96fcc23e0e4c368aba1b25ceac76c2fa16cfab4d39397484a9fcce67b0a9efe8

Analysis

max time kernel
93s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Proxy.Win32.Qukart.exe
Size

136KB
MD5

eda86996a251efea93e5da4599fb3386
SHA1

dc50fcbb4c1a0c318bdcb089bb407c3ab3335b3e
SHA256

96fcc23e0e4c368aba1b25ceac76c2fa16cfab4d39397484a9fcce67b0a9efe8
SHA512

c5012816100657fdb57fbb67a82101691cefabf03349b78b0f8fd3bb4a7812c44418d70b9c55c021e22a7edbf4af35cac21674b8195e5a34779b3c4c6a574e1f
SSDEEP

3072:XEsjxRcZCvutc/ijmusohLwdNbw+Y92xQuohLwdNbw5bxH0zVWccA:LRs2ijmusohxd2Quohdbd0zscj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Trojan-Proxy.Win32.Qukart.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe

Executes dropped EXE 64 IoCs

pid	Process
3092	Hadkpm32.exe
2756	Hfachc32.exe
4476	Hippdo32.exe
2256	Hcedaheh.exe
2260	Hjolnb32.exe
4412	Hmmhjm32.exe
1232	Icgqggce.exe
2056	Ijaida32.exe
3216	Iakaql32.exe
2572	Icjmmg32.exe
2116	Ifhiib32.exe
4856	Iiffen32.exe
3904	Ipqnahgf.exe
2596	Ibojncfj.exe
3832	Ifjfnb32.exe
4892	Imdnklfp.exe
3036	Ipckgh32.exe
4896	Imgkql32.exe
5004	Ipegmg32.exe
1332	Ifopiajn.exe
4364	Imihfl32.exe
1468	Jdcpcf32.exe
4128	Jjmhppqd.exe
536	Jiphkm32.exe
4876	Jpjqhgol.exe
1980	Jbhmdbnp.exe
3144	Jmnaakne.exe
2096	Jplmmfmi.exe
4300	Jbkjjblm.exe
4840	Jidbflcj.exe
4436	Jaljgidl.exe
3188	Jbmfoa32.exe
4648	Jkdnpo32.exe
4996	Jmbklj32.exe
4520	Jpaghf32.exe
4628	Jbocea32.exe
4260	Jiikak32.exe
772	Kaqcbi32.exe
1012	Kpccnefa.exe
2700	Kbapjafe.exe
3252	Kkihknfg.exe
1448	Kmgdgjek.exe
3496	Kacphh32.exe
2796	Kpepcedo.exe
3164	Kbdmpqcb.exe
4236	Kkkdan32.exe
3120	Kmjqmi32.exe
4112	Kphmie32.exe
1724	Kbfiep32.exe
2988	Kknafn32.exe
1224	Kipabjil.exe
2420	Kagichjo.exe
2400	Kdffocib.exe
2124	Kcifkp32.exe
1640	Kkpnlm32.exe
2812	Kmnjhioc.exe
4492	Kpmfddnf.exe
4248	Kdhbec32.exe
2416	Kckbqpnj.exe
1184	Liekmj32.exe
3416	Lmqgnhmp.exe
540	Lpocjdld.exe
3396	Lcmofolg.exe
2032	Lgikfn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3840	5888	WerFault.exe	211

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	Trojan-Proxy.Win32.Qukart.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Trojan-Proxy.Win32.Qukart.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 3092	3240	Trojan-Proxy.Win32.Qukart.exe	89
PID 3240 wrote to memory of 3092	3240	Trojan-Proxy.Win32.Qukart.exe	89
PID 3240 wrote to memory of 3092	3240	Trojan-Proxy.Win32.Qukart.exe	89
PID 3092 wrote to memory of 2756	3092	Hadkpm32.exe	90
PID 3092 wrote to memory of 2756	3092	Hadkpm32.exe	90
PID 3092 wrote to memory of 2756	3092	Hadkpm32.exe	90
PID 2756 wrote to memory of 4476	2756	Hfachc32.exe	91
PID 2756 wrote to memory of 4476	2756	Hfachc32.exe	91
PID 2756 wrote to memory of 4476	2756	Hfachc32.exe	91
PID 4476 wrote to memory of 2256	4476	Hippdo32.exe	92
PID 4476 wrote to memory of 2256	4476	Hippdo32.exe	92
PID 4476 wrote to memory of 2256	4476	Hippdo32.exe	92
PID 2256 wrote to memory of 2260	2256	Hcedaheh.exe	93
PID 2256 wrote to memory of 2260	2256	Hcedaheh.exe	93
PID 2256 wrote to memory of 2260	2256	Hcedaheh.exe	93
PID 2260 wrote to memory of 4412	2260	Hjolnb32.exe	94
PID 2260 wrote to memory of 4412	2260	Hjolnb32.exe	94
PID 2260 wrote to memory of 4412	2260	Hjolnb32.exe	94
PID 4412 wrote to memory of 1232	4412	Hmmhjm32.exe	95
PID 4412 wrote to memory of 1232	4412	Hmmhjm32.exe	95
PID 4412 wrote to memory of 1232	4412	Hmmhjm32.exe	95
PID 1232 wrote to memory of 2056	1232	Icgqggce.exe	96
PID 1232 wrote to memory of 2056	1232	Icgqggce.exe	96
PID 1232 wrote to memory of 2056	1232	Icgqggce.exe	96
PID 2056 wrote to memory of 3216	2056	Ijaida32.exe	97
PID 2056 wrote to memory of 3216	2056	Ijaida32.exe	97
PID 2056 wrote to memory of 3216	2056	Ijaida32.exe	97
PID 3216 wrote to memory of 2572	3216	Iakaql32.exe	98
PID 3216 wrote to memory of 2572	3216	Iakaql32.exe	98
PID 3216 wrote to memory of 2572	3216	Iakaql32.exe	98
PID 2572 wrote to memory of 2116	2572	Icjmmg32.exe	100
PID 2572 wrote to memory of 2116	2572	Icjmmg32.exe	100
PID 2572 wrote to memory of 2116	2572	Icjmmg32.exe	100
PID 2116 wrote to memory of 4856	2116	Ifhiib32.exe	101
PID 2116 wrote to memory of 4856	2116	Ifhiib32.exe	101
PID 2116 wrote to memory of 4856	2116	Ifhiib32.exe	101
PID 4856 wrote to memory of 3904	4856	Iiffen32.exe	102
PID 4856 wrote to memory of 3904	4856	Iiffen32.exe	102
PID 4856 wrote to memory of 3904	4856	Iiffen32.exe	102
PID 3904 wrote to memory of 2596	3904	Ipqnahgf.exe	103
PID 3904 wrote to memory of 2596	3904	Ipqnahgf.exe	103
PID 3904 wrote to memory of 2596	3904	Ipqnahgf.exe	103
PID 2596 wrote to memory of 3832	2596	Ibojncfj.exe	104
PID 2596 wrote to memory of 3832	2596	Ibojncfj.exe	104
PID 2596 wrote to memory of 3832	2596	Ibojncfj.exe	104
PID 3832 wrote to memory of 4892	3832	Ifjfnb32.exe	105
PID 3832 wrote to memory of 4892	3832	Ifjfnb32.exe	105
PID 3832 wrote to memory of 4892	3832	Ifjfnb32.exe	105
PID 4892 wrote to memory of 3036	4892	Imdnklfp.exe	106
PID 4892 wrote to memory of 3036	4892	Imdnklfp.exe	106
PID 4892 wrote to memory of 3036	4892	Imdnklfp.exe	106
PID 3036 wrote to memory of 4896	3036	Ipckgh32.exe	108
PID 3036 wrote to memory of 4896	3036	Ipckgh32.exe	108
PID 3036 wrote to memory of 4896	3036	Ipckgh32.exe	108
PID 4896 wrote to memory of 5004	4896	Imgkql32.exe	109
PID 4896 wrote to memory of 5004	4896	Imgkql32.exe	109
PID 4896 wrote to memory of 5004	4896	Imgkql32.exe	109
PID 5004 wrote to memory of 1332	5004	Ipegmg32.exe	110
PID 5004 wrote to memory of 1332	5004	Ipegmg32.exe	110
PID 5004 wrote to memory of 1332	5004	Ipegmg32.exe	110
PID 1332 wrote to memory of 4364	1332	Ifopiajn.exe	111
PID 1332 wrote to memory of 4364	1332	Ifopiajn.exe	111
PID 1332 wrote to memory of 4364	1332	Ifopiajn.exe	111
PID 4364 wrote to memory of 1468	4364	Imihfl32.exe	112

C:\Users\Admin\AppData\Local\Temp\Trojan-Proxy.Win32.Qukart.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Proxy.Win32.Qukart.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\Hadkpm32.exe
  C:\Windows\system32\Hadkpm32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\Hfachc32.exe
    C:\Windows\system32\Hfachc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\Hippdo32.exe
      C:\Windows\system32\Hippdo32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        25⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        28⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2552
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        34⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        56⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        67⤵
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        69⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        70⤵
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        72⤵
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3668
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3636
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4496
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        79⤵
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        80⤵
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        81⤵
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1696
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        84⤵
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        85⤵
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        86⤵
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        88⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        89⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        90⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        92⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        93⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        94⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        100⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        103⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        104⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        111⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        112⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5436

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
1⤵
PID:5524
- C:\Windows\SysWOW64\Ncihikcg.exe
  C:\Windows\system32\Ncihikcg.exe
  2⤵
  PID:5576
- - C:\Windows\SysWOW64\Nkqpjidj.exe
    C:\Windows\system32\Nkqpjidj.exe
    3⤵
    PID:5624
  - - C:\Windows\SysWOW64\Nnolfdcn.exe
      C:\Windows\system32\Nnolfdcn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:5716
    - - C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        5⤵
        Modifies registry class
        
        PID:5792
      - C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        7⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 404
        8⤵
        Program crash
        
        PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5888 -ip 5888
1⤵
PID:6060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
136KB

MD5
2cc9aa885e5948c1b2f49f4759800837

SHA1
b3223b7a6ad169f31a97103b6d9431b0316f0dc1

SHA256
2c18a6c7b0b80c5c8d1b37b11a3fc2aafc13a5ebb23071922ad868794c65ad08

SHA512
2461b70a5b25296e9567e3cdecff8e02b2cea9aad04444f8fc2df966a6d2733e84f12f17a5973f7fcbd2e4df9c6bd500b2a66ec762467b36703c56b32f36193d

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
136KB

MD5
c7d64aa721b0a86102a40fe5a67ceca8

SHA1
0b1da85a76a91203bd57b31a171fcd2cd70573aa

SHA256
ce4b2988841435b403bbc75f423fbe96e4998de2c9a13ad9fa6ab56521383a28

SHA512
cb66e4f1946417d0811f6cec04d6e80c12e82d40bf1227c65c1c2c518dc46cd8fad660badf867073e8bec9bb9d01f971826df0ad31a37a122b602225904b5166

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
136KB

MD5
1a4a3c02d34e08cadfe7f70694249504

SHA1
394952123311d4830764ab8615f8533f02dbd884

SHA256
c102735a9aa1f5a1a5a8a84a912253d1cbb5b048060a567e35d61a9468868d0a

SHA512
a6b81fdc2b8a21d697be302ac8a5b782c79bfd2910bca8a0b13c1a0273fb847c015e123ac7d68200bfebc2ec2f95a3c9ccbee5ea6dab7bb2c87f3f8844f6b59e

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
136KB

MD5
705e536a4785ffa0bc4d19f160affe6f

SHA1
19d98d001e244027050e0794b57f15110f9b098c

SHA256
232ad549b144c939e45a5e8d2823d5e5385ffb107118549e7fc1eda936a55d19

SHA512
22d9e0fd5745a6d0dde347f867b3cc2e8bfad52e1b6ff8775eeb1d104fec34ad0aeabf1043aaf26b2aea1ee0558adf69d7e306ad375ae7fd4f760f3647ea4184

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
136KB

MD5
5db49d198a3a9579023793a56fd376a3

SHA1
50361e91a3d6d24f85a27dd734267fff4683ddfa

SHA256
2cc4230f8c4484a055a19aa970a49c04d54b40b76beda6d2ebec618929b52237

SHA512
3e066e212376986bcf3b3c185ef77bc3233079222c2cfe6b78e85c429bad397493a463f0c2e6201232dafb430f8aecb8e023d3185e03358064754463ca8356f1

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
136KB

MD5
75aeacdf96fc8f67435d99dc9ea9666a

SHA1
8550a5d6c2640ba7ea86fb0da8094db3c72e03ba

SHA256
49db54dff798c34304927707eb9acb33fbf53c8561fad39a90e623be688306cc

SHA512
e195c3c4e561026a7e4600c6eeebc93d781f198ca445ef5e8c25b9a169a2014cadd9147085a49927694393d5a167bf0e94a68a8310c76235cada2bbb695a8728

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
136KB

MD5
2aeeb7337c1796df6e03d262e7112213

SHA1
0ff23b7c9cb713480c0b304bc80762005e941089

SHA256
432e9b60a15c3c74811733c647772305cce334798b04ad0e4879ecaac00c04d3

SHA512
528aa5bc8edf5e5b724802eaa1884594df0b97215fab96185775f0369c9d7fdfb357aabe4140e1d54bf81ad6bb56b00e05032cd52e048ee31db076577efa5a06

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
136KB

MD5
56b1d4bab2de221f38d5ca07e887a7f3

SHA1
c195b20f680a7b1690a3411db0de1b9f44950b3c

SHA256
4ad7ff91124a4988f5bb2daa90ea80967e3d95d1771835858fae8a6fe7162ed0

SHA512
93fdd5206e78a799b63fc13cf369deb8bceade4cd81a463d896bf654da613a87a9a6bc5f03a3400c7b7b604afc4605400bbd92f4d450ac2f5402f01830d6c388

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
136KB

MD5
5c74509faa9cf4845d708df6f1cc65f5

SHA1
93083d6c97a19b543ba400b701acf45c58a374d2

SHA256
8066e003c6f6fb18eaa44c02807ab7b9c3381fe66d9d7fcf00bcf234665c55b1

SHA512
f0b39ad6277a2c375d98cc7118e8ce0e5a85ffc1486676762045da43d718e7387a59ec2e5e30adf567f41c8dc4cabbd98afc855fad2406223e7d3efb54360fd5

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
136KB

MD5
ee601ff7610192bd234d15fae351d71c

SHA1
726e4cb90c25b5c012ad8e48964e345c5d122a56

SHA256
a1edb05a1d0f10d1a3ed1b685202f27e4b57631584e4cd629608494f87fef97d

SHA512
200e6f1f20eaa201228dc99373ccd540268f35aab13c9fcf564f5a5f9c4a10c15bd41fc11af58b9b8319668ec2e832d59ac472e9da73f2c09b28b1a4cc442c7b

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
136KB

MD5
acc035322edb441e690001c7365d59f9

SHA1
7f43baeeab6f3b1e24bae245ad0ecff8924bc4e8

SHA256
098b4c727cbcd9b1076e83cce6ffd0232ba1c1683772b4ef1d43970c66c886d0

SHA512
9e60b68bc1f7be778c76cdbfcca5b2e94916fa665387b3aa62a6a0f7aff839997b662824a29315ab1da03a48abd029ec2cd597037d16f211fdc18355098ab58b

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
136KB

MD5
34d77a11f2277ea5c956bda022ec7e12

SHA1
4a8e0fd65520bf5132fc563fb4f394b5195e994a

SHA256
6df0c8af2c0409a886b2220a61f0b2738bfee673c88df0294ba1ee7e15324049

SHA512
cbcd87933a22fbdc7728e2e70bba6796a017a4be8dad7a699ddb27b866f648b6b8bd17924b800e22c233daddf20e9fd07e2ba9fb29734b926b9de2f1f50716cd

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
136KB

MD5
4237f1b71cd4c452800ba04909d6c638

SHA1
75cc8e661fda202b2f85e019f1f5a3f527ac89dd

SHA256
ec067b52dfe3111d94a7991cd4eb074640e8e45c55fa26d0a60f9ae27423b69e

SHA512
2831aaaa191f3165c03c049dba9c322e6e6feda6d9080954765240fb83602c2fc6084e8aca353c8d1bc512cf7494e984904daa4175574a8855ce73c68f4a54c6

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
136KB

MD5
04e6f760f9a9a9e9dbda246388bb937d

SHA1
b69c11ca5d393314df15a4034fb093b4833ca822

SHA256
85be8afb684f665b9c09e0111ddf19172486d3e12a6e99356496bb741c801526

SHA512
d30df3aabd4cb408d0013099e58ea54150cdd8755e300342666180712dc80ed88f8cbb89ee5a876b844bc182c6bee584a4b82bb2196be3ee7293eca9ba21cd83

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
136KB

MD5
e15db2f992575a8c96013abb416897ec

SHA1
27c0516b6c36b5fee5156eb0ac4b550424246915

SHA256
f1865ccbce144f8f6ffe25e983e4ad614adfca314c338c835f7564646f4cce60

SHA512
4ff3ae9eb3284e0adc1ba97bc746fd9f9f3b94814007141ef71d639bd0bd7dc2b85144ebafb31532d1ee9bff008f8ede893d3ea9ea7e016f326b334eb5d38bb9

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
136KB

MD5
02a4314d691417487a25fb5adb1a1c84

SHA1
1214f61e31bd32bace485bb328f20aa1a25617ee

SHA256
8bc5790f392a698c154243eac35934f1c11a43bacaba2ebf27f7841f5fcee321

SHA512
e199e1f0b9c8c4744667a215ffea2513b12f149d50407587e9563e74f328000652549bbb7d5d349715e5dd25da2f639a9aa21750a3d974ca04d902d2bc44f03c

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
136KB

MD5
ff550df84c9ed2884994301ea0e64236

SHA1
4126f2c4f1cb701e144e0afbb7bf0204b49d0343

SHA256
8146261e3b820b0951163eea3f976e239dc8d2141465c2a09b33926a56873a9e

SHA512
62fe5ae3bca6d1e6f291911ef7ae0dc6bcda32426cb1195f65e03d7b315f2fa942bc72435139d09d0375a868f5e45b72472e7fc3d4c6ac05348aaab1277a9abf

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
136KB

MD5
d94c70f040934d7b700b4f598f3e1e5c

SHA1
f342096e88060c87853ede2aa57317c765bb7786

SHA256
be1d381c660580af5479ecc3fff8d9d8939d5713bd83add4d7cc6cf2686ddcb1

SHA512
81341fc5ae8ad306bacaa4926b07fa617b17bc0ee566f29d22a63e265f1f6169408fc6b7b88357eb3efe6dbadf78724d782ebc4cbd39987653b3ea3b9ae32f92

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
136KB

MD5
9a99814dc21e09903b9897f240aad55a

SHA1
9585daef418ec6b99b368d2f8ea019b8060dfb11

SHA256
6264f5d0771e68c4d9f808971bb2f5dc43914bd524b994eca4ad97239959a5ce

SHA512
207fbe3882964fcb1f38c717c914ac7583a12ef8e6362bd74333da4f2b08b846339a1e8b94a0db5156babe12ba971c99f821bd35ceca04bf1280f7a7018a7cfc

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
136KB

MD5
5e8bcadadae95b550753715b8824eecc

SHA1
706216e92a9d4273990f4f00265b44074ffc8916

SHA256
8d92b9b84a3f84a13329b216348b2ce245bdcdef1999273bfb2b178f0bc5555e

SHA512
deea45ef81bccce6afde7370843b07c10e312521db1795828a0e68b2b0b7bed39f103634fd79dab42fb7dbfedab90769373cab81af9a2d91b05bc4e85e3478f7

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
136KB

MD5
b05f7ef0fee15d45610e1e784b3e2974

SHA1
03435dbeeb7398c8b1f354190ad6c256bb6961da

SHA256
5af4f79863ce26209d101c2141dad7ada9c9648fef52aec6ca80ac3e7476850a

SHA512
690e0b74596ce8f4acdef2471e71a8620c9091696adeac7eb93121aaa99c23cbba85348a4f4029a0c3b337079275b3cd518d9bcdf82102aef8073445d9cc3194

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
136KB

MD5
70a26cf63c47de32a15a69a2a2be11e7

SHA1
d10774b98a195672b97be38f9a983e8bf3df8100

SHA256
ec669bfabe257ed011b8fa714101b0d9226cdef1e1ed47a548f46bad3085ca37

SHA512
0a2a3c2e4108ca4da3e692cccc37c52bac06eef8237fb33c7a5fcbf783c8df19b0e5d375c3a05f28420e2d1e7134413450aa21d307f70088644c85b1b44f72d2

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
136KB

MD5
29474cd8bbd9db435a7445e6a9911f0d

SHA1
4f5c25d8f5d9a98b1d2fae01e790556f0ffe4925

SHA256
c47f49a7951d665d4e6685daf3bb02a57de59f73d811925c01ce0481585f8014

SHA512
5f59e386e6a088545ac04d5ec07d12bc2aebb6f6300b75566fda593a849ad585fa25cd72d3f0678de31ef07d29b0516de41ba024cd4c6b8ec0412c4cad172774

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
136KB

MD5
983bb964f2a2b7ae7f1c89616e5ef92c

SHA1
9359f24799075c02548a2f67e1f252458c8b1929

SHA256
47a7ca70fbdb7d5a50806d112d0523bebd14bf6870f91626c04a3f830da1f51c

SHA512
242c8a05700e20d70d44378cb5f9060667fa2f9e4877c520c8016eb9787611eb95dcfe7fc97c768958bf7f61c0b6a1467dbfaa3a1ef567e56388b00d5443ad52

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
136KB

MD5
6414fa96b6454791325a179b0114db0b

SHA1
6fda0286117c533563da754b4b406c5fcb5b9bfd

SHA256
754cccbcd8bad63708bd8eed1fe569791ba8a0ca7f94943a8fd5379437c8250d

SHA512
632d9498dfc0d3ab030dbe45bbfd2f2e60b4e66b244620703ca02c8d5607d1f07add2d5914712b27d85f6661cad815db9518286648f2731bf02e59fd48d2e772

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
136KB

MD5
b1fb526031b058076368d81935d8fca3

SHA1
e94f4ad9a35c3973816e27564d3202a3b1cfae7e

SHA256
8e31731cac87f2ad9d7dc4c168dbe86bb6a927c92872e35a08debef41526c8d1

SHA512
6bd944558ea42aad368d31436ceb4cd4a815c38987cd9f9eae51e59229cdad8d60c7b56e5269e738782245167d69efd161bf247f6e9da283496ca8136f7b912f

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
136KB

MD5
06b2703a3676fc4419f77ff85b1097be

SHA1
70f0eafa733e4b167fc6ad3a8651ad41766eb867

SHA256
5ab9caa18f24975b49a44299fdf92497c9040434f7f60a8fb946554e4fee7dfb

SHA512
95a53e50b3ca3f0cd9c2359d433160add83eacf94c9c56b4a5edbd7a5b0411ad25dad9549f6eba124b6659088aebd0fd62f87e49f39ff473fcb8c3eb7c101d30

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
136KB

MD5
e2c3681df91ebdcb40d38222c9cf8b89

SHA1
0c61cdc4d3c68c4bf66556049226693f93b2a1f5

SHA256
5fca3dc06cdbdd69ad9359f092a1e4ed12bb020d58521e3286c2e671bc65ae15

SHA512
086e5be775dda754bc6363369203b02629af4ce4d41e6163aee6b3c2a35eeb338ad346d463205e99b979a6757a11fd75bb249aedcea014118fa54a942c6f2921

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
136KB

MD5
40beac8f4a805bcd2e32163d850c0e47

SHA1
2be01a853e84b680c74ef2a57576c90510c9e726

SHA256
53283fa308c9b6a37d48a51d230766fa2df790c67e562a1adef9fca4fd52d7aa

SHA512
7d96878e234468c025e45f7cd61c9902fdd96dc46386f54bdd0e797e107805fd019e123958a021b0e5603327f9fdb32ed9b0624ace50706d9dea38c29157b75c

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
136KB

MD5
929059379b0a3e8321695d364a3e6595

SHA1
7b291dbb7de8f48c9f15419ec7b89ba099c1f5f5

SHA256
e1d13563c151e773a5e00e767cb2d4619e8322df42d53734eb705144005d5213

SHA512
56616925e82a9a7fba65259f9ff54ec665f07347c1f7ff3826568bf5a49708d8ae6e57753499264982f707b62669a9a99bd34e2668c5d4bc0a16886e1232d88c

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
136KB

MD5
3246a0fe9aefd210c522cbeebb4206a8

SHA1
05fa62e12e69f1240877e7963336bab07248a73f

SHA256
a2c1fec394aac8b4f42fc9140f0ae15db6cdc823a893955f6fbfb3f482bb3a90

SHA512
398d6d8d9c14debb9543fdc1d1f8ebcc8304df65b207e387df08e5e0c50165852c88a794a8908a3538aad8f891d8367cad553ae2daade57f5d3605739fd3c050

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
136KB

MD5
b3adc16efdc8236574f0505d2afc5a72

SHA1
fd0497e4c0c29d83c476266308e66613339de917

SHA256
343fa005a1cc2432412fe6b368f3fb2190c9ec730355a92a2e6f6951c9eb7f1a

SHA512
669a720244ef77ac1e5e2a1523ca9298379418face06d1bf84688560350013d30804d0fd5853cc95fac860dd6684d24d1e6ef548b100fe477d10433f5060b358

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
128KB

MD5
3fa6820ecfb16b90a9e97fab9ec7e185

SHA1
e2f2317521fdb6b899fef57bf418b52d21b21502

SHA256
c369ba16bdef9d8b5805b638dbfc50de0c994e2e679702e993933aeb41cc425b

SHA512
aafce4f2635b2b616be57e9a47c71ee2544f08133d84826fc233e4f6cc2e3d7613d04f6604eb9ed2dd8fa3d883119e8abb59c783ffd7cd1d55def0858f5c578a

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
136KB

MD5
a490f3de2fcf7104ec1aa203b587ccb9

SHA1
00a1d120e91c413c53d17b6e0d028a65f3b4e7d7

SHA256
ed714f9a2a39d8d4718331afee8897fb8474b5869885bfb3aaef69c1e0a352a9

SHA512
3fe8340f62a36275f4ac6200db4d43ef3a0210f88e2bfaf5b86a24f77d178cb419023c558208e001ae2cfc45473d30c216b20fd6b86635d8ee61f88edec32131

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
128KB

MD5
a85ba3b274523764ae275a2bde72d588

SHA1
e4f7ac692ee008e2ce67aa7b2b514ed7a01ec03f

SHA256
43bd1257fcdad5ac2021082ced347ee7aeb9ea490f89470f21c316dc4a64d256

SHA512
9e5dfc12c8751bc18bf7b9e30523f1861d701fe5a5d33d46befefaa335b32c6f94be1c37a8874e8f401622c0d9e572ced580992f4a942645b8d9436a67cd75f7

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
64KB

MD5
4e164cc76e46f05e0728503538685dcc

SHA1
5d50d2e51e6360385431d0fbe4f3acc32aa61edd

SHA256
0981a1c9125af7cbbf6b4a043af0c921f825d0d38e152630028482808edd4e5a

SHA512
4d2ffa7baef9db1ace19d13ca8861103271b799daf1e170fad120242edd90cf0475e87149ade42f703b0e8085d852159e604db87457fcdef9bbeb972a976dde1

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
136KB

MD5
99e3dfc063d3c160106690467c03ff67

SHA1
291592e4fc2df0abe2889f26d798a2108aa6e093

SHA256
7b67c1b1053473d520a64d4c4e0ce94537a2d346b28a2bb94d78e242182e8bc3

SHA512
ccbf8a9883512441ad8b07a35435b53b819819031a2ab7dd927709bb2bc676aaba6c1b276025d9382aae69d51d5f5f200c3edee72d403a2eada4bb384dd2fa5c

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
136KB

MD5
56fed7c7efb9af623e8c02e3933e468e

SHA1
c368c944b1c48097d043cecfefc1bfcaa60950a7

SHA256
72b63f519913d9b603410017a08cdb2071dffef0fd7a153af24f99c2c05ca783

SHA512
d970c043ca83d4dc757739a78e39747244e3cdf6e84b160f7eb9d152dd57f6d00857c69e58280af80b6e294a201c1d659b061f93cc911c7535758080dfdf92d1

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
136KB

MD5
1bb3d096fd39740dc76829cc88fc732b

SHA1
04c8e53bf3d7100843cf5d6966c9707afae238c8

SHA256
b1add64c1a73dec2dfc778d389ca7198149935eac571a5f8a4c30c2712ddbe77

SHA512
44287dc78493184118355169150bb085671e4667ccbe19a43f30199288fca030ee3d9b7dddc1e3a930eeea5bf0be41a6135ea377c17d87aab9517d2e77cb0b52

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
136KB

MD5
9bfc44ed2142eba93cdc232f486aaa7b

SHA1
6463c87eba751c23f7ae35537020bd1506fdf991

SHA256
b60edd415361feaac7a06e961c11fd737c4bd3e30ba2e0fb690b2bdf94f42834

SHA512
165c2ccc88e60b8251732f331b2b874ec22705e41b25baf93668cb43a5018668979b8a6c9e8d7a7d2381818c885f7c99f29d359d6f48a4e328e18ed8eb50b6bf

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
136KB

MD5
e544e1c2a7fc8529f0897d6095d742f3

SHA1
583f1768de3f0282e0280d8ec3b70b799a5d1068

SHA256
7a5f82e2c47dc534e51742772cbf548014b8c1bc374fe1e08d2a480b33c857c7

SHA512
028880054ddea93a7b5b81e66e028d8dcadd9ce85a9c72b05988dcb04d5e3de0e37202509b79b786c6b7aae2003b46e2a82968bb516d6b9e7aa85a899c8cdbe8

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
136KB

MD5
d329a732b5b34907d25309ffb601fe44

SHA1
c2cb55868e524b9fc784d729d917151a1064d55e

SHA256
1d04f8c4de5f905fac85a98910b30801a473d62c7e424c88464d107ef4d349c1

SHA512
4ec3a8d632c1aee716a8dfa07bb7cb9ef2b4f87ad981b0c22f4771876f5be365675daabdf33f1811adf3f25c252bdc1084d2b608194796dda3865d11ad8108c0

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
136KB

MD5
63e40f9113b39373e65406d87e911c1b

SHA1
64b62a4cc11279264bdfc7562096fd8f096aa6f4

SHA256
2cf67a840b5108dc2e209089e70ce8d8c6a150f03a162fd0523d7e649dd997e0

SHA512
23afbbc1dc0f53e421f29ec846da5d9ae33e626ac67a7883cf49a32a36ef01d04cd3bb1c0aead30d94426f738b259af4d8dc76bc8190c6b8359e034279d9fb9d

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
136KB

MD5
8d2a7f7032ddaf4517eccb8f37dab779

SHA1
e680363849023dbf380496115d2bdb0c101f3edb

SHA256
44d2a0767e09e4c4edbe31a3b293669a57c18442ecd42db68ef399d1f491af56

SHA512
6de1a0102fff0c8ae175dc980e79927ada658339e87650c12dc19a809cbf803f7d17ddf902ddf1a238ceef6cd7dbfcf14e7ef2289841c6c0f0ec869deadf7664

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
136KB

MD5
e30806b835f9f1e0da5b10515390160d

SHA1
4020b61bb2c353a0014760699a61c3df2436d0d3

SHA256
87aca9cab7f305339b457b1867b1c12beb4618fc697d29d2e451ceec8f670d43

SHA512
05ee7f295988b8464aa46a3c565c34aeea7f37440dd7d1992fdb573caef2088c6b2c9ae3c4b8d5df807aee51d2b069fcf64fd1eda5e2f6214cd7d7a7ae58e1cf

Download Submit
memory/440-855-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-871-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-861-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-850-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-856-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-862-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-867-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-872-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-875-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-870-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-851-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-858-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-860-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-852-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-849-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-873-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-853-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-864-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-863-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-857-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-865-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-859-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-866-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5292-843-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5300-821-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5344-842-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5424-840-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5436-819-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5516-838-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5648-835-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5716-815-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6008-827-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6136-824-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads