkgonp.exeMpkbebbf.exeMglack32.exeNjljefql.exeKpccnefa.exeKilhgk32.exeKibnhjgj.exeMnocof32.exeLiggbi32.exeJmbklj32.exeJdmcidam.exeKbapjafe.exeKcifkp32.exeLnjjdgee.exeLkgdml32.exeLpcmec32.exeLdaeka32.exeNbkhfc32.exeNcihikcg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe

Executes dropped EXE 64 IoCs

Processes:

Jpjqhgol.exeJbhmdbnp.exeJjpeepnb.exeJibeql32.exeJaimbj32.exeJplmmfmi.exeJbkjjblm.exeJfffjqdf.exeJidbflcj.exeJmpngk32.exeJpojcf32.exeJbmfoa32.exeJfhbppbc.exeJigollag.exeJmbklj32.exeJpaghf32.exeJdmcidam.exeJfkoeppq.exeKpccnefa.exeKbapjafe.exeKgmlkp32.exeKilhgk32.exeKacphh32.exeKpepcedo.exeKbdmpqcb.exeKkkdan32.exeKmjqmi32.exeKphmie32.exeKbfiep32.exeKknafn32.exeKmlnbi32.exeKagichjo.exeKcifkp32.exeKgdbkohf.exeKibnhjgj.exeKajfig32.exeKpmfddnf.exeKdhbec32.exeKkbkamnl.exeLiekmj32.exeLpocjdld.exeLdkojb32.exeLgikfn32.exeLiggbi32.exeLmccchkn.exeLaopdgcg.exeLpappc32.exeLcpllo32.exeLgkhlnbn.exeLkgdml32.exeLnepih32.exeLpcmec32.exeLcbiao32.exeLgneampk.exeLilanioo.exeLaciofpa.exeLdaeka32.exeLgpagm32.exeLklnhlfb.exeLnjjdgee.exeLaefdf32.exeLphfpbdi.exeLcgblncm.exeLknjmkdo.exe

pid	process
4272	Jpjqhgol.exe
1500	Jbhmdbnp.exe
2368	Jjpeepnb.exe
3184	Jibeql32.exe
1352	Jaimbj32.exe
4656	Jplmmfmi.exe
3188	Jbkjjblm.exe
1472	Jfffjqdf.exe
3872	Jidbflcj.exe
4756	Jmpngk32.exe
1356	Jpojcf32.exe
4064	Jbmfoa32.exe
1176	Jfhbppbc.exe
3416	Jigollag.exe
3604	Jmbklj32.exe
4760	Jpaghf32.exe
2232	Jdmcidam.exe
3868	Jfkoeppq.exe
4968	Kpccnefa.exe
1520	Kbapjafe.exe
4516	Kgmlkp32.exe
3164	Kilhgk32.exe
4940	Kacphh32.exe
2968	Kpepcedo.exe
4048	Kbdmpqcb.exe
4732	Kkkdan32.exe
3540	Kmjqmi32.exe
3192	Kphmie32.exe
3044	Kbfiep32.exe
3616	Kknafn32.exe
2636	Kmlnbi32.exe
4716	Kagichjo.exe
3368	Kcifkp32.exe
4416	Kgdbkohf.exe
2912	Kibnhjgj.exe
3084	Kajfig32.exe
2196	Kpmfddnf.exe
2056	Kdhbec32.exe
4592	Kkbkamnl.exe
4644	Liekmj32.exe
2268	Lpocjdld.exe
432	Ldkojb32.exe
3772	Lgikfn32.exe
2860	Liggbi32.exe
1160	Lmccchkn.exe
4700	Laopdgcg.exe
2972	Lpappc32.exe
4036	Lcpllo32.exe
1268	Lgkhlnbn.exe
3952	Lkgdml32.exe
3776	Lnepih32.exe
1560	Lpcmec32.exe
4368	Lcbiao32.exe
1844	Lgneampk.exe
1324	Lilanioo.exe
4256	Laciofpa.exe
2708	Ldaeka32.exe
2756	Lgpagm32.exe
544	Lklnhlfb.exe
2240	Lnjjdgee.exe
3536	Laefdf32.exe
1788	Lphfpbdi.exe
3172	Lcgblncm.exe
2288	Lknjmkdo.exe

Drops file in System32 directory 64 IoCs

Processes:

Mamleegg.exeMpaifalo.exeNafokcol.exee71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5.exeJaimbj32.exeLkgdml32.exeLcgblncm.exeLmccchkn.exeMgekbljc.exeMajopeii.exeMdiklqhm.exeJbmfoa32.exeKpccnefa.exeKkkdan32.exeKpmfddnf.exeMcpebmkb.exeNqklmpdd.exeJjpeepnb.exeJfhbppbc.exeMdpalp32.exeNnhfee32.exeLgpagm32.exeMgghhlhq.exeMaaepd32.exeMpdelajl.exeJmpngk32.exeLiekmj32.exeLaopdgcg.exeLilanioo.exeNcldnkae.exeJplmmfmi.exeKgmlkp32.exeNgcgcjnc.exeNbhkac32.exeNjacpf32.exeLpocjdld.exeNkjjij32.exeNddkgonp.exeLdaeka32.exeLknjmkdo.exeMpmokb32.exeMdmegp32.exeJbkjjblm.exeJdmcidam.exeKilhgk32.exeNdidbn32.exeMnapdf32.exeNceonl32.exeJpaghf32.exeKmlnbi32.exeLcpllo32.exeLgneampk.exeLaciofpa.exeMnlfigcc.exeMjeddggd.exeKmjqmi32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	e71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5236 5144 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
5236	5144	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Kacphh32.exeLmccchkn.exeLiggbi32.exeLaopdgcg.exeNjljefql.exeJaimbj32.exeLcgblncm.exeNcldnkae.exeJmbklj32.exeKibnhjgj.exeKkbkamnl.exeMnapdf32.exeNddkgonp.exeJbhmdbnp.exeJfhbppbc.exeKbapjafe.exeLdkojb32.exeLgkhlnbn.exeMpolqa32.exeMcnhmm32.exeNcihikcg.exeJplmmfmi.exeKpccnefa.exeKilhgk32.exeMdiklqhm.exeMcpebmkb.exeMjjmog32.exeNqfbaq32.exeNggqoj32.exeJbkjjblm.exeKmjqmi32.exeLnjjdgee.exeLknjmkdo.exeMciobn32.exeNqklmpdd.exee71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5.exeKpepcedo.exeKcifkp32.exeLdaeka32.exeMaaepd32.exeNgcgcjnc.exeMkepnjng.exeNafokcol.exeNbkhfc32.exeNqmhbpba.exeMjhqjg32.exeNceonl32.exeNqiogp32.exeJidbflcj.exeJigollag.exeKgmlkp32.exeLpappc32.exeLklnhlfb.exeMjqjih32.exeMncmjfmk.exeNkncdifl.exeNkqpjidj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	e71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5.exeJpjqhgol.exeJbhmdbnp.exeJjpeepnb.exeJibeql32.exeJaimbj32.exeJplmmfmi.exeJbkjjblm.exeJfffjqdf.exeJidbflcj.exeJmpngk32.exeJpojcf32.exeJbmfoa32.exeJfhbppbc.exeJigollag.exeJmbklj32.exeJpaghf32.exeJdmcidam.exeJfkoeppq.exeKpccnefa.exeKbapjafe.exeKgmlkp32.exe

description	pid	process	target process
PID 1808 wrote to memory of 4272	1808	e71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5.exe	Jpjqhgol.exe
PID 1808 wrote to memory of 4272	1808	e71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5.exe	Jpjqhgol.exe
PID 1808 wrote to memory of 4272	1808	e71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5.exe	Jpjqhgol.exe
PID 4272 wrote to memory of 1500	4272	Jpjqhgol.exe	Jbhmdbnp.exe
PID 4272 wrote to memory of 1500	4272	Jpjqhgol.exe	Jbhmdbnp.exe
PID 4272 wrote to memory of 1500	4272	Jpjqhgol.exe	Jbhmdbnp.exe
PID 1500 wrote to memory of 2368	1500	Jbhmdbnp.exe	Jjpeepnb.exe
PID 1500 wrote to memory of 2368	1500	Jbhmdbnp.exe	Jjpeepnb.exe
PID 1500 wrote to memory of 2368	1500	Jbhmdbnp.exe	Jjpeepnb.exe
PID 2368 wrote to memory of 3184	2368	Jjpeepnb.exe	Jibeql32.exe
PID 2368 wrote to memory of 3184	2368	Jjpeepnb.exe	Jibeql32.exe
PID 2368 wrote to memory of 3184	2368	Jjpeepnb.exe	Jibeql32.exe
PID 3184 wrote to memory of 1352	3184	Jibeql32.exe	Jaimbj32.exe
PID 3184 wrote to memory of 1352	3184	Jibeql32.exe	Jaimbj32.exe
PID 3184 wrote to memory of 1352	3184	Jibeql32.exe	Jaimbj32.exe
PID 1352 wrote to memory of 4656	1352	Jaimbj32.exe	Jplmmfmi.exe
PID 1352 wrote to memory of 4656	1352	Jaimbj32.exe	Jplmmfmi.exe
PID 1352 wrote to memory of 4656	1352	Jaimbj32.exe	Jplmmfmi.exe
PID 4656 wrote to memory of 3188	4656	Jplmmfmi.exe	Jbkjjblm.exe
PID 4656 wrote to memory of 3188	4656	Jplmmfmi.exe	Jbkjjblm.exe
PID 4656 wrote to memory of 3188	4656	Jplmmfmi.exe	Jbkjjblm.exe
PID 3188 wrote to memory of 1472	3188	Jbkjjblm.exe	Jfffjqdf.exe
PID 3188 wrote to memory of 1472	3188	Jbkjjblm.exe	Jfffjqdf.exe
PID 3188 wrote to memory of 1472	3188	Jbkjjblm.exe	Jfffjqdf.exe
PID 1472 wrote to memory of 3872	1472	Jfffjqdf.exe	Jidbflcj.exe
PID 1472 wrote to memory of 3872	1472	Jfffjqdf.exe	Jidbflcj.exe
PID 1472 wrote to memory of 3872	1472	Jfffjqdf.exe	Jidbflcj.exe
PID 3872 wrote to memory of 4756	3872	Jidbflcj.exe	Jmpngk32.exe
PID 3872 wrote to memory of 4756	3872	Jidbflcj.exe	Jmpngk32.exe
PID 3872 wrote to memory of 4756	3872	Jidbflcj.exe	Jmpngk32.exe
PID 4756 wrote to memory of 1356	4756	Jmpngk32.exe	Jpojcf32.exe
PID 4756 wrote to memory of 1356	4756	Jmpngk32.exe	Jpojcf32.exe
PID 4756 wrote to memory of 1356	4756	Jmpngk32.exe	Jpojcf32.exe
PID 1356 wrote to memory of 4064	1356	Jpojcf32.exe	Jbmfoa32.exe
PID 1356 wrote to memory of 4064	1356	Jpojcf32.exe	Jbmfoa32.exe
PID 1356 wrote to memory of 4064	1356	Jpojcf32.exe	Jbmfoa32.exe
PID 4064 wrote to memory of 1176	4064	Jbmfoa32.exe	Jfhbppbc.exe
PID 4064 wrote to memory of 1176	4064	Jbmfoa32.exe	Jfhbppbc.exe
PID 4064 wrote to memory of 1176	4064	Jbmfoa32.exe	Jfhbppbc.exe
PID 1176 wrote to memory of 3416	1176	Jfhbppbc.exe	Jigollag.exe
PID 1176 wrote to memory of 3416	1176	Jfhbppbc.exe	Jigollag.exe
PID 1176 wrote to memory of 3416	1176	Jfhbppbc.exe	Jigollag.exe
PID 3416 wrote to memory of 3604	3416	Jigollag.exe	Jmbklj32.exe
PID 3416 wrote to memory of 3604	3416	Jigollag.exe	Jmbklj32.exe
PID 3416 wrote to memory of 3604	3416	Jigollag.exe	Jmbklj32.exe
PID 3604 wrote to memory of 4760	3604	Jmbklj32.exe	Jpaghf32.exe
PID 3604 wrote to memory of 4760	3604	Jmbklj32.exe	Jpaghf32.exe
PID 3604 wrote to memory of 4760	3604	Jmbklj32.exe	Jpaghf32.exe
PID 4760 wrote to memory of 2232	4760	Jpaghf32.exe	Jdmcidam.exe
PID 4760 wrote to memory of 2232	4760	Jpaghf32.exe	Jdmcidam.exe
PID 4760 wrote to memory of 2232	4760	Jpaghf32.exe	Jdmcidam.exe
PID 2232 wrote to memory of 3868	2232	Jdmcidam.exe	Jfkoeppq.exe
PID 2232 wrote to memory of 3868	2232	Jdmcidam.exe	Jfkoeppq.exe
PID 2232 wrote to memory of 3868	2232	Jdmcidam.exe	Jfkoeppq.exe
PID 3868 wrote to memory of 4968	3868	Jfkoeppq.exe	Kpccnefa.exe
PID 3868 wrote to memory of 4968	3868	Jfkoeppq.exe	Kpccnefa.exe
PID 3868 wrote to memory of 4968	3868	Jfkoeppq.exe	Kpccnefa.exe
PID 4968 wrote to memory of 1520	4968	Kpccnefa.exe	Kbapjafe.exe
PID 4968 wrote to memory of 1520	4968	Kpccnefa.exe	Kbapjafe.exe
PID 4968 wrote to memory of 1520	4968	Kpccnefa.exe	Kbapjafe.exe
PID 1520 wrote to memory of 4516	1520	Kbapjafe.exe	Kgmlkp32.exe
PID 1520 wrote to memory of 4516	1520	Kbapjafe.exe	Kgmlkp32.exe
PID 1520 wrote to memory of 4516	1520	Kbapjafe.exe	Kgmlkp32.exe
PID 4516 wrote to memory of 3164	4516	Kgmlkp32.exe	Kilhgk32.exe

C:\Users\Admin\AppData\Local\Temp\e71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5.exe
"C:\Users\Admin\AppData\Local\Temp\e71d162be4770970835adb86db442b75fcc6607f37fd921b778ecfb8b2d78ef5.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\Jpjqhgol.exe
C:\Windows\system32\Jpjqhgol.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\Jbhmdbnp.exe
C:\Windows\system32\Jbhmdbnp.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\Jplmmfmi.exe
C:\Windows\system32\Jplmmfmi.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\Jbkjjblm.exe
C:\Windows\system32\Jbkjjblm.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\Jpojcf32.exe
C:\Windows\system32\Jpojcf32.exe
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\Jmbklj32.exe
C:\Windows\system32\Jmbklj32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\Jpaghf32.exe
C:\Windows\system32\Jpaghf32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\Jfkoeppq.exe
C:\Windows\system32\Jfkoeppq.exe
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\Kpccnefa.exe
C:\Windows\system32\Kpccnefa.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3164

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
24⤵
- Executes dropped EXE
- Modifies registry class
PID:4940

C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
25⤵
- Executes dropped EXE
- Modifies registry class
PID:2968

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4048

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4732

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3540

C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3192

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
30⤵
- Executes dropped EXE
PID:3044

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
31⤵
- Executes dropped EXE
PID:3616

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2636

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
33⤵
- Executes dropped EXE
PID:4716

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3368

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4416

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2912

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
37⤵
- Executes dropped EXE
PID:3084

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2196

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
39⤵
- Executes dropped EXE
PID:2056

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4592

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4644

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
43⤵
- Executes dropped EXE
- Modifies registry class
PID:432

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
44⤵
- Executes dropped EXE
PID:3772

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2860

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1160

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4700

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
48⤵
- Executes dropped EXE
- Modifies registry class
PID:2972

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4036

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
50⤵
- Executes dropped EXE
- Modifies registry class
PID:1268

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3952

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3776

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1560

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4368

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1844

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1324

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4256

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2708

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2756

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:544

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2240

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
62⤵
- Executes dropped EXE
PID:3536

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
63⤵
- Executes dropped EXE
PID:1788

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3172

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2288

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1852

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4876

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4344

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3520

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4136

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
71⤵
- Drops file in System32 directory
PID:948

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
72⤵
PID:2876

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3380

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
74⤵
- Drops file in System32 directory
PID:2852

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
75⤵
- Drops file in System32 directory
PID:4164

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4384

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
77⤵
- Drops file in System32 directory
PID:2488

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
78⤵
PID:1836

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
79⤵
- Drops file in System32 directory
PID:2112

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
80⤵
- Drops file in System32 directory
- Modifies registry class
PID:3828

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
81⤵
- Drops file in System32 directory
PID:1856

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1028

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5056

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4868

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
85⤵
- Modifies registry class
PID:4432

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
86⤵
- Modifies registry class
PID:3040

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2704

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5100

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1624

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
90⤵
- Drops file in System32 directory
- Modifies registry class
PID:4372

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5112

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
93⤵
- Modifies registry class
PID:3444

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2272

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
95⤵
- Drops file in System32 directory
PID:2800

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
96⤵
- Drops file in System32 directory
PID:3888

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
97⤵
PID:5032

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
98⤵
- Drops file in System32 directory
PID:4408

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1408

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
100⤵
- Drops file in System32 directory
PID:740

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
101⤵
PID:2848

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
102⤵
- Modifies registry class
PID:4688

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
103⤵
- Drops file in System32 directory
- Modifies registry class
PID:3904

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
104⤵
- Drops file in System32 directory
- Modifies registry class
PID:1436

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2680

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1204

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
107⤵
- Drops file in System32 directory
- Modifies registry class
PID:3356

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
108⤵
- Modifies registry class
PID:2768

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4620

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
110⤵
- Drops file in System32 directory
PID:2840

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
111⤵
- Drops file in System32 directory
- Modifies registry class
PID:1340

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2796

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
113⤵
- Modifies registry class
PID:2116

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1728

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
115⤵
- Modifies registry class
PID:1524

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3940

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4932

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
118⤵
- Modifies registry class
PID:2880

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
119⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 412
120⤵
- Program crash
PID:5236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5144 -ip 5144
1⤵
PID:5212

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaimbj32.exe
Filesize
93KB

MD5
4660fd1636dec4fbe91811cddb352284

SHA1
f87079a6723072ed4cdb2ac6fd950a4a9eca20e8

SHA256
77f9183f55c3ac3667c6b17a8017b0e5ff1a43b6229efef23462a04c3151c57a

SHA512
71e1a71112bb0c4486baff3956da9df464004aad8ed6f28411163c2dcf81b1d63520f21d9f8f95b95da100b8dabb5a2cd5c1deb97e6db99a3ce8072659795890

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe
Filesize
93KB

MD5
f2eba4f97e18165c9e8e6ad152547def

SHA1
60d80b7e2693ec0ed1631b415a331d1eee04ef47

SHA256
6a7d7eddb79cd23213332be1b83622369d9cec6cdfef700b9300725187d1d398

SHA512
3b8e0850e2440237c2c779d292c975825df3c154ea3564674f5b4de84f2b5623dd0b36096ff3bfb26cad0c8c62e5c1c564248a3f4f81daf147f385f99ee1dc61

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe
Filesize
93KB

MD5
a1777ca0c629ff6c5703d36aa8e11e6a

SHA1
23e7d901dc631fe5aa2842fb3a8df8b86fd09b80

SHA256
aadc20fe2bab5b7f454fc1bef360a368ede2b78c1a0e692170910a8498f7361c

SHA512
6f92dd3e39a1785a707eefcbc9dfca9ee90feece25e3d232184d90a8b3d6d167714bbcec02e7375859b03607edd1904bdf4c123b48cb7dbc7e0c46bc55579894

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe
Filesize
93KB

MD5
9a146295a6e3fa0e1ec129a908dca8bb

SHA1
5a69deb52db8b4650ecb8c04937511914839d7ea

SHA256
d6eca4a0e4a66a8f03209b92717cbaecbf6f154b8f4b8f05e85d5bbec5819a74

SHA512
2a465a0c947a9d109f80f7d33d73faf0957d59333a1beba2592e97368271db8d53203173edb0f42f7e50f92c1914fe4b57efdb7a88d0607a299272eab8429d68

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe
Filesize
93KB

MD5
4b282018fbd610d36fb9a10df8f11fca

SHA1
86554675dd1fca9f9e59cb4f461bfffd3d66054b

SHA256
4053b85a167f03a892b77c3d87e5aa692c45de767f6e6510a3a31626ebaac72c

SHA512
b6ea6001b788569137a50f6aaf8d35e41f39c897c8ace578af2d8207b9b44436c3c02dc95e818fed8216528ec0bbf213d9c54efabb84a7fa23d1344db012b8db

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe
Filesize
93KB

MD5
ad2c813bb793f29553089c896a95aa57

SHA1
2e5b0b9e2848d69f68475f304b82ea0db9ad4288

SHA256
ad297dda080599696dee590d467d086cdd2111b2ae95a65007d3ecde0772da91

SHA512
9361a97d33be02da762355cbdd43e828b239e6423ca3ba40f0785ed69c5ce93ea3d50e09a29c8a7410c355aa2567d49a5208e606baafb44aa1585209cd3d3eb2

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe
Filesize
93KB

MD5
51a739929a7cd173b2b1ce0101f69abb

SHA1
efced84e112d18f9cef3288aeff4d71618e66eb1

SHA256
050b69e808ee21c9360a6d991d2f2b80c580f27cd805acb69309537203b09f52

SHA512
6a70942c38083eb839e835a03d0fb6846a736b49e79f304a89eca5275de64a83b33fa27dff907f6fa8430c4e6f16556bdf7d08eb4a6aecbb5c99aa9bbaaaf4c6

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe
Filesize
93KB

MD5
85dda82b4157dfc4c35e543b8a8047bb

SHA1
478790bedfa44507cdd01046cc1d029894e39e43

SHA256
48a383764ed9216fe34b1a9a7fbc0ffa8c737836bccfbe4af224cb933fa60fb7

SHA512
56dbcf70c19a150fdeac89a25bbedb9a4822f088e24d7a60a39982e39b9d7ca3be84a9b4a66a21e438b6b4bdb025204782931a20ccc4bf83b785237c3ce7f6b7

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe
Filesize
93KB

MD5
b2ff2f113a5905958e0eff176f28fcbe

SHA1
44675e2ddb88ecb57e38a408ad49669be10d8a63

SHA256
9cf8e1bf05c456ec728f1c698d1408607da08789bdcbef8f267017c6ec0c7c8e

SHA512
bde9059b5de7eec89b9c5024f59eeb74893da37415dda51cfd3442c676edcb13d6db75d60bf5c0f02bc1eec54b268566221061869eec2961679bc5e80b1ca5ec

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe
Filesize
93KB

MD5
198daf2eaf8ce1f56c122cbd54c0b994

SHA1
3e88d3fbb82a084c80851636e1012d36239cddcb

SHA256
56311ab98700794e96fc9d1d1f63aa38d9c3125e7d931e80fd1d5194ac5286db

SHA512
835d5c664d913186279abcd355e147b1af2d5e30c50d147c785f398db61b2c10e3bceda2f5095465930bb272f16d6c57a0cf57390bdfdeb7aaae79412dd68982

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe
Filesize
93KB

MD5
d763bc99eda7bf5f66ce271b6965cba0

SHA1
c88d146392b0ca8a4f3842c9b99ac13ae5fe98ad

SHA256
3630d4f64fef224aba1d4dc5d3be43ac234796a9f9db6e25c425d909a28b3da7

SHA512
c25dac958e1d95b9189476fd47a1a943a020802a2164d36a3f05c4af0154cb7988566eb758509343b7f8776ff349147fde56fc95008becbbe79d434cf4b7a0a5

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe
Filesize
93KB

MD5
ff5b0d31c721d3af05cbf08b26eed3ae

SHA1
80257b10b96f6f7c8b8dd9facbe69a5d97116194

SHA256
96b9913669087c58628cc107af43211e22ba3194982c9aa1a78dc3a3ccc0e9b0

SHA512
d8ec7c9f2af5cc27f7ee1f32f6d653a98c8509d94951d7c3bf2c761c6b72b852b6284bb3fa82660b4971d28e066a097b66311e9ef8d045db4bfd6be7256f6883

Download Submit
C:\Windows\SysWOW64\Jigollag.exe
Filesize
93KB

MD5
0e9ba2df82ae3c3ce08dd858670bc276

SHA1
fd3aa58e2a6b5324ef584645a8d77ccd7b819a0c

SHA256
79871d75465446ee4bccebb9a2643687e680b02a9ef1e18b8ef7faaac0f4d045

SHA512
e06598de8282c7319a67dbb0be743385f7ed39b58176f764e44b91afe439fee125ef077f62a8431cac6c238d63242a99124280a581ea8e076111f280922367ea

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe
Filesize
93KB

MD5
c33d5a968f2067fa52f64d08f417a8a5

SHA1
26c03c17a1f69ac5cb8705c830b39a28dcaf6e90

SHA256
e08d3e5fbc6fbd434631b81d8618a3c34d566b7cc6e17529db2005919ebe0dbf

SHA512
714120217ffc272d3d3ead4ffc465d8c321a023537005992925a97efd7b3b5f4da43ec7e939db9435a9badec99e1beafeea624c648dd33b12183af1840ddb791

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe
Filesize
93KB

MD5
423a5b136728adf256e29111f57d6e4d

SHA1
144da5d928b70f5744c2d1e264d0db4de7b1db70

SHA256
a21497511e0bfb91f32a69a6f50e345c8a9de3b9d68c5f0b0ff0af27cdf5d3a2

SHA512
fbf5d7d3a3b9ca9f83b70bbcf19a4de7fb6ba3ccb48ac7b134fb9f18913fd85aa28c3133ac5d7ac61aada90ab5dfeaac6cc332e194e26a017487ef849faea2ec

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe
Filesize
93KB

MD5
d40311dd94ae25f86f5b50b4177968fb

SHA1
910ecc0bc2b2b30f14069a557bab1e9ee16b0a69

SHA256
95d0a86b1938c08527ea4b3064ed369182d6c319b14e38eeddab74ae0eaa97af

SHA512
0a890799d8c51cb9f7e8971f445722caf191ee94958dd99679cdcbb3910fa1a90147c157aaa756abbb3556840a565881fc1e314c66f9e0d3e454aa95097e1d45

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe
Filesize
93KB

MD5
4e086e6c2264ef2cd9b6b10276e13e65

SHA1
e001b5c8fee296d3f2e7eb42907a0d5c24ce2881

SHA256
499a05c85fcbc37d5517f10099991283b484e6470e7b94f97527e6a3fca3962c

SHA512
fb13fb16ef0ad050f713aa2ce4b9b794422f814378b7fb68bb67ecbbc77a3f2fc10da4c3177f9b07ee0c8192b8097af250012d9e032f697f25e6a684eb4441cb

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe
Filesize
93KB

MD5
dc4dfb060f97e5225904aada08b59d2c

SHA1
087c30d08b729051cf2dad99d09b99170b3c6ada

SHA256
2be657508f7b557ede4d8ea2b930dcff66a5768908271a5b5e89cde97badf2b8

SHA512
d60f8407834460a4e9019e844b83ab4b7c3db59051598e2883039961421a8300b9a62a4c9e389061d5b1d6a204fe09973150eb0d6156e9a8b3efd5a0102eedc9

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe
Filesize
93KB

MD5
5696beb13de2fa6b53db0fd353cefeb4

SHA1
c64b9862bfa9d7322f19b699bec07601877ca415

SHA256
8e8cd7cae80fe3e0990dbe03d4663c073fb59b4b1a919ac14c883fdaf8265629

SHA512
d350a58f9041caec4b3bbcca35cfaa945798aea8b6393624ff926d9d4cc330dfe4d7d723a645b087fb16e2e5547289d867b0a98eb24b7b4d932d767a64edc60c

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe
Filesize
93KB

MD5
bc6d00607a9ce547f5ff256a1d5b2fe0

SHA1
6353d9cee08eeeda9bb6a64df1b923a2e40526b8

SHA256
9a6f057686623302a41e47bd855be4a4275861af3dc9e8af288e4908bb8f06e5

SHA512
a2a452bbc651fe16a5db57c7dff38e543fd08e46f957f6f89ea4d59dfed66651056cced031b04f889405dd8b319b85a1f53cfeabcd0445cfe2344521c59efa49

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe
Filesize
93KB

MD5
f35b141003c7338c14f9703141bbeb89

SHA1
c0c8b733a89f1f46f2b2aa2a87191e93fc7ae513

SHA256
3b254c41dd4fe486193cd7e0488dd1630afbe67452ff2ca60d49a5bd6ef4e948

SHA512
4f95d8f1e601b6752eb105da653369dcd4e06c622db85e371b395234b5102798514b34a063ac1556f802085ada80e247facc0e0d7f158510614e1aae19e59899

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe
Filesize
93KB

MD5
7d743f4acf67ee0df3e732b44132071a

SHA1
4bac48a3a0498230aa0f747837c842aaad385e5d

SHA256
fd074d2827a26f639d11ae27827579945d7e785a3adf8a5e0e3dd2927352de21

SHA512
88ce4792730774b612011063d3dd14dec61327452842daa9306b805050975370ad97b641ee9ab2ac3f4c3e2fca0787f99de84c34e13e5ffd6c1b277bb4efa902

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe
Filesize
93KB

MD5
45f32920eb7b9cc4e84f984b582da25b

SHA1
4cb7ea928122fa476fbbb8de0ec76b657834e8b1

SHA256
49da111868a119ddd90beb1555b3e4bf3198000bc97a8208d7f173b2eb481210

SHA512
93a76e48f74940fd1b1263b0dcb03b6bc7563d40ddb7b339e926c7617d0f036a3541486d9391f94186bb6e794bd3cdf363c0086096dc125a672d9ec62e521d36

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe
Filesize
93KB

MD5
124d3a3d162118925ad443b06e3d3b7d

SHA1
a0b28039e03828f823f746aed1e7112f170c7302

SHA256
4c47d185b1243e6aced7f853918f1af3d0af034686a3adfda04187dc08265a51

SHA512
0ddaa2f99c21b00af1a08d6cfbd2b10073720a456fedda74e3050374f1faa58e4b96bd9774b0f71d25a89af56a903faad1b518b9ae9c753ce439184d54196d8d

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe
Filesize
93KB

MD5
f463d210d9082c45f22c62c2b2a85266

SHA1
d8c8ebeef96e39f8e4b976d486598133a65249f0

SHA256
f9ea18a4ae3df3fc43afb9e1dca8d8a74e7873dab1c135009d11c0015130467c

SHA512
e842470f3488abd89451cf3cc18ec5547b60560ec90007ebc1b0bf019a060f1046ca739d2b06b7bdf02dc53d2ec5007107ee03df5c707c8797848e67be7adfc2

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe
Filesize
93KB

MD5
b066f6aec11c3462159970b3f71d76e1

SHA1
cb8d9b7c9b38c2532e4e8edfa60af24d8699e6b5

SHA256
6a3f86124cd305606727c99fc7be80f6198f8aa480c40bdfc6dd185e683b648b

SHA512
5532d62774eed19dd32117b61677de45d61e2eeab763b0a88f28b903b4bd4ac5ee92b41905621d0a4e88f70057879cebf9e4733d678842f56bbe1cf1e85be07a

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe
Filesize
93KB

MD5
5ab40f7c1a8888241de32959ea45ad20

SHA1
320483b75ae8908bed41cdb6746ba47bf726abcd

SHA256
472f65dff123ac7b3f47929017fa22233bc01195f757c5393e8babf7016081f4

SHA512
128617ca4460916a084962254e2bd4ed0871297ab34862d5b493dadc2f50d53b1cf84c664af9b890faeaff27f60c8ea2d5855d841e664cc56c9b07450dccbcea

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe
Filesize
93KB

MD5
34be5af4f8eeafa13b7f054d34d26964

SHA1
d2896b778a1b23e34af6c739f28cf61c3401f806

SHA256
264edb87f4d8690722e624aa737bcceef3732b436610fd9bd26607e66b55aae8

SHA512
32b6d4b084d1f1af5e0400a39f650dabc2e5e859d18ac172112b624358733cafcde01ec70ab59f2f70305fb10d8d47e312778245df0104e98f951f539c90f7ae

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe
Filesize
93KB

MD5
d4c114fe08c8d676c9e10068fcc1a345

SHA1
f6e95294d51caf157ac8fc223b44c2ff7b016d97

SHA256
dda2f511db4ffdce5a097f3f623349d8ffa0bcf18f4973bebd4767b66d776ad3

SHA512
e90a3e6f42c2b6648931cfbf5feb7d0084ddf11eaec0bad826d3bfa1a3f0a79d38926eac4640e67c16fbaaef47fb6ca42370415739998e767d5ed36f94fb150b

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe
Filesize
93KB

MD5
3f592e51d8eafdb580ccaf112dd21404

SHA1
4c514c2079b8b9d0de98629f6438f53486e1e91c

SHA256
8f70d0a601b08fe5784fd116fd8ab06d1521b64af81e6f18d2bc55d82e4ec57e

SHA512
07f93725e02131c0d3e1463b9bc9395875a68a00e05c478da5f37961f89bd46e2e44ffe3562c9bdf670a4b2cd45d841b26533493aeb81d2a6b8c23851cb72e65

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe
Filesize
93KB

MD5
c14d59bee620dcdae2c46c424b9e2e35

SHA1
09eaf0d0617faa553e80eaf9c1a49578a30a6c7c

SHA256
f47eb18f864e6e1b6cf8237c96e1ac03104c7714f93288a8a80f6bef0dd9c891

SHA512
4bf32562d028e8b7e79dc670e588c55aaa87aa849b3510d5fc99173b0f4a2a2747f752c2511398e957eb7e42f2dbb925f0cc17241216c2c7836f3634fbd4e110

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe
Filesize
93KB

MD5
e445f911212aa80ea4deffe172e99d12

SHA1
52b2677a24035a6a92f24fb747f6861eda53eb46

SHA256
67b9c4efb2c21ca4a411b02bc250d6c07c84b5df4c7ebfc21f0e5f1ea5719318

SHA512
cb267507c6b0ca261aecbb9da4a458731ccfdb37695d2dca57abc51f583bde8d9b90fc1dffa816e5813e7eb48ccd634dfc74216cf2910255a38f5ef2c24cb033

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe
Filesize
93KB

MD5
c957c8b323c0e548de8977fb4dde7353

SHA1
891b67cb91325dad4c37650e52d265259f33652e

SHA256
0ea11e2af27a31a542eccd569aa136a04ae2c0e3899d02f0c76ff92faeb80f6c

SHA512
c44d2bb3d7b3a9783ff139cc92ac41cda4af1fcba87025e9259bc1588e7a202032c5013142d8cf71db3cd64afcad3c44f38227d8c19e9b7b16a358d237cbf05d

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe
Filesize
93KB

MD5
e5bdcfe476ed88caa064f69e97d35c41

SHA1
8c8006bcb6d5574ff54c355457b4d203693da72a

SHA256
b949981f34db6bb1e60caca7ff48bd00a95775221f6ce8245454543faed134a9

SHA512
574a8fd3b0dd55800218fe8d21ad3f1e626f70a42a7b46e8e698a141e99def4424f0833465e586ce638a1dfe0babc72528d6a3e0cc705cffded09a05b7eb3ecc

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe
Filesize
93KB

MD5
4af54328ed4c158e074e028b24610134

SHA1
8c6570871238bb270b5978bf5ff74667b180938e

SHA256
ffba19a89a7220c16fd12adce32d42d9871ee6fcd92142dfa75fd39c0019ce5a

SHA512
2829acff216b70821cf6c62697097d70ce38681e3fedd660121ff31a363d7a72eca3e3b187aad198a82cb7960bba796ef326372dfc3dae2a9b73b39a71659074

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe
Filesize
93KB

MD5
645500396363703bf84a43f75ea67269

SHA1
bc24d61f32991ee7619d7ced6fbfc8f2a326c1d2

SHA256
6683c90830a0738e1278a8db73f505d7ac121ca99244d3be0c3283ebe44b34fe

SHA512
5f28ff93b1ae1663d481b93db76108603b2077fad8b27fdc1537572e4a67c062d9d249ac5568878ea26d8d568d53e4f241419c8ea0788a417be541e050141316

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe
Filesize
93KB

MD5
d4868a14c4d993aa4e9cd6aff6b26190

SHA1
5e02dc2a8bd30678e17390017fd27a831864b606

SHA256
28d5f68a598a929b137a1483ca63b89284aad2adc81061969e1baeff9bceb397

SHA512
3f6780f2a5998753f113ef3a778faa926da77604b0340c73abc95bf16a605dd8df71d992a7fdd0c3a14ee2cd06237bdcb59719023bacca6e84612736c41bdb8a

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe
Filesize
93KB

MD5
02eda5a72d40629af40d18ae8fe45c1c

SHA1
45fc001b866553238dd9dc215e89382ef81a9062

SHA256
4860a7a77dc6b3711a2c9062e6e1d3d251f0d042a08b1c0818633f10ad3b41ec

SHA512
5caa3afcbed1623290eed7df8e7af60020c0cf87843c4ea36e688f5ff5b3b6119d9694001885a8b2b428821b1fd16efcffa87a487fbfe8b1759128fa3362a7d9

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe
Filesize
93KB

MD5
c2a68cd1ad64d1f187534d010c5225d8

SHA1
31a09b40db8a73f2ac8c3aa9f3d7a33f75af3cf6

SHA256
32c7d2bbf139e16c7d4223c6eeddc6e30d68ec46ebcedc753a05d4639b114410

SHA512
cb9e236c74332d89420403ec2061545185f5c08f19425f88ae0c16ac48abd5ddafea5de23781d41e9b5a3f2faacab8d9d3df39853cfacfadcddf4430e34bf41f

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe
Filesize
93KB

MD5
9c8cf4ceaaa6657e583c91bd1c5cb11c

SHA1
60a298049bba171d6885d339b578f7f4790c80e8

SHA256
2fda9876657333a57e83788fa9f293869d9b22efa3e8f94fda107016c5f30292

SHA512
30f5393e533e0d523736c42af5478c3bd03a3b2488bb599aaceecdaf67191da26ea0077b16485773ac2f1d124c48fbb81ea2518906dc6456f5ed8fea9540e849

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe
Filesize
93KB

MD5
d6e58236ff765ba4050d610ef82ad074

SHA1
9695de64988d239341a1ee91fe0f8a54b2d5fc26

SHA256
3acd56ade9d7e363a4a68642f67f2ec29394ad3051cd5d36bb13d640ed15d9b3

SHA512
48fe0b7a7216abe3e178657ce4bbf5c4820dcc15094a0f2d170360f95677caeb5b30da5607b709e49d18cddc0aa0411e853f4b51afdb37cee7f8e3eaefa894fe

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe
Filesize
93KB

MD5
60bd4090a8d22e193cde6d5ec6b0867a

SHA1
22f7c2c15934fdb9bdf1386085cdd61086c83863

SHA256
c2385edeb670fc725f03f953f313736c82a342724bc22415a2affb2dae6db3e7

SHA512
10c29a44ef0472afebbbcc3aab7d5cad055ea310e72dd368fe40fa269cb27b2db6d4f7687e96bb04219758b837f842a684bbb309db776988c07c69cd0a0a3964

Download Submit
C:\Windows\SysWOW64\Leqcod32.dll
Filesize
7KB

MD5
a1196c3577043c8056883c9bdfb7391c

SHA1
c58cda997a03adad9cde46b534d71196fb07f285

SHA256
2398556cb9dd2d74f58e6ec621fc7ceae65a42c1479372b24da4f9c114bdb458

SHA512
0956aea020f6325bee31e11a8a49b712c6cb75e045ef0ef157c339357c4a64b5f0efd0364b28f92af89fca85e8e13e6e89620e5e597fb0a4e466852e30cb68b3

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe
Filesize
93KB

MD5
de8d051cdaade9aec3bc108ff55c8d5e

SHA1
f0b5c88c0580cedf0a08142634cae53ed72a6637

SHA256
667bb84ecff1c5759319b2d5291817704ebb3ff8a14ec1b74c406e750d1d2ddd

SHA512
736232bafb308970cecc6c66c3afd9af5c7536d2756b5f45248e3772dd9c814a28108a491cc0042a67f37f74921615c0bd9ce032ab2bf383004406130ff2c473

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe
Filesize
93KB

MD5
48107c1b7d35a0eef1c8ecfcb457c16a

SHA1
ca9976ac0fb8704e2a401ff4d46b996850b0cf44

SHA256
658a78d7e6b507b5ef3675c0f11fb70972ffe4ed179e27beb40875bf7f04e38e

SHA512
84218425da49e6419378c8cfa51ca7e80b8c2ad291bf33217214b9c138a5a6cd66b7dca1ffe2c75b8c64e83e64fd3018924fe5e8c658c108d967c802c1149de8

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe
Filesize
93KB

MD5
15e3516486ddcf078bfb88c24bf4a131

SHA1
7bba350f9767fe5d955451688e2fe3f1de5fd88f

SHA256
a6d74e5726dcf81d13abad1e05b7269272abc9c26b468c7383a374ac12de4536

SHA512
15279b8b3fb3b4260952f087bc8f021f7e5487094c9804763704498cb6fd50d60d6f66a723097e9831bfa4dd9ade6387a8776765ce1f3d7bf11e90e1ccdd9ed2

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe
Filesize
93KB

MD5
91197ad43180efa8e2b8f1a8a89999e1

SHA1
af51815438b73d5c7ca52b2e1394bce07e0e038e

SHA256
b19944ffe5635bc7639f8655e2f2c5778681c6b9e471cb4fb59afcc9e6f8b076

SHA512
06df059e40a64564cfaa7042c3fc00c0088528a8ba069ad78a1b7cc1ecbf742d5274bef963dc77cfd88813f771f915146105564150391459bd900b3588dfa522

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe
Filesize
93KB

MD5
ecec606da4b1d82e319b769412c2c16c

SHA1
6ef38788b6833f405723ebfaea5d21c6f6a08d51

SHA256
6a1c284448f50119681ebff3c36d2633abf213031bf395ee3610e108910bfd4f

SHA512
37bee1b1956980474377ad415c83dd4aa5e408195936c24ae18775116abb97ef650d4b606102f2edf154ad08459d83b94e2afd0e173a291a14300b58921ac3d4

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe
Filesize
93KB

MD5
11c88407e2be7e0c9977cfbd7a9bd4db

SHA1
a7a93d5c369555848d633e95d5cc49172e4a5e0f

SHA256
9385f0c9588a66701f6fffc1e9dd5b60475e57b00799e64d7f0d0d4548f11e82

SHA512
cc502d1cc99c1278353655337fd04d13d8288e2ddda714c9da77b1a0ce036f11e3a6822dc77d489c9852332caf014bb9eb230416d6a2565cfce14388160666b7

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe
Filesize
93KB

MD5
ef26926279d737c82f58d78f300f543e

SHA1
c9ea3f9ee3e7cf10a2929a078d44f71e9ac83ac2

SHA256
8226ef5cb7435a1dcf1bc057583b211d0ce6cb53b2fc88af2fd34d610e6546ac

SHA512
fd7fd85cab3eb0e26b882b409fd061f15d5d1694b990bfd998c8b8f643e59bf2b59af146ad32dc86dedf4ba3f540f6e2589d6d767f033f365ba276268b7c4378

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe
Filesize
93KB

MD5
259f808297364e0d8d168ebd061cbe6f

SHA1
a96282d1037b6bb7b687442e17bfb5aa854cb4a9

SHA256
974b3883a8aa51e473102c0399774c8669c858908dc2f66b7dc16554dd63606e

SHA512
aceb11e5f0a08ef7d573f9201a4c8a9a540a51cc0115339127c3f02ff70fcb56ac0680e2e5e6d8177dc10d035a0843c72ecc0778f40e3a3897fc3125252a2927

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe
Filesize
93KB

MD5
eaaf3eecc910e5970db9143c87c4af87

SHA1
6f1974313b47922d09c75d4087f113f3f7ecfdfb

SHA256
373c1d85588cc6f0d181513bfcd70a5ef23fa77d93b7e77695acc39821eabbc2

SHA512
e953ec1ef9ff8cad97c972ed3b82d1d40274fbbf054aec58b2f828aadb0cb6ec2135c97bba89ce3557384fbe1c9ab297964c8d0a4be69ef601b06061def2190d

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe
Filesize
93KB

MD5
038cad3e8db38d5368dfe1b0307a8b25

SHA1
d262826c18b13c3c61a682309391937c4ef6dbad

SHA256
c7dd81bb6adb8eef3fbafcfc8f2cbffac9637befec1d000d1a724c56c0f046ad

SHA512
41e21ddc0ff6aa68700c56c08fdaf0bf1aa8500b5f3f064858419c8346f680434ef7ddb3fcc347544dc3da4409e3922d385137f2e99a90f39dba4928e29f764a

Download Submit
memory/432-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/432-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1160-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1176-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1176-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1324-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1808-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1808-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2368-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3184-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3184-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3368-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3368-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3416-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3416-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3616-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3616-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3772-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3772-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3776-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3868-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3868-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4256-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4272-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4416-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4416-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4644-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4644-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4716-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4716-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4732-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4732-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4968-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4968-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads