f25727cb79ae6050e1726d4eb6946590f1ed7c53f6093d7b8f68528034fb4d64

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 01:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f25727cb79ae6050e1726d4eb6946590f1ed7c53f6093d7b8f68528034fb4d64.exe
Size

55KB
MD5

c104246c9bda5b0545fa823f4e979e39
SHA1

946790eea68b7a0df6ba9a4a733fd62cd8f91c3d
SHA256

f25727cb79ae6050e1726d4eb6946590f1ed7c53f6093d7b8f68528034fb4d64
SHA512

b7675f72320227c12c7c1f845bbf3a2f10066c2d8071bc370f546cedc138cfadcee8823857f992f3372057cc6b41cfc537598a16ff3a11bf674432cd356da339
SSDEEP

1536:8jVEOwFEWHaqqFL3ZHnCJaOuOHJPpitQvlE:8jVlwKWHaqqFL3paaOuOyWvlE

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmknaell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe

Executes dropped EXE 64 IoCs

pid	Process
1832	Jedeph32.exe
1556	Jmknaell.exe
1712	Jpijnqkp.exe
412	Jcefno32.exe
4696	Jefbfgig.exe
2376	Jlpkba32.exe
2796	Jcgbco32.exe
2916	Jfeopj32.exe
4348	Jidklf32.exe
1004	Jlbgha32.exe
2408	Jcioiood.exe
4124	Jfhlejnh.exe
1316	Jifhaenk.exe
4032	Jlednamo.exe
3776	Jpppnp32.exe
1096	Jcllonma.exe
2888	Kfjhkjle.exe
3620	Kiidgeki.exe
4936	Klgqcqkl.exe
1596	Kpbmco32.exe
1356	Kbaipkbi.exe
1892	Kfmepi32.exe
1592	Kikame32.exe
3800	Klimip32.exe
1332	Kfoafi32.exe
2080	Kimnbd32.exe
2860	Kmijbcpl.exe
4088	Kdcbom32.exe
3632	Kbfbkj32.exe
3280	Kipkhdeq.exe
2740	Klngdpdd.exe
2520	Kdeoemeg.exe
2708	Kfckahdj.exe
1500	Kibgmdcn.exe
1972	Lffhfh32.exe
4328	Liddbc32.exe
760	Llcpoo32.exe
1624	Lbmhlihl.exe
404	Lekehdgp.exe
3396	Lmbmibhb.exe
4420	Lpqiemge.exe
3404	Lboeaifi.exe
368	Lfkaag32.exe
3400	Liimncmf.exe
1964	Llgjjnlj.exe
2992	Ldoaklml.exe
1752	Likjcbkc.exe
4332	Lljfpnjg.exe
5040	Lbdolh32.exe
5068	Lebkhc32.exe
2364	Lllcen32.exe
2180	Mdckfk32.exe
1720	Mgagbf32.exe
2352	Mlopkm32.exe
4892	Mdehlk32.exe
1088	Mgddhf32.exe
2320	Mmnldp32.exe
4740	Mlampmdo.exe
844	Mdhdajea.exe
2296	Mgfqmfde.exe
4268	Miemjaci.exe
4732	Mmpijp32.exe
4316	Mgimcebb.exe
2184	Migjoaaf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Ljodkeij.dll	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Kfmepi32.exe	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Kdcbom32.exe	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Kmijbcpl.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Jcllonma.exe	Jpppnp32.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mmnldp32.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Jfeopj32.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Memcpg32.dll	Jidklf32.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7224	6200	WerFault.exe	293

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbedgde.dll"	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memcpg32.dll"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoqj32.dll"	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiopcppf.dll"	f25727cb79ae6050e1726d4eb6946590f1ed7c53f6093d7b8f68528034fb4d64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmcpemd.dll"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll"	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1832	2028	f25727cb79ae6050e1726d4eb6946590f1ed7c53f6093d7b8f68528034fb4d64.exe	89
PID 2028 wrote to memory of 1832	2028	f25727cb79ae6050e1726d4eb6946590f1ed7c53f6093d7b8f68528034fb4d64.exe	89
PID 2028 wrote to memory of 1832	2028	f25727cb79ae6050e1726d4eb6946590f1ed7c53f6093d7b8f68528034fb4d64.exe	89
PID 1832 wrote to memory of 1556	1832	Jedeph32.exe	90
PID 1832 wrote to memory of 1556	1832	Jedeph32.exe	90
PID 1832 wrote to memory of 1556	1832	Jedeph32.exe	90
PID 1556 wrote to memory of 1712	1556	Jmknaell.exe	91
PID 1556 wrote to memory of 1712	1556	Jmknaell.exe	91
PID 1556 wrote to memory of 1712	1556	Jmknaell.exe	91
PID 1712 wrote to memory of 412	1712	Jpijnqkp.exe	92
PID 1712 wrote to memory of 412	1712	Jpijnqkp.exe	92
PID 1712 wrote to memory of 412	1712	Jpijnqkp.exe	92
PID 412 wrote to memory of 4696	412	Jcefno32.exe	93
PID 412 wrote to memory of 4696	412	Jcefno32.exe	93
PID 412 wrote to memory of 4696	412	Jcefno32.exe	93
PID 4696 wrote to memory of 2376	4696	Jefbfgig.exe	94
PID 4696 wrote to memory of 2376	4696	Jefbfgig.exe	94
PID 4696 wrote to memory of 2376	4696	Jefbfgig.exe	94
PID 2376 wrote to memory of 2796	2376	Jlpkba32.exe	95
PID 2376 wrote to memory of 2796	2376	Jlpkba32.exe	95
PID 2376 wrote to memory of 2796	2376	Jlpkba32.exe	95
PID 2796 wrote to memory of 2916	2796	Jcgbco32.exe	96
PID 2796 wrote to memory of 2916	2796	Jcgbco32.exe	96
PID 2796 wrote to memory of 2916	2796	Jcgbco32.exe	96
PID 2916 wrote to memory of 4348	2916	Jfeopj32.exe	97
PID 2916 wrote to memory of 4348	2916	Jfeopj32.exe	97
PID 2916 wrote to memory of 4348	2916	Jfeopj32.exe	97
PID 4348 wrote to memory of 1004	4348	Jidklf32.exe	98
PID 4348 wrote to memory of 1004	4348	Jidklf32.exe	98
PID 4348 wrote to memory of 1004	4348	Jidklf32.exe	98
PID 1004 wrote to memory of 2408	1004	Jlbgha32.exe	99
PID 1004 wrote to memory of 2408	1004	Jlbgha32.exe	99
PID 1004 wrote to memory of 2408	1004	Jlbgha32.exe	99
PID 2408 wrote to memory of 4124	2408	Jcioiood.exe	100
PID 2408 wrote to memory of 4124	2408	Jcioiood.exe	100
PID 2408 wrote to memory of 4124	2408	Jcioiood.exe	100
PID 4124 wrote to memory of 1316	4124	Jfhlejnh.exe	101
PID 4124 wrote to memory of 1316	4124	Jfhlejnh.exe	101
PID 4124 wrote to memory of 1316	4124	Jfhlejnh.exe	101
PID 1316 wrote to memory of 4032	1316	Jifhaenk.exe	102
PID 1316 wrote to memory of 4032	1316	Jifhaenk.exe	102
PID 1316 wrote to memory of 4032	1316	Jifhaenk.exe	102
PID 4032 wrote to memory of 3776	4032	Jlednamo.exe	103
PID 4032 wrote to memory of 3776	4032	Jlednamo.exe	103
PID 4032 wrote to memory of 3776	4032	Jlednamo.exe	103
PID 3776 wrote to memory of 1096	3776	Jpppnp32.exe	104
PID 3776 wrote to memory of 1096	3776	Jpppnp32.exe	104
PID 3776 wrote to memory of 1096	3776	Jpppnp32.exe	104
PID 1096 wrote to memory of 2888	1096	Jcllonma.exe	105
PID 1096 wrote to memory of 2888	1096	Jcllonma.exe	105
PID 1096 wrote to memory of 2888	1096	Jcllonma.exe	105
PID 2888 wrote to memory of 3620	2888	Kfjhkjle.exe	106
PID 2888 wrote to memory of 3620	2888	Kfjhkjle.exe	106
PID 2888 wrote to memory of 3620	2888	Kfjhkjle.exe	106
PID 3620 wrote to memory of 4936	3620	Kiidgeki.exe	107
PID 3620 wrote to memory of 4936	3620	Kiidgeki.exe	107
PID 3620 wrote to memory of 4936	3620	Kiidgeki.exe	107
PID 4936 wrote to memory of 1596	4936	Klgqcqkl.exe	108
PID 4936 wrote to memory of 1596	4936	Klgqcqkl.exe	108
PID 4936 wrote to memory of 1596	4936	Klgqcqkl.exe	108
PID 1596 wrote to memory of 1356	1596	Kpbmco32.exe	109
PID 1596 wrote to memory of 1356	1596	Kpbmco32.exe	109
PID 1596 wrote to memory of 1356	1596	Kpbmco32.exe	109
PID 1356 wrote to memory of 1892	1356	Kbaipkbi.exe	110

C:\Users\Admin\AppData\Local\Temp\f25727cb79ae6050e1726d4eb6946590f1ed7c53f6093d7b8f68528034fb4d64.exe
"C:\Users\Admin\AppData\Local\Temp\f25727cb79ae6050e1726d4eb6946590f1ed7c53f6093d7b8f68528034fb4d64.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\Jedeph32.exe
  C:\Windows\system32\Jedeph32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\Jmknaell.exe
    C:\Windows\system32\Jmknaell.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\SysWOW64\Jpijnqkp.exe
      C:\Windows\system32\Jpijnqkp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:412
      - C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        24⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        26⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        29⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        30⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        31⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        32⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        33⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        35⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        36⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        39⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        41⤵
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        42⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        46⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        48⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        49⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        54⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        56⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        64⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        66⤵
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        67⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        68⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        69⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        70⤵
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        71⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        72⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        73⤵
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        74⤵
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3224
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        76⤵
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        77⤵
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        78⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        79⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        80⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        82⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        83⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        85⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        86⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        89⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        91⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        92⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        93⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        95⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        96⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        98⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        100⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        101⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        103⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        104⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        106⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        107⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        108⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        109⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        112⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        113⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        114⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        115⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        116⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        117⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        118⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        121⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        122⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        125⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        126⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        127⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        129⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        130⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        132⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        135⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        138⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        139⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        140⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        141⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        142⤵
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        143⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6356
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        149⤵
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        151⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6612
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        153⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        155⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        156⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        158⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        159⤵
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        161⤵
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        162⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        163⤵
        Drops file in System32 directory
        
        PID:7076
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        164⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        166⤵
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        167⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        168⤵
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        173⤵
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        174⤵
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        175⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        178⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        179⤵
        Drops file in System32 directory
        
        PID:7104
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        180⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6256
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6596
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        185⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        186⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        187⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        189⤵
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        190⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        192⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        193⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        195⤵
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        196⤵
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6664
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        198⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        199⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        200⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        201⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        202⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        203⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 396
        204⤵
        Program crash
        
        PID:7224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6200 -ip 6200
1⤵
PID:7196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
55KB

MD5
aff2f459e2d1f6675b25e5682d0e39cb

SHA1
15b7bf1f8baa1aef25894020f660d19bbe8cab59

SHA256
156d178fcc9a51f9fa7be1e97aaac909e8294c12ed458fa930bff52e5939c947

SHA512
9035c195a6b064c5db97c540b03f64913fc68f4a921c8461203b9467e3e08a85c947af75a82275c0a694935b989da1273f8be0cd5f483bf116706520bcc225ee

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
55KB

MD5
be475be65556c32d163964eecbc19f1e

SHA1
a311a61f0c2ae4a8f9f48c2c7e8942df8b78f168

SHA256
224a402334230a13bbcb86c954f9b5a9199190eb90d1ab77d7a000b371843449

SHA512
2f49cb892eb83fa6c7de0cc0772175598036c53541298e15954e267bc31911865b0753599ca8f90d181b66a470e196d40a16dccc89394be6d36f71c40d4714e8

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
55KB

MD5
17796705c7026a1abcb52490b99b89eb

SHA1
56479f035099607520c6554a5bdefc8ffd637c18

SHA256
a320cd00e8c483b49b4eec12f0fd37fca73dbd139a0c35f3466235e1e93029b2

SHA512
24b35bb2f33793531499db046336c105d8d5411a43e23340dff03faab0f1378fe266168dad63e53d720489118787789e7d6020301cbadf2b0663650423472e59

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
55KB

MD5
1df9e23037d556f626a1761b8a08e22b

SHA1
fa4e7e9f71532e621e612f3dfacbbe7d6ed41786

SHA256
dfe7b76aca19e0ad202723eca01885b7148981b82eeaa0008ee45a3c07c4c556

SHA512
f13bd52748ac7bffea16121f488ce6c59b8859971e7dc6ff446c8bc5802f01864abedc020ea7563ab1f06c650fabdde08c5836c8faec7b7589ae2b3936f7efe2

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
55KB

MD5
fbf485451040079058beb65498042ec8

SHA1
8c2f4bc45c80997b21e9ba8ef8ad81154b4a6b51

SHA256
0a5c6d4c2a65b7db3e764f986c835119dc06757df327631f8f3ecb3da73211cd

SHA512
fe658b114fca982ccb56d2053251007c63417202a547b9c99eb42e1168dee7a4ba8ee2f41336e0dd847c912e747c1c24d798c58a0940df5ee3aeed3e237f0dfd

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
55KB

MD5
566f93a730ec39fd9efebb5c5b581f33

SHA1
93d8e80085b49ee81643f3b6e76c54192c951cff

SHA256
b7bc7b49229097e460a653c0a962f926bb5251777692e798bd88f6eb211aa9e7

SHA512
21268b05ece3e3b57ba2b17e28e48845636b9ea2c58dea268750aac4e131020650217002a40cb3710678857165416e1794ee75df1ed7a8b07c460d0fa574bb99

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
55KB

MD5
d2caa9c4235c3acda952e423e6cbf080

SHA1
fe52d462feb755298a75c6b8bf28b0621bd3742b

SHA256
2e13af224e78d989d2efbf14b9b2105dd95a33ec2f20ee509c25b9d450672528

SHA512
5d96b5baafa01b09aa84b26fa1cbf822248ba8a38f4e3d2ac5b5324a0d3d67454380090677e10fac69a24f91ce84b7784f4ad101270f47250008e813d9544798

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
55KB

MD5
6f85ddc52fba595e5e9f9d839bb3ae86

SHA1
2002db717b9a949d4795cfe9394c54ca4a0bd7b7

SHA256
5bf4478eea57a8ed3eeb1efb4ec13896824c5865114b173357f262794affef35

SHA512
2bee83bbc6a6d14bc39f1f65c7dd51d8f77f75b25ba7edd0411f8142f5a3e7cf4bae8f21d2a405b28b1cc048076a5731ea7359e2b1ca243a36556f50f21a04e9

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
55KB

MD5
c8b3d2ea64e73aea411bac61ffb55492

SHA1
a78391a4f3c7fd8688fbae20f4ffbb5b8079cc9f

SHA256
b230fd7fe0e169050afea4664a8c4bf1fa0e418280bec7e929dd32849c70de47

SHA512
2af9151a09243ddd3354b02de96a2302a2b351be7d7ce7dba8718725d0357bf956f1693c87329aff423bc7ccdc865c93702c65d3821ce4d1079d3ad742dda974

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
55KB

MD5
78ca9e520e09f1d0088de2d7dfc78873

SHA1
a0e9000ff71bd37ac095f9601380cc68fe227f0c

SHA256
e4dff2192ec5a14688213ed0f9ed521ad7b18d155dd21295c4162bfeb573553a

SHA512
e3d466e1099fad7151bbb62e52cd9a598f860956246534762e144fa3f72a2fe8f4bd39eec261593d9d9fea52209ce4c14dca9498abf04390888cb972107144f1

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
55KB

MD5
a525feffefc0cdf210539482c8220031

SHA1
0dc805b459e5d025a14f19f36bce149911ccd9f8

SHA256
51391efba2539b0073c00d2be06227239171318f5340c000939a56e8d062355c

SHA512
e18530d8b40d9b8481d9c57c9e647c420e9003bb0fd9dee0481e4a67d6811eeb422fa747983fffbef07bf37daf9faf7e37b3759eea726bacbc15eef4c1d6c046

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
55KB

MD5
d30c8eb3de2e8b725f2e12a457bbb672

SHA1
7bec954ab1860bc06ee2cfdbeb6591866839eb19

SHA256
c7a53c10d6eb68235dbe2527984f6e5d0e050e25ed5d26796cec8f7e3ebdc0f4

SHA512
bea280f2548e883c291ba2da5a39a3805762e92cfefe2cc0207c56989bf3a9d865595845c7ceb4ec3bbc82233f66e9569a791241b9d03024e71abb81ab36fc35

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
55KB

MD5
9081bb22b273b88468c96fa2a1945fe5

SHA1
8f1b0d36f59aaee3a7d24ddfedd1aac57b4a6662

SHA256
54be9ad45225d97a98e39f7f462af1185c785391bcc7cfffee16f5d570793b89

SHA512
6aa5b5b62c26e788b868b6bb6ae416c6fd7881675dd7a1f6d124623d861d5f35b493c43f77d9fe07dc3c0da2d45c2376b967a8a4a39c47e9ff59e7f5853e34bc

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
55KB

MD5
6a62ac9ee13d39c94db14ab04d68aced

SHA1
aa2e13620fd784c2616cc72b181ee0f262b65856

SHA256
6b292ef5fc6f67a85d99613fd5e9b8fcf1067fd39e9a21bb75825534ebd6e046

SHA512
d03d1c9118773295212b1db3fe67a00d6f50d4a0db62e95fec7864c6cdb62f984ed812b81d2655ecf6270cb90491165a81ebaa8ec8ce6b43db833818ba3bf131

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
55KB

MD5
7c64b47ea0f3e6960f6ad461736c7af3

SHA1
252e7738c3004d2bff5c64a39d46033c46d4321c

SHA256
e7d549134eb87e3dcefea5e3b6b706c49c86a7a7b06352a25ec0b0823878d1aa

SHA512
aafecaef003a428695f1211ec07a8e4f120adac7dc068f130ea50ee3b00035e52a55a01e14f303ebfd4d6519b71b2cc06be1aa088622e5c004b70c66e57d3faf

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
55KB

MD5
76c4c568710c435b12ab408ba4a53b02

SHA1
73ad6ba1a3e009cb22481f40a6de0c9846866bea

SHA256
af27db052bb54834643ea3f140942031a4901b4570f9296bfd8169703a410268

SHA512
ae3d0515f87f93062674db221f76bc54567bd9c769beb132c7910570d82d94bc3385e1512b8beee16dbe0c3bea923fc92a4e661bc0ab7538aee4957789ac0a5f

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
55KB

MD5
31bee9dffa76773a5df9b7f39ecb5d43

SHA1
f5b3f51fec911fcd5299f0636f0818516c0ea559

SHA256
c5206b05b840b2f89b14175c96639a615838d34f2cc6fffae2a0aeaad766f4fc

SHA512
1fefc3585c60ab9474052381e3e71a39fd85e4ba3150d0dbb53577834b56f00ef4ffe4d9d7561fcb8455ee306a2b7ce09cdf1d2fb9a1eaba5e59ddc822168ac1

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
55KB

MD5
786cd2770c72a7199c22923ea491329b

SHA1
88829ebda5f0091362b29ff07f3fb1ff86b31103

SHA256
a9bbfcb7307e2d3035840acf62d055165de1f6be0b97d541e31b0a83e29ee364

SHA512
07919cd6b3c036e7c5c2155b8c88c6a851c5474d93d3a2789f1fa4d9b8a8ce83a0622fd9adc9372e9e7aa17b0f8e2de3a927321deccf8e6e1dd6a5820059b3be

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
55KB

MD5
cb8fcbae85028f0bd73acaa01db59801

SHA1
7b5c4b5cdf4cefd8701cc7ac1522a791de530565

SHA256
4b7095810d12892e38225f70281b8c62f3a73e8cc0e145c995d3afbe4fdbde7b

SHA512
eef141b9eea0be16c2085011d4e4944c0dc0f8ca5223158acf1d6d634ce62750af614256a757a2ed564f36462b119ecda72bcd3e5194b3706e28fec199a38d1c

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
55KB

MD5
1df28d8c47886f6133f5f525e568dae6

SHA1
572bf258f8cc383fb9aec993b71898776db0b85e

SHA256
967995a412f0c1eaa8d3733a279c6979871c77e80a5003676426c355dbfbf135

SHA512
68fd16e6e6839a084c09bfa7a071f67ed2fcf6d370fa529e0acb384636bf4581471e046c95087d0cae7b89db147d1435d5ddd7711d17c1a705dc4dd4de8fc309

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
55KB

MD5
fb675f59f2de6a4745681229d9ce9001

SHA1
bb541d1f1784ba302f87dce66d3ee445dab1a5ee

SHA256
2d1320614ad422cce288863af9aafdaeef8c5ddbcd1a364227531b53d9c804c8

SHA512
074fc754359bdff86df9dec5c191b4b7a390fa9deb4d5b6892b8dba86bea6fc902c74f78ef15e841bb7dce724e392c53050b55ca24a2f242b2f1fa6f45542e2b

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
55KB

MD5
9923c3e5da8fad2b5b70c226447b3d9a

SHA1
bdfdf1b5930d2d5c87b78255ee22461ac87063a1

SHA256
610eada1accbc0b4280552edb76502c64b5c275d8b4956a6b9b4c7ecce02335b

SHA512
051f7dbd3ae5f4242c8198c5f5f7877b65d6b4cbb726dda3c4529f78bc0f58dfc2f65fd5f733554568453bfe766472d61700f9d7a1b99925ca8f4b5900553664

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
55KB

MD5
e40bfbe4b5bc494fff5ec80c915471c9

SHA1
0ad814859f49f97269feea51b092073835b32298

SHA256
1a13e6fc99dbdcc6ab840559bba652bbea099440c49f65d5d7d357002baf28a2

SHA512
67805c4d639a2cc709f88e81c1e31c43599f2d40721b88b4c581ca835016358037cf584e959aa33f5b3c2aa737e5ed6544fa4b2664e1f5f5468a2c6866c9dd28

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
55KB

MD5
56235ed01364d5bf7ea7e3b11a87b0b6

SHA1
13b62b4e54ccd4513d36e27d3f90e862c8c70eda

SHA256
85ab331e996c36f97141fe9c1416a43a7eeedaf0d37508953d19ac68106fcf06

SHA512
62ac95a89dc7a88e02358fbfc2686158ef658516e935d4877b92ade843e97c44e7ae420cac197379c4dc80f534ec64650d45a5e545053bf099cc0d0674c692c2

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
55KB

MD5
09c35f4d729f90485d44ad4dbb5b04f9

SHA1
ea817e25ee6d0f7c3feeabd5e2f10d083ccdb619

SHA256
bdeb0c8f5468d891d198e669c71e54d780106c14b988dbfe6c82fa24429df3f4

SHA512
c82563c120bc5aac0842d7473533dac76c1654a8315b96e3d82d944af0ce86cd3461a650aa7980dda59c4021a2e86d8cf5d8d9d8b1249e1d04b53ccf4223b87b

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
55KB

MD5
7a4c1e052d97d34a6270097d2490099c

SHA1
968a1f0abf03b7a0f7a32d3c1a16731767e746b9

SHA256
1905c619746601bcfb8f70f6a27c35f1f7d8f2e9e8f30a067f3cab537ecb8b92

SHA512
ab8f441c60543fb5d0a74165e6c52e6b192a3f962259e6a6a3618eb3af58342fd30c99c48a602bc25b85d5f56042a76d093811f541a1e478e181ee8c1271c323

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
55KB

MD5
604d80164f8c91202ae5b721627f6896

SHA1
0b56d9f933e16d104f9536f99d5c93e384c5674d

SHA256
5015f1b056e3396f6f5f3ff414bdfc49f505da36d3e0bac4efbd526fc5ce434e

SHA512
4f3e2aefe09f5adf19162e531a5cd879b1e76b40fc25f77e3ff6f0416065533e07a7dae461857a5cc2688d5b487a9a1caaa84c3546c4e86fc0ff7ea006bb7b26

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
55KB

MD5
b36487f588b56d2808054d815326fbc8

SHA1
d0f631550f440a67c6da328c98e6ca7c1fb6d1a5

SHA256
c5382dfafdb3aa325d32edcbd39d6fcd6992c83c84ff27ad27ea2a90c256283d

SHA512
57b8ca1e9618efe2cf55cb1598fc1e8019f87e4978fd33b46ffe62f18c7afbb32caccd8674f46642591a39594da9952a648b436d2b151d2bca352a1949d28eaf

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
55KB

MD5
78d84b53895ad0ec84681230c2291249

SHA1
6a86fbd4f72e5f2cce1fd4d0cec49c396797c647

SHA256
c5e075197593660bb0ee4187353b618e852ac22091d315a7c4773835d3c786d1

SHA512
34b7523a931017b462759fc3c8241b0814b64f8494e0702a2750c407046304d6aa371c596722c20565c4e9c64d8775490b3face92bfd7ca61d8e986f419a5df7

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
55KB

MD5
c296bcae46c59bab9f1e322c68f47798

SHA1
e2a8ab4b48aaf071c83922c6bfebf9ceb7a77845

SHA256
cae210911af8676bbc91bc9fcecd9ee955403b6021cba22e22463c27947f4015

SHA512
64f79beaa8c8b5d8607cd5ee7d25d5c5725c16d846f91714e433116677cdf7516fce1c9803f708dc3e5f99b9040536c9a5cc38a0970c2f914edc907351310c84

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
55KB

MD5
e574a833726c5625e5fc90663a5156ab

SHA1
5f71114ac4fed8a68da1a8ccb6bc6d2165d8d2d7

SHA256
8029be3040feba91aee4f874a520055cf6c7a70c2dd437a1dea5accff7d65d5e

SHA512
1312a3ef9589c3be73b7f443ab681295355350456b0d60b18a5f83c49f43250233493274e3e220bff58c5ae488034029b7b445b8567c2f227fc66b955b3d1c91

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
55KB

MD5
0d5d21d407eef3c0b4321eb14a1a2134

SHA1
9d270b3a98a296301aa427f8e34b0b51f1d4e493

SHA256
e8b75bd3f407a63e032b193eec9072a7f9f9fc2b18ff7e8079ee5aef90c70332

SHA512
e93ec7ca09cf41c3bf0bc4c9d147a4933420a80c45f214065726dcb83546ba4baef50fdaf37b841ce20bb5422b7f0f5f1d0f46fe3341efac2b8dd64f84fd8985

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
55KB

MD5
f81096cd0e8a1016d7f5dcb7e068691d

SHA1
60cebbc6078e7563f1fa970ed06c0df5030d9a0b

SHA256
2ae2bf364517af7415514bb1abb22f54afda50044e7f0912929cf300b01dc8f3

SHA512
08b8d70bb5b3ce87a2d1cac8f0edd43c679f8eececa0b1063b27e87b994315c687edd869f7b632da5273d3c8bcd5130eba7ba0bd2aea97bde3d51ebce4912391

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
55KB

MD5
89e196b9f2fdc5c958fcdf126e21594b

SHA1
0ba9bc4fad2a46e580973008b31f213d24abda4d

SHA256
8169550b8961460789ab054dc083602bbe42a0755f407b288dd19d588d72e1d9

SHA512
b8b26f5c6d1dbc27a5a947d5994e8f02f65f481823e8b951fbc5cea94e93a7bd374a00cc7a4e4c30a486e5e984968eea31c011ed6140d5ce373d9e89cf8b66a5

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
55KB

MD5
6fdc328006c815eedbfe42b7e2d4aa47

SHA1
e0ab558844285fc28a59647c99343019486e4f33

SHA256
206774fdd7e1ddaee80bbee9772387793b5cf992e4b24bb014a9678095ff28b2

SHA512
16fc15b75fb46fc55ca9bef95933a36ccda6ab3e4a7a4052222d5cd94d58f6af0b9e736d3b9256a465735e0a439e8b00a46d38fe566b2529b8a4b305a06546a2

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
55KB

MD5
16a56a1ec067cf3c27eaca83063ea760

SHA1
3aad10415e5b92558638f08591ff00db7877248d

SHA256
06e8098863d55835ba73c4106473619deef1522c906607b1a426fd66be414f5b

SHA512
2c70413b252362a8f499dc00984c23702033a3ca1bf02c8b12007a34279c90b3060a2bf91faab116c650ff724461b47240608e5262216b9470a15c5b21de4d6f

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
55KB

MD5
cbdd76dd6131d120c705afbc9af24a66

SHA1
481179db2857aead567bbed5b7a70d9e38eec5c5

SHA256
ecf183d1296b0c9335aa914f56e02bd81c25008533aabe562d7e5844b957720b

SHA512
a8c3717c3c4cf69b3138c29b2fbc364f4b1d975c0771a698f194ec7609956481b3d5627ed220359a05223d2736b799d8366b64581cbf2c82abd740b615dbbdd2

Download Submit
memory/368-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5720-1378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6172-1392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6200-1355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6256-1377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6340-1390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6356-1412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6432-1389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6552-1387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6564-1407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6596-1374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6612-1406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6628-1386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6676-1358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6680-1373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6684-1385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6744-1403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6832-1383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6884-1356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6908-1382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6968-1381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7028-1370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7032-1396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7096-1363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7132-1369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads