1a41889169083eab5a1c9599a83fd7d9f24efef349bad25d00237d52f75495de

Analysis

max time kernel
134s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2023, 03:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e43a69f3bfc9fa9f6878d9d8293bc180.exe
Size

111KB
MD5

e43a69f3bfc9fa9f6878d9d8293bc180
SHA1

81759d08e4cc67e6c710c3aed1b259a4512179b1
SHA256

1a41889169083eab5a1c9599a83fd7d9f24efef349bad25d00237d52f75495de
SHA512

53a7c3228bffd998b948e1ac7d78d1249af1710726a40d0f8490f24d1026abf55a837726cfd667ab372bf8eb031cd6163daef4eabab84949c1173ff42b988f14
SSDEEP

3072:qY35rPWQpcyEuqVeow0v0wnJcefSXQHPTTAkvB5Ddj:qYtPpdEQWtnJfKXqPTX7DB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Igedlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lajagj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjneln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miaboe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idbodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnkldqkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Haoimcgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjpbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahnhhod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpoalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhndljll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgloefco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaehljpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgegd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihdafkdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knqepc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljbfpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lldopb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laqhhi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maeachag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkffkhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kniieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ikndgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfgmnfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgmcce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgiiiidd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgloefco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkomneim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe

Executes dropped EXE 64 IoCs

pid	Process
1232	Haoimcgg.exe
4052	Hnfjbdmk.exe
1124	Hpdfnolo.exe
2660	Hkjjlhle.exe
2272	Idbodn32.exe
4796	Iqipio32.exe
2160	Ikndgg32.exe
1668	Iqklon32.exe
1276	Igedlh32.exe
1396	Ihdafkdg.exe
2504	Iqbbpm32.exe
2996	Jkjcbe32.exe
5100	Jhndljll.exe
840	Jnkldqkc.exe
2248	Jkomneim.exe
4432	Kqnbkl32.exe
2128	Kjhcjq32.exe
408	Kgmcce32.exe
1800	Kaehljpj.exe
2752	Kniieo32.exe
364	Kinmcg32.exe
2740	Lajagj32.exe
3648	Ljbfpo32.exe
1932	Legjmh32.exe
4176	Lkabjbih.exe
3472	Lldopb32.exe
4700	Laqhhi32.exe
1536	Leopnglc.exe
4668	Maeachag.exe
2988	Mjneln32.exe
2100	Mahnhhod.exe
3992	Mjpbam32.exe
2876	Miaboe32.exe
3828	Mnnkgl32.exe
2524	Koodbl32.exe
2368	Knqepc32.exe
4352	Kpoalo32.exe
4852	Kgiiiidd.exe
1348	Kpanan32.exe
3328	Kcbfcigf.exe
4540	Lpfgmnfp.exe
208	Llmhaold.exe
1236	Lgbloglj.exe
3332	Llodgnja.exe
4524	Lobjni32.exe
3280	Lncjlq32.exe
5036	Mgloefco.exe
2176	Mnegbp32.exe
4316	Mcbpjg32.exe
3436	Mjlhgaqp.exe
4512	Mqfpckhm.exe
2984	Mgphpe32.exe
2716	Mfeeabda.exe
2856	Mmpmnl32.exe
2180	Mfhbga32.exe
4984	Nmbjcljl.exe
4812	Nclbpf32.exe
1156	Nmfcok32.exe
412	Nfohgqlg.exe
4196	Npgmpf32.exe
3248	Nfaemp32.exe
972	Nmkmjjaa.exe
1620	Nceefd32.exe
3776	Onkidm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdkifmjq.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Cdkifmjq.exe
File opened for modification	C:\Windows\SysWOW64\Cglbhhga.exe	Cpbjkn32.exe
File opened for modification	C:\Windows\SysWOW64\Jhndljll.exe	Jkjcbe32.exe
File created	C:\Windows\SysWOW64\Bbekbm32.dll	Lajagj32.exe
File created	C:\Windows\SysWOW64\Kdmpmdpj.dll	Koodbl32.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Pjpfjl32.exe
File opened for modification	C:\Windows\SysWOW64\Mfhbga32.exe	Mmpmnl32.exe
File created	C:\Windows\SysWOW64\Ojdgnn32.exe	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Eopjfnlo.dll	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Ijikdfig.dll	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Ekojppef.dll	Hkjjlhle.exe
File opened for modification	C:\Windows\SysWOW64\Kjhcjq32.exe	Kqnbkl32.exe
File created	C:\Windows\SysWOW64\Djaiilmd.dll	Legjmh32.exe
File opened for modification	C:\Windows\SysWOW64\Leopnglc.exe	Laqhhi32.exe
File created	C:\Windows\SysWOW64\Meickkqm.dll	Ikndgg32.exe
File created	C:\Windows\SysWOW64\Kinmcg32.exe	Kniieo32.exe
File created	C:\Windows\SysWOW64\Leilnmkp.dll	Mfeeabda.exe
File opened for modification	C:\Windows\SysWOW64\Offnhpfo.exe	Oaifpi32.exe
File created	C:\Windows\SysWOW64\Mfeeabda.exe	Mgphpe32.exe
File created	C:\Windows\SysWOW64\Onkidm32.exe	Nceefd32.exe
File created	C:\Windows\SysWOW64\Kpibgp32.dll	Ojdgnn32.exe
File created	C:\Windows\SysWOW64\Phfcipoo.exe	Pffgom32.exe
File created	C:\Windows\SysWOW64\Igedlh32.exe	Iqklon32.exe
File created	C:\Windows\SysWOW64\Maeachag.exe	Leopnglc.exe
File created	C:\Windows\SysWOW64\Mjpbam32.exe	Mahnhhod.exe
File created	C:\Windows\SysWOW64\Mnnkgl32.exe	Miaboe32.exe
File created	C:\Windows\SysWOW64\Adfgdpmi.exe	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Bhmbqm32.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Conanfli.exe	Cggimh32.exe
File created	C:\Windows\SysWOW64\Aggpfkjj.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Leoema32.dll	Hpdfnolo.exe
File opened for modification	C:\Windows\SysWOW64\Ihdafkdg.exe	Igedlh32.exe
File created	C:\Windows\SysWOW64\Kgmcce32.exe	Kjhcjq32.exe
File created	C:\Windows\SysWOW64\Bpcaaeme.dll	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Llodgnja.exe	Lgbloglj.exe
File created	C:\Windows\SysWOW64\Bjlfmfbi.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Oaplqh32.exe	Ofkgcobj.exe
File created	C:\Windows\SysWOW64\Bdlgcp32.dll	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	Akdilipp.exe
File opened for modification	C:\Windows\SysWOW64\Igedlh32.exe	Iqklon32.exe
File created	C:\Windows\SysWOW64\Nbklhm32.dll	Jkomneim.exe
File created	C:\Windows\SysWOW64\Fjqjajoe.dll	Miaboe32.exe
File created	C:\Windows\SysWOW64\Difebl32.dll	Mqfpckhm.exe
File created	C:\Windows\SysWOW64\Pjkmomfn.exe	Opeiadfg.exe
File opened for modification	C:\Windows\SysWOW64\Amlogfel.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Fmamhbhe.dll	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Qfkjii32.dll	Iqbbpm32.exe
File created	C:\Windows\SysWOW64\Lkabjbih.exe	Legjmh32.exe
File created	C:\Windows\SysWOW64\Ehmjob32.dll	Lobjni32.exe
File created	C:\Windows\SysWOW64\Nclbpf32.exe	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Iqklon32.exe	Ikndgg32.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Ojhpimhp.exe	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Aphnnafb.exe	Akkffkhk.exe
File opened for modification	C:\Windows\SysWOW64\Aphnnafb.exe	Akkffkhk.exe
File opened for modification	C:\Windows\SysWOW64\Conanfli.exe	Cggimh32.exe
File created	C:\Windows\SysWOW64\Hpdfnolo.exe	Hnfjbdmk.exe
File created	C:\Windows\SysWOW64\Lehhlb32.dll	Iqklon32.exe
File created	C:\Windows\SysWOW64\Jkomneim.exe	Jnkldqkc.exe
File created	C:\Windows\SysWOW64\Ifolcq32.dll	Mgloefco.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Cglbhhga.exe
File opened for modification	C:\Windows\SysWOW64\Cpfcfmlp.exe	Coegoe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5696	5156	WerFault.exe	217

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djaiilmd.dll"	Legjmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodcb32.dll"	Mjlhgaqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhndljll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceelqcdb.dll"	Kjhcjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnnkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekojppef.dll"	Hkjjlhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Miaboe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	e43a69f3bfc9fa9f6878d9d8293bc180.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e43a69f3bfc9fa9f6878d9d8293bc180.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfgmnfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minqeaad.dll"	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dannpknl.dll"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkjjlhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Leopnglc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnkgo32.dll"	Kpoalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll"	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peaggfjj.dll"	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Idbodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqnnno32.dll"	Kqnbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefmflff.dll"	Maeachag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liabph32.dll"	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leilnmkp.dll"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Legjmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laqhhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbjqfjb.dll"	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpghll32.dll"	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkabjbih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmjjno.dll"	Mnnkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll"	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihdafkdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbklhm32.dll"	Jkomneim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnnkgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgiiiidd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpfgmnfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Igedlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Miaboe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1232	844	e43a69f3bfc9fa9f6878d9d8293bc180.exe	86
PID 844 wrote to memory of 1232	844	e43a69f3bfc9fa9f6878d9d8293bc180.exe	86
PID 844 wrote to memory of 1232	844	e43a69f3bfc9fa9f6878d9d8293bc180.exe	86
PID 1232 wrote to memory of 4052	1232	Haoimcgg.exe	87
PID 1232 wrote to memory of 4052	1232	Haoimcgg.exe	87
PID 1232 wrote to memory of 4052	1232	Haoimcgg.exe	87
PID 4052 wrote to memory of 1124	4052	Hnfjbdmk.exe	88
PID 4052 wrote to memory of 1124	4052	Hnfjbdmk.exe	88
PID 4052 wrote to memory of 1124	4052	Hnfjbdmk.exe	88
PID 1124 wrote to memory of 2660	1124	Hpdfnolo.exe	89
PID 1124 wrote to memory of 2660	1124	Hpdfnolo.exe	89
PID 1124 wrote to memory of 2660	1124	Hpdfnolo.exe	89
PID 2660 wrote to memory of 2272	2660	Hkjjlhle.exe	90
PID 2660 wrote to memory of 2272	2660	Hkjjlhle.exe	90
PID 2660 wrote to memory of 2272	2660	Hkjjlhle.exe	90
PID 2272 wrote to memory of 4796	2272	Idbodn32.exe	91
PID 2272 wrote to memory of 4796	2272	Idbodn32.exe	91
PID 2272 wrote to memory of 4796	2272	Idbodn32.exe	91
PID 4796 wrote to memory of 2160	4796	Iqipio32.exe	92
PID 4796 wrote to memory of 2160	4796	Iqipio32.exe	92
PID 4796 wrote to memory of 2160	4796	Iqipio32.exe	92
PID 2160 wrote to memory of 1668	2160	Ikndgg32.exe	93
PID 2160 wrote to memory of 1668	2160	Ikndgg32.exe	93
PID 2160 wrote to memory of 1668	2160	Ikndgg32.exe	93
PID 1668 wrote to memory of 1276	1668	Iqklon32.exe	94
PID 1668 wrote to memory of 1276	1668	Iqklon32.exe	94
PID 1668 wrote to memory of 1276	1668	Iqklon32.exe	94
PID 1276 wrote to memory of 1396	1276	Igedlh32.exe	96
PID 1276 wrote to memory of 1396	1276	Igedlh32.exe	96
PID 1276 wrote to memory of 1396	1276	Igedlh32.exe	96
PID 1396 wrote to memory of 2504	1396	Ihdafkdg.exe	97
PID 1396 wrote to memory of 2504	1396	Ihdafkdg.exe	97
PID 1396 wrote to memory of 2504	1396	Ihdafkdg.exe	97
PID 2504 wrote to memory of 2996	2504	Iqbbpm32.exe	99
PID 2504 wrote to memory of 2996	2504	Iqbbpm32.exe	99
PID 2504 wrote to memory of 2996	2504	Iqbbpm32.exe	99
PID 2996 wrote to memory of 5100	2996	Jkjcbe32.exe	100
PID 2996 wrote to memory of 5100	2996	Jkjcbe32.exe	100
PID 2996 wrote to memory of 5100	2996	Jkjcbe32.exe	100
PID 5100 wrote to memory of 840	5100	Jhndljll.exe	101
PID 5100 wrote to memory of 840	5100	Jhndljll.exe	101
PID 5100 wrote to memory of 840	5100	Jhndljll.exe	101
PID 840 wrote to memory of 2248	840	Jnkldqkc.exe	102
PID 840 wrote to memory of 2248	840	Jnkldqkc.exe	102
PID 840 wrote to memory of 2248	840	Jnkldqkc.exe	102
PID 2248 wrote to memory of 4432	2248	Jkomneim.exe	103
PID 2248 wrote to memory of 4432	2248	Jkomneim.exe	103
PID 2248 wrote to memory of 4432	2248	Jkomneim.exe	103
PID 4432 wrote to memory of 2128	4432	Kqnbkl32.exe	104
PID 4432 wrote to memory of 2128	4432	Kqnbkl32.exe	104
PID 4432 wrote to memory of 2128	4432	Kqnbkl32.exe	104
PID 2128 wrote to memory of 408	2128	Kjhcjq32.exe	105
PID 2128 wrote to memory of 408	2128	Kjhcjq32.exe	105
PID 2128 wrote to memory of 408	2128	Kjhcjq32.exe	105
PID 408 wrote to memory of 1800	408	Kgmcce32.exe	106
PID 408 wrote to memory of 1800	408	Kgmcce32.exe	106
PID 408 wrote to memory of 1800	408	Kgmcce32.exe	106
PID 1800 wrote to memory of 2752	1800	Kaehljpj.exe	108
PID 1800 wrote to memory of 2752	1800	Kaehljpj.exe	108
PID 1800 wrote to memory of 2752	1800	Kaehljpj.exe	108
PID 2752 wrote to memory of 364	2752	Kniieo32.exe	109
PID 2752 wrote to memory of 364	2752	Kniieo32.exe	109
PID 2752 wrote to memory of 364	2752	Kniieo32.exe	109
PID 364 wrote to memory of 2740	364	Kinmcg32.exe	110

C:\Users\Admin\AppData\Local\Temp\e43a69f3bfc9fa9f6878d9d8293bc180.exe
"C:\Users\Admin\AppData\Local\Temp\e43a69f3bfc9fa9f6878d9d8293bc180.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\Haoimcgg.exe
  C:\Windows\system32\Haoimcgg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\Hnfjbdmk.exe
    C:\Windows\system32\Hnfjbdmk.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\SysWOW64\Hpdfnolo.exe
      C:\Windows\system32\Hpdfnolo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1124
    - - C:\Windows\SysWOW64\Hkjjlhle.exe
        
        C:\Windows\system32\Hkjjlhle.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Idbodn32.exe
        
        C:\Windows\system32\Idbodn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Iqipio32.exe
        
        C:\Windows\system32\Iqipio32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Ikndgg32.exe
        
        C:\Windows\system32\Ikndgg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Iqklon32.exe
        
        C:\Windows\system32\Iqklon32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Igedlh32.exe
        
        C:\Windows\system32\Igedlh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Ihdafkdg.exe
        
        C:\Windows\system32\Ihdafkdg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Iqbbpm32.exe
        
        C:\Windows\system32\Iqbbpm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Jkjcbe32.exe
        
        C:\Windows\system32\Jkjcbe32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Jhndljll.exe
        
        C:\Windows\system32\Jhndljll.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Jnkldqkc.exe
        
        C:\Windows\system32\Jnkldqkc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Jkomneim.exe
        
        C:\Windows\system32\Jkomneim.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Kqnbkl32.exe
        
        C:\Windows\system32\Kqnbkl32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Kjhcjq32.exe
        
        C:\Windows\system32\Kjhcjq32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Kgmcce32.exe
        
        C:\Windows\system32\Kgmcce32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Kaehljpj.exe
        
        C:\Windows\system32\Kaehljpj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Kniieo32.exe
        
        C:\Windows\system32\Kniieo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Kinmcg32.exe
        
        C:\Windows\system32\Kinmcg32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Lajagj32.exe
        
        C:\Windows\system32\Lajagj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Ljbfpo32.exe
        
        C:\Windows\system32\Ljbfpo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Legjmh32.exe
        
        C:\Windows\system32\Legjmh32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Lkabjbih.exe
        
        C:\Windows\system32\Lkabjbih.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Lldopb32.exe
        
        C:\Windows\system32\Lldopb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Laqhhi32.exe
        
        C:\Windows\system32\Laqhhi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Leopnglc.exe
        
        C:\Windows\system32\Leopnglc.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Maeachag.exe
        
        C:\Windows\system32\Maeachag.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Mjneln32.exe
        
        C:\Windows\system32\Mjneln32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Mahnhhod.exe
        
        C:\Windows\system32\Mahnhhod.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\Mjpbam32.exe
        
        C:\Windows\system32\Mjpbam32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3992

C:\Windows\SysWOW64\Miaboe32.exe
C:\Windows\system32\Miaboe32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2876
- C:\Windows\SysWOW64\Mnnkgl32.exe
  C:\Windows\system32\Mnnkgl32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3828
- - C:\Windows\SysWOW64\Koodbl32.exe
    C:\Windows\system32\Koodbl32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:2524
  - - C:\Windows\SysWOW64\Knqepc32.exe
      C:\Windows\system32\Knqepc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      PID:2368
    - - C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
      - C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        7⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        8⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        12⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        16⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        17⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        26⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        29⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        33⤵
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        34⤵
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        37⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        39⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        41⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        43⤵
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1228
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        45⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        47⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        49⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        50⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        52⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        55⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        57⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        60⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        61⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        62⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        63⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        64⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        65⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4192
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        67⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        74⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        76⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        78⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        80⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        81⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        84⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        85⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        86⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        87⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        89⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        90⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        91⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 428
        92⤵
        Program crash
        
        PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5156 -ip 5156
1⤵
PID:5480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ekojppef.dll

Filesize
7KB

MD5
8d6ac8422dd1b426390c5406b87e1197

SHA1
a4d4991d2253539dc15b396ca68571e4104aae00

SHA256
2f7c65f88601459cd8d22200318d96f4cb0c2d33b9930a7bb50d5db989584059

SHA512
b3c3b6ec242250766e32c2f2022c919328b644d87ac2a0c53b0c897f6a85f2cb8d367c07053bc530049e76de766fd76f3db73469f2a23f962560e39bff5a60e8

Download Submit
C:\Windows\SysWOW64\Haoimcgg.exe

Filesize
111KB

MD5
ab17a7378518343ebd065ab35435229c

SHA1
dd62a3507423904620f4b2fcd0d455079c5d249a

SHA256
fc1634fe4d1e15890bc03e5abf185158d91918252af3927f9f75599aa6ecfe1d

SHA512
697080a2afde8100498b5fba827a4b397ddb23cc5cd949e944fc0c46a887cc62ff7de7bc3be8d70220c9f39311be8e44fc3084e2a928516f68cf77249c834b75

Download Submit
C:\Windows\SysWOW64\Haoimcgg.exe

Filesize
111KB

MD5
ab17a7378518343ebd065ab35435229c

SHA1
dd62a3507423904620f4b2fcd0d455079c5d249a

SHA256
fc1634fe4d1e15890bc03e5abf185158d91918252af3927f9f75599aa6ecfe1d

SHA512
697080a2afde8100498b5fba827a4b397ddb23cc5cd949e944fc0c46a887cc62ff7de7bc3be8d70220c9f39311be8e44fc3084e2a928516f68cf77249c834b75

Download Submit
C:\Windows\SysWOW64\Hkjjlhle.exe

Filesize
111KB

MD5
370e969cd868ffb0811036bea5ff7c16

SHA1
1e098b1900ccd4a9bb2e64152a431d3b62525020

SHA256
a3d16bf38d01796758516ecb1c881cc229cf8683f15681b22cc80e647f3efe43

SHA512
14d3853b1cf43157f17efa6217134a6a3dc19d3c8c3806dcf11dbf26e6cd1ea5d155dd289a6168cc2c3ae7f0237e6ed48d276ab4e24b25ba576595b4f4c66acd

Download Submit
C:\Windows\SysWOW64\Hkjjlhle.exe

Filesize
111KB

MD5
370e969cd868ffb0811036bea5ff7c16

SHA1
1e098b1900ccd4a9bb2e64152a431d3b62525020

SHA256
a3d16bf38d01796758516ecb1c881cc229cf8683f15681b22cc80e647f3efe43

SHA512
14d3853b1cf43157f17efa6217134a6a3dc19d3c8c3806dcf11dbf26e6cd1ea5d155dd289a6168cc2c3ae7f0237e6ed48d276ab4e24b25ba576595b4f4c66acd

Download Submit
C:\Windows\SysWOW64\Hnfjbdmk.exe

Filesize
111KB

MD5
f3efc55b43598aa0c47de2962db7cbb6

SHA1
926b04c96a54d819862e6b09c63a27f4a7a80a78

SHA256
66133eceb601edf3c925d960f7da74371268b71b5ce4899dd328b705aad22ef5

SHA512
3776d88f3d6ffe63f886c02a3b09af4d660d01baa799d7d920c2035808458534080a2ad4a9c6f265af523fc6d449dafdf17bee1bcf16706b6e3480b243025ccf

Download Submit
C:\Windows\SysWOW64\Hnfjbdmk.exe

Filesize
111KB

MD5
f3efc55b43598aa0c47de2962db7cbb6

SHA1
926b04c96a54d819862e6b09c63a27f4a7a80a78

SHA256
66133eceb601edf3c925d960f7da74371268b71b5ce4899dd328b705aad22ef5

SHA512
3776d88f3d6ffe63f886c02a3b09af4d660d01baa799d7d920c2035808458534080a2ad4a9c6f265af523fc6d449dafdf17bee1bcf16706b6e3480b243025ccf

Download Submit
C:\Windows\SysWOW64\Hpdfnolo.exe

Filesize
111KB

MD5
74a795e91a2404c3862ebcd3f52b99dd

SHA1
f520c184af4cd593e9e6da7a8b57e2813c82c00e

SHA256
b31ba98e4cc290dbdb688203734560b168ead8e0b4891cff02cd8739e550be31

SHA512
93c8c4f27ccd77aec5459aa38a37a3d378ad108d8e5cc10fc141ebda548a7b51d45b72089a7c4a4f307d9f557f69de463964a990430f8526645ea19eab8546ec

Download Submit
C:\Windows\SysWOW64\Hpdfnolo.exe

Filesize
111KB

MD5
74a795e91a2404c3862ebcd3f52b99dd

SHA1
f520c184af4cd593e9e6da7a8b57e2813c82c00e

SHA256
b31ba98e4cc290dbdb688203734560b168ead8e0b4891cff02cd8739e550be31

SHA512
93c8c4f27ccd77aec5459aa38a37a3d378ad108d8e5cc10fc141ebda548a7b51d45b72089a7c4a4f307d9f557f69de463964a990430f8526645ea19eab8546ec

Download Submit
C:\Windows\SysWOW64\Idbodn32.exe

Filesize
111KB

MD5
ce2006d0ed3fa79dc09862e91c5857a8

SHA1
3053a749174b5792c0d1f717f70533ba6656e1e0

SHA256
4220960e9b50f6c6c0e40507863217f0fb178d53915c71ca926ea675b893dddd

SHA512
8f09908adc52da34f90126899fa58570fd76f767afd3b5f258c24665277da4aa3c2a7d23472f63808139c812856481253765e198031746810d9cb34dc6925953

Download Submit
C:\Windows\SysWOW64\Idbodn32.exe

Filesize
111KB

MD5
ce2006d0ed3fa79dc09862e91c5857a8

SHA1
3053a749174b5792c0d1f717f70533ba6656e1e0

SHA256
4220960e9b50f6c6c0e40507863217f0fb178d53915c71ca926ea675b893dddd

SHA512
8f09908adc52da34f90126899fa58570fd76f767afd3b5f258c24665277da4aa3c2a7d23472f63808139c812856481253765e198031746810d9cb34dc6925953

Download Submit
C:\Windows\SysWOW64\Igedlh32.exe

Filesize
111KB

MD5
979c11ff6a5d792bc9c70bd17dea6590

SHA1
284c6707beef6ffde7c6e50ba1ac19b1f07d4c9e

SHA256
b1d68f0ae1a6cee77b5547ee87238fa94eb4e0876ef7938441554999131d4d37

SHA512
ecd0e72621c58f3f8d672b7a58a2a071c70a59adf3b95ba0c29bfb9171b4daed28f2c5fd719933fde4e6bee8322d2fdd9c5a5578091a82407e5c6657539c8b06

Download Submit
C:\Windows\SysWOW64\Igedlh32.exe

Filesize
111KB

MD5
979c11ff6a5d792bc9c70bd17dea6590

SHA1
284c6707beef6ffde7c6e50ba1ac19b1f07d4c9e

SHA256
b1d68f0ae1a6cee77b5547ee87238fa94eb4e0876ef7938441554999131d4d37

SHA512
ecd0e72621c58f3f8d672b7a58a2a071c70a59adf3b95ba0c29bfb9171b4daed28f2c5fd719933fde4e6bee8322d2fdd9c5a5578091a82407e5c6657539c8b06

Download Submit
C:\Windows\SysWOW64\Ihdafkdg.exe

Filesize
111KB

MD5
f2d8f63f1e94b64349963e88a31008c0

SHA1
c996e51f6af580b87d8b21bb4a828115f3e903f9

SHA256
ab53b2054e5279d0eac2166747837066b896dc37803fa4e23c90cf36239e94eb

SHA512
8ccf68017a1c2527d6e1237fd401f4a0b4eab575e547bded9dc2c6163bc1b93bafbdcd0b0d7914795fb67675aad30c1ac21dd5de6ae36c987620fb1433d67d36

Download Submit
C:\Windows\SysWOW64\Ihdafkdg.exe

Filesize
111KB

MD5
f2d8f63f1e94b64349963e88a31008c0

SHA1
c996e51f6af580b87d8b21bb4a828115f3e903f9

SHA256
ab53b2054e5279d0eac2166747837066b896dc37803fa4e23c90cf36239e94eb

SHA512
8ccf68017a1c2527d6e1237fd401f4a0b4eab575e547bded9dc2c6163bc1b93bafbdcd0b0d7914795fb67675aad30c1ac21dd5de6ae36c987620fb1433d67d36

Download Submit
C:\Windows\SysWOW64\Ikndgg32.exe

Filesize
111KB

MD5
07d669b751037d129f07390f0ee31a9b

SHA1
54d4145e75adaf3ed8c4c7697496b2b66fcc9114

SHA256
01e1ad33de459eda6e7cae102d173b93f108a69037fb37f8a2cf4a366b158c00

SHA512
9d3bb17bee6a57d6d1c22b40751c5a3779b8ca5942ec0b312215f4c0f01a2cc090062092b5f6989c94fb67a7794a51ddc516807da6a7f0520e5b6afb0efeb188

Download Submit
C:\Windows\SysWOW64\Ikndgg32.exe

Filesize
111KB

MD5
07d669b751037d129f07390f0ee31a9b

SHA1
54d4145e75adaf3ed8c4c7697496b2b66fcc9114

SHA256
01e1ad33de459eda6e7cae102d173b93f108a69037fb37f8a2cf4a366b158c00

SHA512
9d3bb17bee6a57d6d1c22b40751c5a3779b8ca5942ec0b312215f4c0f01a2cc090062092b5f6989c94fb67a7794a51ddc516807da6a7f0520e5b6afb0efeb188

Download Submit
C:\Windows\SysWOW64\Iqbbpm32.exe

Filesize
111KB

MD5
1d8402ae3c192796b5bca209faa17526

SHA1
dd0c52c5cf9e84512b05d43424f85888846d5836

SHA256
f670fad0e115f034a6fea9154413695f04d101b6db25bccfaf5c3f08ec63fb71

SHA512
5dceb9aa87fe4d067ea913f3f85722b05915cd5b7881eb0702702b4958fa47fdc8a3a1258297712543bff8f199148751789db44ad98eed2c58ab7e69ed73b2d0

Download Submit
C:\Windows\SysWOW64\Iqbbpm32.exe

Filesize
111KB

MD5
1d8402ae3c192796b5bca209faa17526

SHA1
dd0c52c5cf9e84512b05d43424f85888846d5836

SHA256
f670fad0e115f034a6fea9154413695f04d101b6db25bccfaf5c3f08ec63fb71

SHA512
5dceb9aa87fe4d067ea913f3f85722b05915cd5b7881eb0702702b4958fa47fdc8a3a1258297712543bff8f199148751789db44ad98eed2c58ab7e69ed73b2d0

Download Submit
C:\Windows\SysWOW64\Iqipio32.exe

Filesize
111KB

MD5
89eac6f0bdd5091cb9428802bdaa029e

SHA1
07ba64cacc5a10038f4081b59c0ceae0155eed42

SHA256
5a248fbb6c48e13a584cb8be1def85719265704925cc310f5b6d995c8e0db156

SHA512
a1de1d0ffe293effb3f25bba39c27630cdb52a1ba73e8cbb82ec8e4ba22dd9a1b2cf359fd179ab8bd496d110369d2f8c18af73c68bb5189d178c1cdf2b6b2985

Download Submit
C:\Windows\SysWOW64\Iqipio32.exe

Filesize
111KB

MD5
89eac6f0bdd5091cb9428802bdaa029e

SHA1
07ba64cacc5a10038f4081b59c0ceae0155eed42

SHA256
5a248fbb6c48e13a584cb8be1def85719265704925cc310f5b6d995c8e0db156

SHA512
a1de1d0ffe293effb3f25bba39c27630cdb52a1ba73e8cbb82ec8e4ba22dd9a1b2cf359fd179ab8bd496d110369d2f8c18af73c68bb5189d178c1cdf2b6b2985

Download Submit
C:\Windows\SysWOW64\Iqklon32.exe

Filesize
111KB

MD5
2f5ddff379d811b4a34a1685ecc22404

SHA1
b5e4a9d8d92470614f130af4bc269f16b433744f

SHA256
88e493b6249e1bfafc9f192066362eb671424d3ec0a5fc159d5ed433d63d7e66

SHA512
2c74161769a76ebbe4d8896a86b2c63cb8d7c9b0c28c5475a28bee13c28bdded4215bf0a570baad621ed7682d78f1800057153df21ed60df3b064dd1711d9c48

Download Submit
C:\Windows\SysWOW64\Iqklon32.exe

Filesize
111KB

MD5
2f5ddff379d811b4a34a1685ecc22404

SHA1
b5e4a9d8d92470614f130af4bc269f16b433744f

SHA256
88e493b6249e1bfafc9f192066362eb671424d3ec0a5fc159d5ed433d63d7e66

SHA512
2c74161769a76ebbe4d8896a86b2c63cb8d7c9b0c28c5475a28bee13c28bdded4215bf0a570baad621ed7682d78f1800057153df21ed60df3b064dd1711d9c48

Download Submit
C:\Windows\SysWOW64\Jhndljll.exe

Filesize
111KB

MD5
fc7bbb87fc9459c95bf144ca4accac93

SHA1
6eea2f2ea23708885a318e0ac14df9b382903012

SHA256
e0aaea1e27a76cd751e7c4063ee34e7e722859f2b6efc4de21eea92026a158d5

SHA512
dd73490eb116694870628dffeb09ec120060599ad5d7d0f537df98289f245b55cd1ffbb2654b69191576d23b943d20fb0a8c9af868bedb8135cb16a9b8170853

Download Submit
C:\Windows\SysWOW64\Jhndljll.exe

Filesize
111KB

MD5
fc7bbb87fc9459c95bf144ca4accac93

SHA1
6eea2f2ea23708885a318e0ac14df9b382903012

SHA256
e0aaea1e27a76cd751e7c4063ee34e7e722859f2b6efc4de21eea92026a158d5

SHA512
dd73490eb116694870628dffeb09ec120060599ad5d7d0f537df98289f245b55cd1ffbb2654b69191576d23b943d20fb0a8c9af868bedb8135cb16a9b8170853

Download Submit
C:\Windows\SysWOW64\Jkjcbe32.exe

Filesize
111KB

MD5
6ef1094c10c4465fa48948c4b2fc9184

SHA1
8b678e1f71ccb61d47fecf3ed03b9f02015aa474

SHA256
f15439382395b3381aeb6c04b7f5b2b56ff47861c18977ac56ddd8c46c500514

SHA512
e9b0d1f04f602a78bd98f42d21df177c63db24d902473ea666b106bdff227f24b655b32629cb9d14dc212b27811d569be5f253e19caf5e20ee0e3eaa1d461e88

Download Submit
C:\Windows\SysWOW64\Jkjcbe32.exe

Filesize
111KB

MD5
6ef1094c10c4465fa48948c4b2fc9184

SHA1
8b678e1f71ccb61d47fecf3ed03b9f02015aa474

SHA256
f15439382395b3381aeb6c04b7f5b2b56ff47861c18977ac56ddd8c46c500514

SHA512
e9b0d1f04f602a78bd98f42d21df177c63db24d902473ea666b106bdff227f24b655b32629cb9d14dc212b27811d569be5f253e19caf5e20ee0e3eaa1d461e88

Download Submit
C:\Windows\SysWOW64\Jkomneim.exe

Filesize
111KB

MD5
56dfc744ad4413c64c91fc9cb965c836

SHA1
3e538ee759bff064fc46101ebe46500613ec5269

SHA256
fcb37f4e6fae100a3797750230f06b919a6d1e7d4e1ffeef286b4801e4d87ac5

SHA512
f6f8a8abd19b584158239c09cdf299aac58223f50d61aa9815d90167bfd80b4c6d298041a53b139860b0856bbf0f0164eec28425afba8c0ef1b9993fb51f2e93

Download Submit
C:\Windows\SysWOW64\Jkomneim.exe

Filesize
111KB

MD5
56dfc744ad4413c64c91fc9cb965c836

SHA1
3e538ee759bff064fc46101ebe46500613ec5269

SHA256
fcb37f4e6fae100a3797750230f06b919a6d1e7d4e1ffeef286b4801e4d87ac5

SHA512
f6f8a8abd19b584158239c09cdf299aac58223f50d61aa9815d90167bfd80b4c6d298041a53b139860b0856bbf0f0164eec28425afba8c0ef1b9993fb51f2e93

Download Submit
C:\Windows\SysWOW64\Jnkldqkc.exe

Filesize
111KB

MD5
c630fb3eed34cc7569a92987bc6462a1

SHA1
9bf3731be2bec958c69c10667b8ccf0e5bbbfd6a

SHA256
4631939319cc0f460091f0e7ecb9c31760280cc23c66e3abef0eeb87b73d7139

SHA512
a0e641e783f35001f180ed6f7b3e38931fc1921d0d99b0a8a9b28616e34a097de159454826305c3317802b4b36f3949c3c828a5181ceb30bf35df0ed99bcf642

Download Submit
C:\Windows\SysWOW64\Jnkldqkc.exe

Filesize
111KB

MD5
c630fb3eed34cc7569a92987bc6462a1

SHA1
9bf3731be2bec958c69c10667b8ccf0e5bbbfd6a

SHA256
4631939319cc0f460091f0e7ecb9c31760280cc23c66e3abef0eeb87b73d7139

SHA512
a0e641e783f35001f180ed6f7b3e38931fc1921d0d99b0a8a9b28616e34a097de159454826305c3317802b4b36f3949c3c828a5181ceb30bf35df0ed99bcf642

Download Submit
C:\Windows\SysWOW64\Kaehljpj.exe

Filesize
111KB

MD5
d1a886acc50d05e500a9aaef76136929

SHA1
65ac945d5d900c37c7444f4da73e6550586f49cd

SHA256
836f67c67f0ec6f526e846ce686119c53e923f7cdbb7d4dd392b303263f7af4e

SHA512
1aba4f68a9e88bdf2209e01eae930228a6bd024944981f80d9ef27e80c502cc1fabf37fe4f93467c2d0c1d5b314660e6c5279e7aaa6374b9b37e3cf9b0918fa9

Download Submit
C:\Windows\SysWOW64\Kaehljpj.exe

Filesize
111KB

MD5
d1a886acc50d05e500a9aaef76136929

SHA1
65ac945d5d900c37c7444f4da73e6550586f49cd

SHA256
836f67c67f0ec6f526e846ce686119c53e923f7cdbb7d4dd392b303263f7af4e

SHA512
1aba4f68a9e88bdf2209e01eae930228a6bd024944981f80d9ef27e80c502cc1fabf37fe4f93467c2d0c1d5b314660e6c5279e7aaa6374b9b37e3cf9b0918fa9

Download Submit
C:\Windows\SysWOW64\Kgmcce32.exe

Filesize
111KB

MD5
ddfcd06b8f140a877cf69297fb0b5b93

SHA1
be6e835191cacd57faf523e065685797a9f0b01c

SHA256
d1785f0df1dc8daf17b5a15dd3e88e9ea33fb9d00d6f73471d7609154926c313

SHA512
2e01fab5617a17d621d26533e1b0e64b5bcde864f134c955a60f2b2f7661f58ff760f0d96bf78adfae67d9550890e4473fd3c2df8083f15a83851e69c2ff9189

Download Submit
C:\Windows\SysWOW64\Kgmcce32.exe

Filesize
111KB

MD5
ddfcd06b8f140a877cf69297fb0b5b93

SHA1
be6e835191cacd57faf523e065685797a9f0b01c

SHA256
d1785f0df1dc8daf17b5a15dd3e88e9ea33fb9d00d6f73471d7609154926c313

SHA512
2e01fab5617a17d621d26533e1b0e64b5bcde864f134c955a60f2b2f7661f58ff760f0d96bf78adfae67d9550890e4473fd3c2df8083f15a83851e69c2ff9189

Download Submit
C:\Windows\SysWOW64\Kinmcg32.exe

Filesize
111KB

MD5
528fe42209501b8b765a974d45decf25

SHA1
444371f1c9cf6d5e8066a5792c1e69325edd0e59

SHA256
8814c6bb2daa983c17929732ee3baa89728c82475253e5ff274694414a0e8f46

SHA512
377a28a26f24883c9be875570240d7fe8a40f64c9d0cffd93e1a7e8d7df34f30db4fb5313da68dc74e57a734c28831369f9a5fc0fbb0548d56f8203574cff4bf

Download Submit
C:\Windows\SysWOW64\Kinmcg32.exe

Filesize
111KB

MD5
528fe42209501b8b765a974d45decf25

SHA1
444371f1c9cf6d5e8066a5792c1e69325edd0e59

SHA256
8814c6bb2daa983c17929732ee3baa89728c82475253e5ff274694414a0e8f46

SHA512
377a28a26f24883c9be875570240d7fe8a40f64c9d0cffd93e1a7e8d7df34f30db4fb5313da68dc74e57a734c28831369f9a5fc0fbb0548d56f8203574cff4bf

Download Submit
C:\Windows\SysWOW64\Kjhcjq32.exe

Filesize
111KB

MD5
9121d29a825cea44361a0d2cb672302b

SHA1
21114343fd0ff104847fedb470387638cc7cd7ae

SHA256
2f7f1aa980cde316ef500923d67c7f5b65d66900d00ce59c209435cc4802bc07

SHA512
761580c31305cab963c5979561d149c2afae23caf02e4106b91ea1fb7c3b80cbc2267af0f0ab55cac08a155d5f90836dddd1eafe71f7013411600d27570c01a5

Download Submit
C:\Windows\SysWOW64\Kjhcjq32.exe

Filesize
111KB

MD5
9121d29a825cea44361a0d2cb672302b

SHA1
21114343fd0ff104847fedb470387638cc7cd7ae

SHA256
2f7f1aa980cde316ef500923d67c7f5b65d66900d00ce59c209435cc4802bc07

SHA512
761580c31305cab963c5979561d149c2afae23caf02e4106b91ea1fb7c3b80cbc2267af0f0ab55cac08a155d5f90836dddd1eafe71f7013411600d27570c01a5

Download Submit
C:\Windows\SysWOW64\Kniieo32.exe

Filesize
111KB

MD5
f231c059e4c5a84943293da6da9dc9f0

SHA1
92e538064137b02902a14cad4a72dc36cb55cd47

SHA256
d7adb73a1dd1d7311ffa1d17f3c42736188e0954d0ca09b20d22767bf536b3bd

SHA512
eba988b0f7c5c4099a78a9c42b3ac07a4d3dbf293ca02baa96a3757a23081257ad24a6b4e5ca4736fe584c85cd5c5aecb27a03bbfb1fb7482e09dcbb053a67b5

Download Submit
C:\Windows\SysWOW64\Kniieo32.exe

Filesize
111KB

MD5
f231c059e4c5a84943293da6da9dc9f0

SHA1
92e538064137b02902a14cad4a72dc36cb55cd47

SHA256
d7adb73a1dd1d7311ffa1d17f3c42736188e0954d0ca09b20d22767bf536b3bd

SHA512
eba988b0f7c5c4099a78a9c42b3ac07a4d3dbf293ca02baa96a3757a23081257ad24a6b4e5ca4736fe584c85cd5c5aecb27a03bbfb1fb7482e09dcbb053a67b5

Download Submit
C:\Windows\SysWOW64\Kqnbkl32.exe

Filesize
111KB

MD5
a5832c6ccadd97803abad10069151826

SHA1
50bfcfb6454476c449842f30c4b6c51a193bb359

SHA256
c2fdc53cfe665cd686522975277e9a28eee631c85b0298fbaee6dc08e33d0fd7

SHA512
fdcaf58cd9827111579241dd615a19d0a006b44b65238b690754261e643f6a3df2af46ba5980c34fef071f27d3d931d45444b0a3ad41bf79791ea37254d5e8c9

Download Submit
C:\Windows\SysWOW64\Kqnbkl32.exe

Filesize
111KB

MD5
a5832c6ccadd97803abad10069151826

SHA1
50bfcfb6454476c449842f30c4b6c51a193bb359

SHA256
c2fdc53cfe665cd686522975277e9a28eee631c85b0298fbaee6dc08e33d0fd7

SHA512
fdcaf58cd9827111579241dd615a19d0a006b44b65238b690754261e643f6a3df2af46ba5980c34fef071f27d3d931d45444b0a3ad41bf79791ea37254d5e8c9

Download Submit
C:\Windows\SysWOW64\Lajagj32.exe

Filesize
111KB

MD5
528fe42209501b8b765a974d45decf25

SHA1
444371f1c9cf6d5e8066a5792c1e69325edd0e59

SHA256
8814c6bb2daa983c17929732ee3baa89728c82475253e5ff274694414a0e8f46

SHA512
377a28a26f24883c9be875570240d7fe8a40f64c9d0cffd93e1a7e8d7df34f30db4fb5313da68dc74e57a734c28831369f9a5fc0fbb0548d56f8203574cff4bf

Download Submit
C:\Windows\SysWOW64\Lajagj32.exe

Filesize
111KB

MD5
3c23436c0b1d2ab26e598ea2006f75ed

SHA1
0ba18bed8c2eb5c8d4e37da3b89f535c8ada995f

SHA256
ae63a67b47582a2e0cb8405f9bba36389389a0586c158f1cce10507564e6cf99

SHA512
5b19704d7b9e67f4b7e5209f517f64bc4510ab31591fbcb6ed53a05cd816d3007448bef527ca1ffbc52c9f966230bc25fcdc494ced846eb5c1675459d8234067

Download Submit
C:\Windows\SysWOW64\Lajagj32.exe

Filesize
111KB

MD5
3c23436c0b1d2ab26e598ea2006f75ed

SHA1
0ba18bed8c2eb5c8d4e37da3b89f535c8ada995f

SHA256
ae63a67b47582a2e0cb8405f9bba36389389a0586c158f1cce10507564e6cf99

SHA512
5b19704d7b9e67f4b7e5209f517f64bc4510ab31591fbcb6ed53a05cd816d3007448bef527ca1ffbc52c9f966230bc25fcdc494ced846eb5c1675459d8234067

Download Submit
C:\Windows\SysWOW64\Laqhhi32.exe

Filesize
111KB

MD5
7a0931c2c5717c92ee12037e1452ef01

SHA1
d72ec48f8892e362482251e6762d4026a80d9fb4

SHA256
a4df6ef86f4d81fe726eb54f88cdd938197d29c80e0231de18f046de79586dd4

SHA512
cbb3b1d5db5e1e56ae54cc5e5a2c6c33e83bbbc5792354d24deee136395a06776d22824cd03c90d0993e7c7b317e959209a2769630e50dfd3b7b44a22bbd8e8f

Download Submit
C:\Windows\SysWOW64\Laqhhi32.exe

Filesize
111KB

MD5
7a0931c2c5717c92ee12037e1452ef01

SHA1
d72ec48f8892e362482251e6762d4026a80d9fb4

SHA256
a4df6ef86f4d81fe726eb54f88cdd938197d29c80e0231de18f046de79586dd4

SHA512
cbb3b1d5db5e1e56ae54cc5e5a2c6c33e83bbbc5792354d24deee136395a06776d22824cd03c90d0993e7c7b317e959209a2769630e50dfd3b7b44a22bbd8e8f

Download Submit
C:\Windows\SysWOW64\Legjmh32.exe

Filesize
111KB

MD5
8e1cbe637e1b8e623a0308654c401d42

SHA1
5e7ce0c25e6e851eea95d3d32785c0b7dfa4ce06

SHA256
c0536578611ceb031bc2991004705888b2c0079dfc7929edb7edaaaea2a8b48d

SHA512
b0f8c9b572e5e2973699900dafd180e3a7980493e8fd6882b091b86ae3d63cf65b4ed6a513deefc7b8f1c3f33dfbd40d0c9f775e3a59c73e7c01972b56f1eb77

Download Submit
C:\Windows\SysWOW64\Legjmh32.exe

Filesize
111KB

MD5
8e1cbe637e1b8e623a0308654c401d42

SHA1
5e7ce0c25e6e851eea95d3d32785c0b7dfa4ce06

SHA256
c0536578611ceb031bc2991004705888b2c0079dfc7929edb7edaaaea2a8b48d

SHA512
b0f8c9b572e5e2973699900dafd180e3a7980493e8fd6882b091b86ae3d63cf65b4ed6a513deefc7b8f1c3f33dfbd40d0c9f775e3a59c73e7c01972b56f1eb77

Download Submit
C:\Windows\SysWOW64\Leopnglc.exe

Filesize
111KB

MD5
7a0931c2c5717c92ee12037e1452ef01

SHA1
d72ec48f8892e362482251e6762d4026a80d9fb4

SHA256
a4df6ef86f4d81fe726eb54f88cdd938197d29c80e0231de18f046de79586dd4

SHA512
cbb3b1d5db5e1e56ae54cc5e5a2c6c33e83bbbc5792354d24deee136395a06776d22824cd03c90d0993e7c7b317e959209a2769630e50dfd3b7b44a22bbd8e8f

Download Submit
C:\Windows\SysWOW64\Leopnglc.exe

Filesize
111KB

MD5
1d71e8affeff5fa9e801b5bda3f0de14

SHA1
e4b7ba60929821e632219ebec4bfa5baf49f8d51

SHA256
1b598880f941718ad897298e13bab6d7286fb663da9f0b24711864c29075f504

SHA512
9e3b1e8fd6d86cae307e201fd1ff3a0bd78aff8a2d1d6626b4818565b3d20d9ffe3e365e3da4769ce762096f9880493f3cf0a35b6e105d28c8800895b72e9be1

Download Submit
C:\Windows\SysWOW64\Leopnglc.exe

Filesize
111KB

MD5
1d71e8affeff5fa9e801b5bda3f0de14

SHA1
e4b7ba60929821e632219ebec4bfa5baf49f8d51

SHA256
1b598880f941718ad897298e13bab6d7286fb663da9f0b24711864c29075f504

SHA512
9e3b1e8fd6d86cae307e201fd1ff3a0bd78aff8a2d1d6626b4818565b3d20d9ffe3e365e3da4769ce762096f9880493f3cf0a35b6e105d28c8800895b72e9be1

Download Submit
C:\Windows\SysWOW64\Ljbfpo32.exe

Filesize
111KB

MD5
2765347a5e07d50aaff055d8a291d69b

SHA1
378528d44985abd03fcd640000db95f71d83cd64

SHA256
90bcc4ccbfd3962e4f2a4caeee8e2083041c6bdfe6959e4e3bd6e0c072fdb4cc

SHA512
b3a2bbeaf03837b5a30dea4336030ffa16a2cad525a8057bd3a562648893d2c1adbe92b78d1d0861c56a278ee6dcfdb0e06e2baa0f6ee0c40609804dd07f7544

Download Submit
C:\Windows\SysWOW64\Ljbfpo32.exe

Filesize
111KB

MD5
2765347a5e07d50aaff055d8a291d69b

SHA1
378528d44985abd03fcd640000db95f71d83cd64

SHA256
90bcc4ccbfd3962e4f2a4caeee8e2083041c6bdfe6959e4e3bd6e0c072fdb4cc

SHA512
b3a2bbeaf03837b5a30dea4336030ffa16a2cad525a8057bd3a562648893d2c1adbe92b78d1d0861c56a278ee6dcfdb0e06e2baa0f6ee0c40609804dd07f7544

Download Submit
C:\Windows\SysWOW64\Lkabjbih.exe

Filesize
111KB

MD5
73541a21883539ac845f70ee12bf6f67

SHA1
2feb700cad4ca72fa3c35c4ae925d71d1f4a2e78

SHA256
b4ffd47bdcfb1398c0ee4e4d2eb929111c903a935bc104a34f3928207dfe1c1a

SHA512
ce7c999a1cf86ce8ec865abf4caf0321f6a4228405450a9d8b88a4d4d6e8936086b7c7adda27da35c107eed3c86518db9c0d8c52da7e990c808dedfa8796ece8

Download Submit
C:\Windows\SysWOW64\Lkabjbih.exe

Filesize
111KB

MD5
73541a21883539ac845f70ee12bf6f67

SHA1
2feb700cad4ca72fa3c35c4ae925d71d1f4a2e78

SHA256
b4ffd47bdcfb1398c0ee4e4d2eb929111c903a935bc104a34f3928207dfe1c1a

SHA512
ce7c999a1cf86ce8ec865abf4caf0321f6a4228405450a9d8b88a4d4d6e8936086b7c7adda27da35c107eed3c86518db9c0d8c52da7e990c808dedfa8796ece8

Download Submit
C:\Windows\SysWOW64\Lldopb32.exe

Filesize
111KB

MD5
c05e7fac090f13411bbdd51b2a97d98e

SHA1
28a425834771fb221865a0a82beb7ef384467463

SHA256
6d45282f058ade34956b4636524d3382fd58fd63424da7cada297f8eb99cc292

SHA512
110fc0915ef952ca27b89d60ee9983bfc0db6ca794c7196d5306bf8dd19a5ad2a3ca5067014dfe10d00411ae50eca0f7065f6bfd72ed98941cf8ddc35928b24e

Download Submit
C:\Windows\SysWOW64\Lldopb32.exe

Filesize
111KB

MD5
c05e7fac090f13411bbdd51b2a97d98e

SHA1
28a425834771fb221865a0a82beb7ef384467463

SHA256
6d45282f058ade34956b4636524d3382fd58fd63424da7cada297f8eb99cc292

SHA512
110fc0915ef952ca27b89d60ee9983bfc0db6ca794c7196d5306bf8dd19a5ad2a3ca5067014dfe10d00411ae50eca0f7065f6bfd72ed98941cf8ddc35928b24e

Download Submit
C:\Windows\SysWOW64\Maeachag.exe

Filesize
111KB

MD5
c18d7c0a7f3e68831ac9badd962f8137

SHA1
6d90e0ffad31e5d5bbd55af0f7ea8e4a88070bd9

SHA256
581a6d7aa72894fd53ff92975e4c06d0d92bdcc08fc98847daa8279cb5567f16

SHA512
ea4f87163b58104f84e25f30aa043f1b295b351c8e95726a4db4bc9d945670e993eed008a41d3c85e3794d1561c5ee92eaae6516214b6e18f27d73441989b426

Download Submit
C:\Windows\SysWOW64\Maeachag.exe

Filesize
111KB

MD5
c18d7c0a7f3e68831ac9badd962f8137

SHA1
6d90e0ffad31e5d5bbd55af0f7ea8e4a88070bd9

SHA256
581a6d7aa72894fd53ff92975e4c06d0d92bdcc08fc98847daa8279cb5567f16

SHA512
ea4f87163b58104f84e25f30aa043f1b295b351c8e95726a4db4bc9d945670e993eed008a41d3c85e3794d1561c5ee92eaae6516214b6e18f27d73441989b426

Download Submit
C:\Windows\SysWOW64\Mahnhhod.exe

Filesize
111KB

MD5
96fb1f7bb8dea6ff060a3e59dde523ed

SHA1
b921c08330ea34dea4c6d8b863721bd28940b8a6

SHA256
6ac030a1125471c73f19b9a224b4889a00ad8b2518354bffef9d2bd6a181732f

SHA512
dfff0c16fafecbd3867154424f94326d06fda867b29202761ab3b60e613607dda4f8b6ad9fc1f7d8b0798e448fd968d0483f3636cce98c3ba60f8ec1003eb6c9

Download Submit
C:\Windows\SysWOW64\Mahnhhod.exe

Filesize
111KB

MD5
96fb1f7bb8dea6ff060a3e59dde523ed

SHA1
b921c08330ea34dea4c6d8b863721bd28940b8a6

SHA256
6ac030a1125471c73f19b9a224b4889a00ad8b2518354bffef9d2bd6a181732f

SHA512
dfff0c16fafecbd3867154424f94326d06fda867b29202761ab3b60e613607dda4f8b6ad9fc1f7d8b0798e448fd968d0483f3636cce98c3ba60f8ec1003eb6c9

Download Submit
C:\Windows\SysWOW64\Mjneln32.exe

Filesize
111KB

MD5
ee2873f2b95019495761473aa3568a64

SHA1
51e6428d6b7e6281549297763d3e23ba24b6b77b

SHA256
4ca5dfd917d24db3e5131829c468630d954883c7874b86bf95f9873998d3cf26

SHA512
1957ea06838ff1fbab721360328e4b087c41299c9f0e0ba912b92cc86b4f0cdc01a1ebae9a83809b1f17dd87ad13ddee85f657c98b31609f46f1c9eaa04d23c2

Download Submit
C:\Windows\SysWOW64\Mjneln32.exe

Filesize
111KB

MD5
ee2873f2b95019495761473aa3568a64

SHA1
51e6428d6b7e6281549297763d3e23ba24b6b77b

SHA256
4ca5dfd917d24db3e5131829c468630d954883c7874b86bf95f9873998d3cf26

SHA512
1957ea06838ff1fbab721360328e4b087c41299c9f0e0ba912b92cc86b4f0cdc01a1ebae9a83809b1f17dd87ad13ddee85f657c98b31609f46f1c9eaa04d23c2

Download Submit
C:\Windows\SysWOW64\Mjpbam32.exe

Filesize
111KB

MD5
8637f7985ded46741826eddcf23a459c

SHA1
127d273e4f192e14fb03fa6c4f66d7a961178e6f

SHA256
ccc17c91bd239c6be52ea44e2411c30946daa83affbc3320d2ce159931b599c1

SHA512
934eff01361bf47aad6190a33edd4e5321ba7798b1262b84ff61156dcd23f0549b3d1d7bcaef1d176e7c820f3bdf4432559d78660dd4d670162147778d45a314

Download Submit
C:\Windows\SysWOW64\Mjpbam32.exe

Filesize
111KB

MD5
8637f7985ded46741826eddcf23a459c

SHA1
127d273e4f192e14fb03fa6c4f66d7a961178e6f

SHA256
ccc17c91bd239c6be52ea44e2411c30946daa83affbc3320d2ce159931b599c1

SHA512
934eff01361bf47aad6190a33edd4e5321ba7798b1262b84ff61156dcd23f0549b3d1d7bcaef1d176e7c820f3bdf4432559d78660dd4d670162147778d45a314

Download Submit
C:\Windows\SysWOW64\Mmpmnl32.exe

Filesize
111KB

MD5
c5f0dee36b59248085394f5bea45582e

SHA1
4947daf4e1e9abf85079b7e0ca5e540e9f5dc008

SHA256
d72fb2ea323e3ce0bbee138394d2d358f035f5dd8777ef657bd38c96dda277ad

SHA512
0910498c02913c4483d4454ecef4ff9fd6194bf5791b401fb3407e2b2dbfc8c3156cc6793cbcac308945b70db82d90007a2eda95f3be6b557d6b838cc2a6f1b6

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
111KB

MD5
248ea2753b14b7b3a30f3ff29fa414b1

SHA1
7f4c75033eaccd3edd072644cff04000687157f4

SHA256
f8f43620ac6c5d64a7a5e596b638f1ad3033105723883c2a5eee2e41623400e6

SHA512
40f6271a6282345a1656b079a78d7ff0430d8807fe1e32299e33cc2259039356defeb0d895d65fdd06133187c6eae351d2fc9b67f9ac96949b5640aa2bc6d001

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
111KB

MD5
c12007036aa73eb15296269275db7f4d

SHA1
bedfb6de694d3d9658f30c723470f9601657c24f

SHA256
f326967586e99779bf6429904bdc012cb28a006049312caf2a8fc04e510068bb

SHA512
fe7a76c0eededfee8f2f6b554ef011ebf253af70474915992b668cf76c9e854c76895f40f14b3b3e71f4a8907973f490ca360e49806b810c6274fee228854c69

Download Submit
memory/208-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/364-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/408-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/412-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/840-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/844-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/972-440-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1156-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1232-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1236-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1276-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1348-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1396-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1536-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1620-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1668-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1800-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1932-196-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2160-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2176-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2248-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2272-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-284-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2524-283-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2660-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2716-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2752-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2984-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2988-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2996-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3248-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3280-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3328-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3332-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3436-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3472-212-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3648-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3828-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3992-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4052-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4176-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4196-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4352-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4512-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4524-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4540-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4668-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4700-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4812-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4852-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads