086e6f8663c57de3f260722822fefcf8460aa25fd6678124ca92d71918329e91

Analysis

max time kernel
164s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

086e6f8663c57de3f260722822fefcf8460aa25fd6678124ca92d71918329e91.exe
Size

80KB
MD5

1ce1e3bc1534b0327bb02d6e33f1e6cb
SHA1

8bfa0e78226310bf4fe57308d889d7d82decb14c
SHA256

086e6f8663c57de3f260722822fefcf8460aa25fd6678124ca92d71918329e91
SHA512

d5d374c481a1374c1f0b9954bf82404936f9c807a82a9b7c7028c9d1efccbb7d93dee3bae1e6496e83ed118c1d2dd64b32262ca123a1b83b33a0f24a0fba03ae
SSDEEP

1536:oBx+oWq3MwJ0Dzs52b6jLAD5yfd2o5e1ux3vCGVC7ZNfA:8X3MEkbbkOy1XR3vA7ZNo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipkaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kedcml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaleglc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebeapc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfbhflj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmadco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clbdpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagcndq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijqmhnko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddifgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niipdpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfgpblda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jikfbkbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djomjfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgcjmjho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlilh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpffeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqmjen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coepob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbmclobc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpqkcpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbhhkoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpecbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcmbee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlipomli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgpgplej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbmclobc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knnhdied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhclmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmladm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpogkhnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coepob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koaaaaip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	086e6f8663c57de3f260722822fefcf8460aa25fd6678124ca92d71918329e91.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bljlfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmladm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahmlaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkgpbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcibca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdhgaid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlipomli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Komhfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hplicjok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doaneiop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lagepl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmdekf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilafiihp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilfhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmgjbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eehime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjponk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalnfooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmojep32.exe

Executes dropped EXE 64 IoCs

pid	Process
4052	Aoofle32.exe
4756	Afkknogn.exe
2496	Akhcfe32.exe
536	Bkkple32.exe
5024	Bljlfh32.exe
4440	Bmlilh32.exe
4100	Bkafmd32.exe
1824	Gpecbk32.exe
4492	Glldgljg.exe
5044	Ggahedjn.exe
1432	Hkpqkcpd.exe
4560	Hplicjok.exe
4552	Hienlpel.exe
836	Hcmbee32.exe
4452	Higjaoci.exe
1468	Hcpojd32.exe
3332	Hlhccj32.exe
2392	Iljpij32.exe
3728	Ikkpgafg.exe
4236	Iphioh32.exe
3204	Ijqmhnko.exe
624	Ipjedh32.exe
4932	Igdnabjh.exe
4516	Ilafiihp.exe
3736	Iggjga32.exe
3064	Jpaleglc.exe
3048	Jkgpbp32.exe
1704	Jdodkebj.exe
4352	Jjlmclqa.exe
2056	Jcdala32.exe
4056	Jcgnbaeo.exe
3020	Jdfjld32.exe
2212	Akglloai.exe
3704	Chlflabp.exe
1052	Ckjbhmad.exe
4680	Cfpffeaj.exe
1960	Cljobphg.exe
4964	Cdecgbfa.exe
3624	Dbicpfdk.exe
4608	Dhclmp32.exe
3792	Dnpdegjp.exe
908	Dfglfdkb.exe
4596	Dmadco32.exe
3032	Dbnmke32.exe
2860	Dmcain32.exe
3800	Doaneiop.exe
1788	Ngjkfd32.exe
368	Phfcipoo.exe
4724	Adcjop32.exe
1228	Afbgkl32.exe
2420	Amlogfel.exe
404	Ahaceo32.exe
1720	Aokkahlo.exe
4108	Adhdjpjf.exe
3244	Amqhbe32.exe
4512	Adkqoohc.exe
5084	Agimkk32.exe
4676	Bdmmeo32.exe
1640	Bhmbqm32.exe
3228	Baegibae.exe
5136	Bknlbhhe.exe
5176	Bdfpkm32.exe
5220	Boldhf32.exe
5268	Cdimqm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hlhccj32.exe	Hcpojd32.exe
File opened for modification	C:\Windows\SysWOW64\Igdnabjh.exe	Ipjedh32.exe
File created	C:\Windows\SysWOW64\Jcgnbaeo.exe	Jcdala32.exe
File opened for modification	C:\Windows\SysWOW64\Adkqoohc.exe	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Qmmekboo.dll	Gmojep32.exe
File created	C:\Windows\SysWOW64\Jdfjld32.exe	Jcgnbaeo.exe
File created	C:\Windows\SysWOW64\Ongbqjjf.dll	Dmadco32.exe
File created	C:\Windows\SysWOW64\Ciipkkdj.dll	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Cdlhgpag.exe	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Kinefp32.exe	Jdjfmjhm.exe
File opened for modification	C:\Windows\SysWOW64\Clbdpc32.exe	Cehlcikj.exe
File opened for modification	C:\Windows\SysWOW64\Hbnjfefo.exe	Foebmn32.exe
File created	C:\Windows\SysWOW64\Hikemehi.dll	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Kdehpnep.dll	Ocopncke.exe
File opened for modification	C:\Windows\SysWOW64\Eehime32.exe	Diclff32.exe
File opened for modification	C:\Windows\SysWOW64\Fihnhc32.exe	Eehime32.exe
File opened for modification	C:\Windows\SysWOW64\Cpogkhnl.exe	Ckbncapd.exe
File created	C:\Windows\SysWOW64\Pedfeccm.dll	Dckoia32.exe
File created	C:\Windows\SysWOW64\Clbdpc32.exe	Cehlcikj.exe
File created	C:\Windows\SysWOW64\Mpbaipdn.dll	Bckddn32.exe
File created	C:\Windows\SysWOW64\Hhcmlj32.dll	Igdnabjh.exe
File created	C:\Windows\SysWOW64\Qgngnj32.dll	Jcgnbaeo.exe
File created	C:\Windows\SysWOW64\Lielhgaa.dll	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Ddifgk32.exe	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Bfaigclq.exe	Baepolni.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Ohpiphlb.exe	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Lpamfo32.dll	Jdfjld32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcain32.exe	Dbnmke32.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Boldhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ilfhfh32.exe	Hbnjfefo.exe
File created	C:\Windows\SysWOW64\Jhcjmnhi.dll	Midfiq32.exe
File created	C:\Windows\SysWOW64\Jmbhhkoa.exe	Gmojep32.exe
File opened for modification	C:\Windows\SysWOW64\Kcmmap32.exe	Koaaaaip.exe
File created	C:\Windows\SysWOW64\Hplicjok.exe	Hkpqkcpd.exe
File opened for modification	C:\Windows\SysWOW64\Bhmbqm32.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Ecbeip32.exe	Eaaiahei.exe
File opened for modification	C:\Windows\SysWOW64\Bgoalc32.exe	Ocknmjcf.exe
File created	C:\Windows\SysWOW64\Jkmgladi.exe	Hbmclobc.exe
File opened for modification	C:\Windows\SysWOW64\Jkmgladi.exe	Hbmclobc.exe
File opened for modification	C:\Windows\SysWOW64\Gmojep32.exe	Fihnhc32.exe
File opened for modification	C:\Windows\SysWOW64\Hcpojd32.exe	Higjaoci.exe
File opened for modification	C:\Windows\SysWOW64\Adhdjpjf.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Pfmbaplc.dll	Ocknmjcf.exe
File created	C:\Windows\SysWOW64\Mociom32.dll	Ijqmhnko.exe
File created	C:\Windows\SysWOW64\Pjllddpj.dll	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Nbpiochc.dll	Lalnfooo.exe
File opened for modification	C:\Windows\SysWOW64\Dhclmp32.exe	Dbicpfdk.exe
File created	C:\Windows\SysWOW64\Camgolnm.dll	Eaaiahei.exe
File created	C:\Windows\SysWOW64\Akhcfe32.exe	Afkknogn.exe
File created	C:\Windows\SysWOW64\Qcpcmogh.dll	Hdcnpd32.exe
File created	C:\Windows\SysWOW64\Bgoalc32.exe	Ocknmjcf.exe
File created	C:\Windows\SysWOW64\Pdcbqcjc.dll	Jpenoe32.exe
File created	C:\Windows\SysWOW64\Jlmcka32.dll	Hienlpel.exe
File created	C:\Windows\SysWOW64\Cfpffeaj.exe	Ckjbhmad.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Ppklijpk.dll	Ohpiphlb.exe
File created	C:\Windows\SysWOW64\Cmmbmhdc.dll	Ebeapc32.exe
File created	C:\Windows\SysWOW64\Pbfglg32.exe	Oqbagd32.exe
File created	C:\Windows\SysWOW64\Fihnhc32.exe	Eehime32.exe
File created	C:\Windows\SysWOW64\Qnidao32.dll	Ikkpgafg.exe
File created	C:\Windows\SysWOW64\Ejnnldhi.dll	Ckpamabg.exe
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Cdlhgpag.exe	Cifdjg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjlmclqa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbhhkoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	086e6f8663c57de3f260722822fefcf8460aa25fd6678124ca92d71918329e91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfcnkn32.dll"	Bkkple32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loeebgbi.dll"	Nejbaqgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcjmnhi.dll"	Midfiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfagnn32.dll"	Eehime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odfhakoc.dll"	Kedcml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	086e6f8663c57de3f260722822fefcf8460aa25fd6678124ca92d71918329e91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgpgplej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehpngogl.dll"	Diclff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfimhkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkemhbc.dll"	Cbdhgaid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkkple32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcdala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdfjld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjbhmad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppioondd.dll"	Dbicpfdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcpika32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbnjfefo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalnfooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnnlj32.dll"	Ckjbhmad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lagepl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niipdpae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdfjld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcplf32.dll"	Dnpdegjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caajoahp.dll"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipkaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kedcml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glldgljg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cljobphg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doeaaj32.dll"	Mmdekf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbegg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijqmhnko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbqjjf.dll"	Dmadco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbqiak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilafiihp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmmekboo.dll"	Gmojep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iggjga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkgpbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmbmhdc.dll"	Ebeapc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	086e6f8663c57de3f260722822fefcf8460aa25fd6678124ca92d71918329e91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjnppabn.dll"	Ggahedjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iljpij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojjf32.dll"	Jdodkebj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdecgbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll"	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hplicjok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgngnj32.dll"	Jcgnbaeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmdekf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjccl32.dll"	Ilfhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalnfooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnohemjm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 4052	3488	086e6f8663c57de3f260722822fefcf8460aa25fd6678124ca92d71918329e91.exe	91
PID 3488 wrote to memory of 4052	3488	086e6f8663c57de3f260722822fefcf8460aa25fd6678124ca92d71918329e91.exe	91
PID 3488 wrote to memory of 4052	3488	086e6f8663c57de3f260722822fefcf8460aa25fd6678124ca92d71918329e91.exe	91
PID 4052 wrote to memory of 4756	4052	Aoofle32.exe	92
PID 4052 wrote to memory of 4756	4052	Aoofle32.exe	92
PID 4052 wrote to memory of 4756	4052	Aoofle32.exe	92
PID 4756 wrote to memory of 2496	4756	Afkknogn.exe	93
PID 4756 wrote to memory of 2496	4756	Afkknogn.exe	93
PID 4756 wrote to memory of 2496	4756	Afkknogn.exe	93
PID 2496 wrote to memory of 536	2496	Akhcfe32.exe	94
PID 2496 wrote to memory of 536	2496	Akhcfe32.exe	94
PID 2496 wrote to memory of 536	2496	Akhcfe32.exe	94
PID 536 wrote to memory of 5024	536	Bkkple32.exe	95
PID 536 wrote to memory of 5024	536	Bkkple32.exe	95
PID 536 wrote to memory of 5024	536	Bkkple32.exe	95
PID 5024 wrote to memory of 4440	5024	Bljlfh32.exe	96
PID 5024 wrote to memory of 4440	5024	Bljlfh32.exe	96
PID 5024 wrote to memory of 4440	5024	Bljlfh32.exe	96
PID 4440 wrote to memory of 4100	4440	Bmlilh32.exe	97
PID 4440 wrote to memory of 4100	4440	Bmlilh32.exe	97
PID 4440 wrote to memory of 4100	4440	Bmlilh32.exe	97
PID 4100 wrote to memory of 1824	4100	Bkafmd32.exe	98
PID 4100 wrote to memory of 1824	4100	Bkafmd32.exe	98
PID 4100 wrote to memory of 1824	4100	Bkafmd32.exe	98
PID 1824 wrote to memory of 4492	1824	Gpecbk32.exe	99
PID 1824 wrote to memory of 4492	1824	Gpecbk32.exe	99
PID 1824 wrote to memory of 4492	1824	Gpecbk32.exe	99
PID 4492 wrote to memory of 5044	4492	Glldgljg.exe	100
PID 4492 wrote to memory of 5044	4492	Glldgljg.exe	100
PID 4492 wrote to memory of 5044	4492	Glldgljg.exe	100
PID 5044 wrote to memory of 1432	5044	Ggahedjn.exe	101
PID 5044 wrote to memory of 1432	5044	Ggahedjn.exe	101
PID 5044 wrote to memory of 1432	5044	Ggahedjn.exe	101
PID 1432 wrote to memory of 4560	1432	Hkpqkcpd.exe	102
PID 1432 wrote to memory of 4560	1432	Hkpqkcpd.exe	102
PID 1432 wrote to memory of 4560	1432	Hkpqkcpd.exe	102
PID 4560 wrote to memory of 4552	4560	Hplicjok.exe	103
PID 4560 wrote to memory of 4552	4560	Hplicjok.exe	103
PID 4560 wrote to memory of 4552	4560	Hplicjok.exe	103
PID 4552 wrote to memory of 836	4552	Hienlpel.exe	104
PID 4552 wrote to memory of 836	4552	Hienlpel.exe	104
PID 4552 wrote to memory of 836	4552	Hienlpel.exe	104
PID 836 wrote to memory of 4452	836	Hcmbee32.exe	105
PID 836 wrote to memory of 4452	836	Hcmbee32.exe	105
PID 836 wrote to memory of 4452	836	Hcmbee32.exe	105
PID 4452 wrote to memory of 1468	4452	Higjaoci.exe	106
PID 4452 wrote to memory of 1468	4452	Higjaoci.exe	106
PID 4452 wrote to memory of 1468	4452	Higjaoci.exe	106
PID 1468 wrote to memory of 3332	1468	Hcpojd32.exe	107
PID 1468 wrote to memory of 3332	1468	Hcpojd32.exe	107
PID 1468 wrote to memory of 3332	1468	Hcpojd32.exe	107
PID 3332 wrote to memory of 2392	3332	Hlhccj32.exe	108
PID 3332 wrote to memory of 2392	3332	Hlhccj32.exe	108
PID 3332 wrote to memory of 2392	3332	Hlhccj32.exe	108
PID 2392 wrote to memory of 3728	2392	Iljpij32.exe	109
PID 2392 wrote to memory of 3728	2392	Iljpij32.exe	109
PID 2392 wrote to memory of 3728	2392	Iljpij32.exe	109
PID 3728 wrote to memory of 4236	3728	Ikkpgafg.exe	110
PID 3728 wrote to memory of 4236	3728	Ikkpgafg.exe	110
PID 3728 wrote to memory of 4236	3728	Ikkpgafg.exe	110
PID 4236 wrote to memory of 3204	4236	Iphioh32.exe	111
PID 4236 wrote to memory of 3204	4236	Iphioh32.exe	111
PID 4236 wrote to memory of 3204	4236	Iphioh32.exe	111
PID 3204 wrote to memory of 624	3204	Ijqmhnko.exe	112

C:\Users\Admin\AppData\Local\Temp\086e6f8663c57de3f260722822fefcf8460aa25fd6678124ca92d71918329e91.exe
"C:\Users\Admin\AppData\Local\Temp\086e6f8663c57de3f260722822fefcf8460aa25fd6678124ca92d71918329e91.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\Aoofle32.exe
  C:\Windows\system32\Aoofle32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\Afkknogn.exe
    C:\Windows\system32\Afkknogn.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\SysWOW64\Akhcfe32.exe
      C:\Windows\system32\Akhcfe32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\Bkkple32.exe
        
        C:\Windows\system32\Bkkple32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Windows\SysWOW64\Bljlfh32.exe
        
        C:\Windows\system32\Bljlfh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Bmlilh32.exe
        
        C:\Windows\system32\Bmlilh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Bkafmd32.exe
        
        C:\Windows\system32\Bkafmd32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Gpecbk32.exe
        
        C:\Windows\system32\Gpecbk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Glldgljg.exe
        
        C:\Windows\system32\Glldgljg.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Ggahedjn.exe
        
        C:\Windows\system32\Ggahedjn.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Hkpqkcpd.exe
        
        C:\Windows\system32\Hkpqkcpd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Hplicjok.exe
        
        C:\Windows\system32\Hplicjok.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Hienlpel.exe
        
        C:\Windows\system32\Hienlpel.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Hcmbee32.exe
        
        C:\Windows\system32\Hcmbee32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Higjaoci.exe
        
        C:\Windows\system32\Higjaoci.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Hcpojd32.exe
        
        C:\Windows\system32\Hcpojd32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Hlhccj32.exe
        
        C:\Windows\system32\Hlhccj32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Iljpij32.exe
        
        C:\Windows\system32\Iljpij32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Ikkpgafg.exe
        
        C:\Windows\system32\Ikkpgafg.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Iphioh32.exe
        
        C:\Windows\system32\Iphioh32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Ijqmhnko.exe
        
        C:\Windows\system32\Ijqmhnko.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Ipjedh32.exe
        
        C:\Windows\system32\Ipjedh32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Igdnabjh.exe
        
        C:\Windows\system32\Igdnabjh.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Ilafiihp.exe
        
        C:\Windows\system32\Ilafiihp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Iggjga32.exe
        
        C:\Windows\system32\Iggjga32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Jpaleglc.exe
        
        C:\Windows\system32\Jpaleglc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Jkgpbp32.exe
        
        C:\Windows\system32\Jkgpbp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Jdodkebj.exe
        
        C:\Windows\system32\Jdodkebj.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Jjlmclqa.exe
        
        C:\Windows\system32\Jjlmclqa.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Jcdala32.exe
        
        C:\Windows\system32\Jcdala32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Jcgnbaeo.exe
        
        C:\Windows\system32\Jcgnbaeo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Jdfjld32.exe
        
        C:\Windows\system32\Jdfjld32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        34⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        35⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        43⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        51⤵
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        52⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        53⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        57⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        58⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        61⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        63⤵
        Executes dropped EXE
        
        PID:5136
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        67⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        68⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        69⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        72⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        73⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        74⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        75⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        79⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        80⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        82⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        83⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        84⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        86⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        90⤵
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        92⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        93⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        94⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        95⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        96⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        97⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        98⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        100⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        101⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        102⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        103⤵
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\Ohpiphlb.exe
        
        C:\Windows\system32\Ohpiphlb.exe
        104⤵
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Becknc32.exe
        
        C:\Windows\system32\Becknc32.exe
        105⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Ebeapc32.exe
        
        C:\Windows\system32\Ebeapc32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Hjbhph32.exe
        
        C:\Windows\system32\Hjbhph32.exe
        107⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Lagepl32.exe
        
        C:\Windows\system32\Lagepl32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Omjnhiiq.exe
        
        C:\Windows\system32\Omjnhiiq.exe
        109⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Cbdhgaid.exe
        
        C:\Windows\system32\Cbdhgaid.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Fbqiak32.exe
        
        C:\Windows\system32\Fbqiak32.exe
        111⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Iapbodql.exe
        
        C:\Windows\system32\Iapbodql.exe
        112⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Mmdekf32.exe
        
        C:\Windows\system32\Mmdekf32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Kdpmmf32.exe
        
        C:\Windows\system32\Kdpmmf32.exe
        114⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Nejbaqgo.exe
        
        C:\Windows\system32\Nejbaqgo.exe
        115⤵
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Opgloh32.exe
        
        C:\Windows\system32\Opgloh32.exe
        116⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\Bckddn32.exe
        
        C:\Windows\system32\Bckddn32.exe
        117⤵
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Eqmjen32.exe
        
        C:\Windows\system32\Eqmjen32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2176
        
        C:\Windows\SysWOW64\Hdcnpd32.exe
        
        C:\Windows\system32\Hdcnpd32.exe
        119⤵
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Dabpgbpm.exe
        
        C:\Windows\system32\Dabpgbpm.exe
        120⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Ijfbhflj.exe
        
        C:\Windows\system32\Ijfbhflj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Jdjfmjhm.exe
        
        C:\Windows\system32\Jdjfmjhm.exe
        122⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\Kinefp32.exe
        
        C:\Windows\system32\Kinefp32.exe
        123⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Oqbagd32.exe
        
        C:\Windows\system32\Oqbagd32.exe
        124⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Pbfglg32.exe
        
        C:\Windows\system32\Pbfglg32.exe
        125⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Ajbegg32.exe
        
        C:\Windows\system32\Ajbegg32.exe
        126⤵
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Ahmlaj32.exe
        
        C:\Windows\system32\Ahmlaj32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1092
        
        C:\Windows\SysWOW64\Coepob32.exe
        
        C:\Windows\system32\Coepob32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:416
        
        C:\Windows\SysWOW64\Foebmn32.exe
        
        C:\Windows\system32\Foebmn32.exe
        129⤵
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Hbnjfefo.exe
        
        C:\Windows\system32\Hbnjfefo.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Ilfhfh32.exe
        
        C:\Windows\system32\Ilfhfh32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Kipkaj32.exe
        
        C:\Windows\system32\Kipkaj32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Ocknmjcf.exe
        
        C:\Windows\system32\Ocknmjcf.exe
        133⤵
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Bgoalc32.exe
        
        C:\Windows\system32\Bgoalc32.exe
        134⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Bjagcndq.exe
        
        C:\Windows\system32\Bjagcndq.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Dgpgplej.exe
        
        C:\Windows\system32\Dgpgplej.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Hbmclobc.exe
        
        C:\Windows\system32\Hbmclobc.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Jkmgladi.exe
        
        C:\Windows\system32\Jkmgladi.exe
        138⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Llbinnbq.exe
        
        C:\Windows\system32\Llbinnbq.exe
        139⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\Mlipomli.exe
        
        C:\Windows\system32\Mlipomli.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1016
        
        C:\Windows\SysWOW64\Midfiq32.exe
        
        C:\Windows\system32\Midfiq32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Nockfgao.exe
        
        C:\Windows\system32\Nockfgao.exe
        142⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Niipdpae.exe
        
        C:\Windows\system32\Niipdpae.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Ocopncke.exe
        
        C:\Windows\system32\Ocopncke.exe
        144⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Djomjfde.exe
        
        C:\Windows\system32\Djomjfde.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1404
        
        C:\Windows\SysWOW64\Epjadk32.exe
        
        C:\Windows\system32\Epjadk32.exe
        146⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\Halmaiog.exe
        
        C:\Windows\system32\Halmaiog.exe
        147⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\Jnklnfpq.exe
        
        C:\Windows\system32\Jnklnfpq.exe
        148⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\Lgcjmjho.exe
        
        C:\Windows\system32\Lgcjmjho.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4440
        
        C:\Windows\SysWOW64\Lbinkb32.exe
        
        C:\Windows\system32\Lbinkb32.exe
        150⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Lalnfooo.exe
        
        C:\Windows\system32\Lalnfooo.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Bkmmkj32.exe
        
        C:\Windows\system32\Bkmmkj32.exe
        152⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Ffobbmpp.exe
        
        C:\Windows\system32\Ffobbmpp.exe
        153⤵
        
        PID:60
        
        C:\Windows\SysWOW64\Jncobabm.exe
        
        C:\Windows\system32\Jncobabm.exe
        154⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\Lnohemjm.exe
        
        C:\Windows\system32\Lnohemjm.exe
        155⤵
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Nmgjbg32.exe
        
        C:\Windows\system32\Nmgjbg32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1124
        
        C:\Windows\SysWOW64\Aojepe32.exe
        
        C:\Windows\system32\Aojepe32.exe
        157⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Diclff32.exe
        
        C:\Windows\system32\Diclff32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Eehime32.exe
        
        C:\Windows\system32\Eehime32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Fihnhc32.exe
        
        C:\Windows\system32\Fihnhc32.exe
        160⤵
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Gmojep32.exe
        
        C:\Windows\system32\Gmojep32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Jmbhhkoa.exe
        
        C:\Windows\system32\Jmbhhkoa.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Jikfbkbc.exe
        
        C:\Windows\system32\Jikfbkbc.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Jpenoe32.exe
        
        C:\Windows\system32\Jpenoe32.exe
        164⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Jcdjka32.exe
        
        C:\Windows\system32\Jcdjka32.exe
        165⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Kjnbhkqp.exe
        
        C:\Windows\system32\Kjnbhkqp.exe
        166⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Kllodfpd.exe
        
        C:\Windows\system32\Kllodfpd.exe
        167⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Kokkqbog.exe
        
        C:\Windows\system32\Kokkqbog.exe
        168⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Kgacaopj.exe
        
        C:\Windows\system32\Kgacaopj.exe
        169⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Kedcml32.exe
        
        C:\Windows\system32\Kedcml32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Kjponk32.exe
        
        C:\Windows\system32\Kjponk32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2980
        
        C:\Windows\SysWOW64\Kloljf32.exe
        
        C:\Windows\system32\Kloljf32.exe
        172⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\Komhfa32.exe
        
        C:\Windows\system32\Komhfa32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Kfgpblda.exe
        
        C:\Windows\system32\Kfgpblda.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1368
        
        C:\Windows\SysWOW64\Knnhdied.exe
        
        C:\Windows\system32\Knnhdied.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1072
        
        C:\Windows\SysWOW64\Koodka32.exe
        
        C:\Windows\system32\Koodka32.exe
        176⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Kckqlpck.exe
        
        C:\Windows\system32\Kckqlpck.exe
        177⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Kfimhkbo.exe
        
        C:\Windows\system32\Kfimhkbo.exe
        178⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Klceeejl.exe
        
        C:\Windows\system32\Klceeejl.exe
        179⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Koaaaaip.exe
        
        C:\Windows\system32\Koaaaaip.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afkknogn.exe

Filesize
80KB

MD5
a376ed6530ae8b1d4eeeb90cb2f5163d

SHA1
07531ebe54e0efde7d80c2acfc4248f1555b8451

SHA256
9a95513dfe8672d868424f3e128c41e751eb35885593155e669299a890b898f4

SHA512
d1e8cd0e61a582d19d15b8ee234dda064d1faaf8dd2da122b7e246878dcecb3b12cecba6f96bbbf554d5f36aed3c56e8475e3f738d63cc1d6527b112cd3f1a42

Download Submit
C:\Windows\SysWOW64\Akhcfe32.exe

Filesize
80KB

MD5
72e2956fcc1da2b36513203f1ffeb4cf

SHA1
87e514b9a8d05e00d70734a2c2c630e11517ea2c

SHA256
6e1858580014d1d879049d8e205f8851dbd566c40207a43327b76345655550a8

SHA512
4de797af1912fc2d9ce74676756a0e194f785ab19c4ab8448cb94106df1b26cf7195a6a2ace92c92fe330daeb7d5610baa7a4f5ec75513fc1ad9f41d69a26c3e

Download Submit
C:\Windows\SysWOW64\Aoofle32.exe

Filesize
80KB

MD5
68110d2555aec6229c66ae2d3ad8e23b

SHA1
df9a9522505e39e06824e1d7ef49daeba4e093e0

SHA256
000ec551a00a02b042f3a78b328de254dce3109d737aa2d4f30a09ee98a48fcd

SHA512
fc9737a191945ed5bf4809b3c4537a27a72e4a354530050a4058c08131c8e7d82d16588d64385e2fd7990dcc7d6579041487aa0261b8fb9fa6259942a7c04822

Download Submit
C:\Windows\SysWOW64\Becknc32.exe

Filesize
80KB

MD5
d8d94da9ce5bc71d26bfa16ca35a721b

SHA1
ff727ba99b31122fc0203571c79241dd8d873b48

SHA256
7a196b3e6296616d5ca5e0bdcfe7380c467cc766c165398b4630ccbd72c83401

SHA512
72ce7501f4553023a28584439d4a4e1f481b09a8f4ec0dc9af12fe5a2900662faa6db50292b439dfa8d618956b4f466be69262bb34cc8816a5a954282963ba4b

Download Submit
C:\Windows\SysWOW64\Bkafmd32.exe

Filesize
80KB

MD5
c454d8afb29b266f7d27a6ec718b06a3

SHA1
472477c966c5dabf1aef48fad3f65da19a08fa9d

SHA256
39a29be879a3945a4ab6932a225a43d0abe2c33ecb82efbb8569fa2769e3256d

SHA512
68e0308069d7004cd4f7be84a36b6fc43a77931adbfb9b878028d831085205f1e1eb8f15a786da1b439885d0390fa9fbf235d0354fd0919a328fd0d6170dc51e

Download Submit
C:\Windows\SysWOW64\Bkkple32.exe

Filesize
80KB

MD5
d4e3f4906b7b82d28a6f1152088c841f

SHA1
b537fb37d04ca1aa0fec798c237fcb8af4b68d69

SHA256
01d7a25a971a51052d1676fbc61d1f78b59a5fb34d534d0168443c215dd44045

SHA512
6e3aed2e828f4f4c09f2589efd261f8c25acbf9e0ec26cb25d5d8b39fab0a6dfe79b6a640ffa8b56f3e0dcaefe5fdbb0a71d7275a3d5cf453390b8c20f2b33d9

Download Submit
C:\Windows\SysWOW64\Bljlfh32.exe

Filesize
80KB

MD5
c3088c23725cba3f6aad9753d7003523

SHA1
5e284d5445dcc6d9f9881551d06a720994e88047

SHA256
4ff5f8f5332a1e6868987c13a4b968946c5e8ce5eb4d3fc63fa827853e60e1f7

SHA512
cccbf9243a8c7d33cc3869422b92d280b2239f447c54731e837301ea36e15ce8549abd76737ca01a59ef24aaddf8c464ad451641602dedcfefb2918528bf8f35

Download Submit
C:\Windows\SysWOW64\Bmlilh32.exe

Filesize
80KB

MD5
91bd9212d63d9dd6083524e15c5cf575

SHA1
4af8ecba672d98aa31899a08be30f6b5ccc56734

SHA256
b85e6f76204afbf3d765da58c800b951cf4c38a74db25d5b96a73be7021e6aef

SHA512
861ce0995e00e72b182633fceb1eb4e40856568e8bdbe00aa546e9d7b8c6b8bd58ceacddb81ad5a5613ada00ae1111e63704cab62762fcec15c1285f7f2eb003

Download Submit
C:\Windows\SysWOW64\Cfjeckpj.exe

Filesize
64KB

MD5
2baab6a40cc317754ed5aea18218ac24

SHA1
b690f7c1d4a52394fe3192fc576f320333f6c607

SHA256
4a1ffc2219ea0d379ddfcd57ca0bbfd2a5eb7a14792ddb54cc367f3a822ce575

SHA512
bc3ef151639566ef0ee0b669ffc7010a2e065128846daa4b8d4f80abd8d391c9a52d4042aee0dec6238005677f425e4454ddb84d98f9305d2de903b10c6ba364

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
80KB

MD5
a0d5ddaf151706c7fc7160146fa88c7c

SHA1
3be16a9fa731b770d5fa5cd31af1760b2e44e983

SHA256
f175bc92047f7f3af16ab29330ee126704cdb3e70a4727bf8cfca47fb115da7f

SHA512
653443eff9b80e91d2c7676c1abc01f746530b3b85d1da2a2aebe92711a231f8aeade42f8c9254a73c039e6e41957f6c514ff3953cebdf08b63ef4a7427427e9

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
80KB

MD5
77d4b87832f3dddf60d6f1fc1f942c57

SHA1
de75da5b366557976604e7873b9f0beb0e442945

SHA256
4565fe35294f3c0adac113b251a70a27bec33d8b62de43b4d5bbcb37470c540f

SHA512
df6a311616e15683a7756cd5bfe99642182631e8575385488b31db43b50a78940dccfdcdfa12ab67f7812c35a431a93ca7ade5922660b9aa933d433a96438599

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
80KB

MD5
fedf1923d6e692d9d86690f3f5a7fc4e

SHA1
54a224ffb8827f9365396eaa5536a39cf41fe9f7

SHA256
ec6cf1e29853ee90acc0293013dc7348fffeccf48dd18f9c9f689baa2e75ba76

SHA512
93f82418efba5edfee3fb07c25f4c411bef90f7ddf1ea3ec46a3261684119ba2c8a2a8394956c8b1fd8e784fc6f6244ee666fbe86cfb6d387b62e8f792950edb

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
80KB

MD5
8ab9cb6279aaf9e0b604d2f7d14c824f

SHA1
8322e2e7fb5f5fac71036082ac74bf86c2d5c06f

SHA256
6dbc5de3dd518cdc78f35949cc8390c60415c55495200a3d3c920c5bfe59e145

SHA512
be9b013dafc4839319d976cf788fe75f42486ec9b49c00b759f433aa2ff69c702a2fa7254bc4e15fbcce69d95530a390d92d72413b7ef15e51b2804176f21175

Download Submit
C:\Windows\SysWOW64\Diclff32.exe

Filesize
80KB

MD5
4fee992dc2c35c46c22fc30228414c1d

SHA1
e9722fbe7c4c69fb873c4ecd05c1712d8b98f418

SHA256
b38dea058cabf4873aacaae651eaffc6e98c9ab5f3d5a5a42d236acb0ae54eda

SHA512
ff2cae578943dbc486292f6e6dfdda033799ecf72856c88e6ddaa60d6ed5700ef1b11514a42aa61caf2781284f97563b616dbc74dff7876fc2280c262a2ae4a8

Download Submit
C:\Windows\SysWOW64\Djomjfde.exe

Filesize
80KB

MD5
56e26179d58eabc465548f5f5690c02a

SHA1
4df153ca7c4adfaa7355dd617310cd0959a09e60

SHA256
bb9b896412b6dfe6f749a82f656223d965c750eb7d9fafc319fd0d067ece06b7

SHA512
39c6c26f261ee804c611a21d5faa77c70c1eff50cfd7d8d7bcd6f10e1be00732348b485b695325c4f5298752dc4a8b959b038cde518ef31c9d465af774f8233d

Download Submit
C:\Windows\SysWOW64\Eaaiahei.exe

Filesize
80KB

MD5
4d4e05686d61256d58ffb17c57b02662

SHA1
31d844a9ace7210eaec2f05e4a44afd6577b2b80

SHA256
3e588bb814e71145da27faea3210b91559c644b5921f946187438f2fd7c40e34

SHA512
0d3673dd6527919d5e2aaa27c9ef623a1ac5b1ae9bda9d1a8d2d95b9a69959d782b9bc4174056bbdf5ae104d69e9684cf8b5b222130194965f2517ff7314811d

Download Submit
C:\Windows\SysWOW64\Ggahedjn.exe

Filesize
80KB

MD5
16140ed4dc0e1170bff88daee7e729a0

SHA1
f013345b178ca2a4e6645e8cfbc33521bbd8b74b

SHA256
09ec75f6fc2ae2546da09c22e5ce04e3d210ad5f175db2f9b7820a5d91cbd0b5

SHA512
5e87035175ad5d2ee9466f884afa46195e22e458a4130378445c06c0ad6122dcd30f947b767a18f387c6897d65906763a83cbc872e9fc2e6097a6acc0f4d1e0d

Download Submit
C:\Windows\SysWOW64\Glldgljg.exe

Filesize
80KB

MD5
b0094461d761c167c1f032f67ee93924

SHA1
3ba9439c02dce55bbdada6a8057be22c6b5a5608

SHA256
c26151a8ef8c50d5d43a2d6ec71392a39c381a9db94620963b2be06cfa073936

SHA512
e60cf4df34854f5358349dec0fbf2d7e1a0a9ffdef98396113d64fc43d78bb97b5de0c26e39f532688fa35dacc3dd4cf47f02aca8c531746e2d047ce454bcc8b

Download Submit
C:\Windows\SysWOW64\Gpecbk32.exe

Filesize
80KB

MD5
f22adab48a4da750a3a70c5d90651ea7

SHA1
70d0fe7e43227687628c3702e65f4f2b9c4f2891

SHA256
a73be33d16896188a247a6c33c4fd19be499026187d062188cc0c10187e2baa4

SHA512
82835df9a12e5045877129ac55b09c0a721bb28b74a5e49dd0ccee6d4d398183b995bb8f7bc7b8c6e41f84ed66b6f68ce006a8f367ad855756850a5fc27873cc

Download Submit
C:\Windows\SysWOW64\Hcmbee32.exe

Filesize
80KB

MD5
53c6d851bf3425fbc37dc735bdf79a15

SHA1
014718870cd61c0d7d9c0f2aff7e57456ba582e4

SHA256
bd4d8b48bca5a715e0b20c54b6c11d3080e21a6696be04f72c4706bb9a8ae29c

SHA512
5dc582b98bafb10799c9cc09fdc45850ac7ce9cf135dd343580531c817773781a6d7a08a294b89901a90783fd69c79d26a9c1ea776f3d89b70cc54410a970d99

Download Submit
C:\Windows\SysWOW64\Hcpojd32.exe

Filesize
80KB

MD5
4b041f217a0719c80a7123c62be3e419

SHA1
46d539d8ecf66e360ed713df3b5f7c275bdb3b92

SHA256
98480eb436d9bbb89b25d35ffae21f74b24fd90c2d0cd4d88817846ada513888

SHA512
128ef30966250e79ad220fadbc3f51e61f295fc097c7283a21e5b4dba51c989bbc8810e9b134565df16eb58c584af880b31561f4a0c0f3ea680221bbc2270286

Download Submit
C:\Windows\SysWOW64\Hdcnpd32.exe

Filesize
80KB

MD5
cf823f5d5aee91e05208bc6e1d9bd6c3

SHA1
2158c60d188893c87c7930c362bb5bf87e40ebe5

SHA256
7aa19d35383d6315fea549b5df6b94d4522bbcd7cb0f2b77917709aaf69dd0f0

SHA512
de8c59035e8ec51adb57f5c4a48273c2e7b7a014a0c5d2e32953fc72fc99bc049ecde3dccd82384c3edc615212ea710bda68042413b04f8bd6adc2311f5ab064

Download Submit
C:\Windows\SysWOW64\Hienlpel.exe

Filesize
80KB

MD5
773424f6fa9aefd3f8680df94f995061

SHA1
861518f1d7fcea33e050aa943784d95e6538cca1

SHA256
5e81d68dcf48519f44b52ca626f8e3cdac971e0865ff26ba13508918ba4b38e9

SHA512
7371fe4559dfa4ce58fee5c95235cc1f65691a87ba85bc7dd055b64b49d386f324d429aeb825d3ad42acc6f2098b13c1df6c8d6a107d4bbafc805a96c619564e

Download Submit
C:\Windows\SysWOW64\Higjaoci.exe

Filesize
80KB

MD5
c612edfc75f2c7342493ad854f7e9ef1

SHA1
6a92e7336023662b6cae584bfe0dca4428716aec

SHA256
6570741770c37a077074a3ef44a4952003432e1e995a9daee1d63f370d685ea8

SHA512
d6e2bdfd41c8eaa87ede637d7939ffd1b2d4db72ed1c6f7aa5ff69c9aa3adaf77f9d710afb05064614015c49b1427c90de03c517aab6c0ea57865c35b6f2ad07

Download Submit
C:\Windows\SysWOW64\Hjbhph32.exe

Filesize
80KB

MD5
8e903d701b81bc851e8de705da350d25

SHA1
e04a1a3895c865efa653c597baf5e10304d30a86

SHA256
a0e9743a98680f9862fd2757a410ece396cb2bad9cb2a0cfe7d163d8b7153005

SHA512
4d2c2e15806a02dc095e7ab3c0f9a5954f49df204f420139e3da61fee6326cf6c4cbc0f6a16eb550eb64e03313bf20c5ecf1b1413a849165355810e693ba238b

Download Submit
C:\Windows\SysWOW64\Hkpqkcpd.exe

Filesize
80KB

MD5
b8cfb87be9850cbf4f072d8c05e81bc2

SHA1
596300100709c07a73b78e44b764b32872faa91b

SHA256
fe9669a9272fea4e54d3475714ea1896d55fa25a8c39f0625c05238f88c312e1

SHA512
2c02d4c15a218d9ccb54fd9f3589149d7813348b9de3c6fb131099535541d0a8ee6b0efaf88c3d0470b7f9827fd2b9aa24cd451235496d2864dd1a4fd624e910

Download Submit
C:\Windows\SysWOW64\Hlhccj32.exe

Filesize
80KB

MD5
7853006669e3ce36953ce32927f34869

SHA1
f4b576b44645034d844990cf9bd135f372a1b857

SHA256
242f6598e9470e7bc832d1832d282982bcb6f8ef84ca0c63dc077e552ed1e073

SHA512
a49fcd35cfa937c555cce90ee5bf2afdcc0ed748dec568334ef1f17b40adedd292c2c1c13da11910a7094467cc8030c07dfa9f6fde9335055421c00a7b041486

Download Submit
C:\Windows\SysWOW64\Hplicjok.exe

Filesize
80KB

MD5
87458bfacf3cd726c640406b2dd3ca68

SHA1
eb67894e960565481bf2481babc9fda2aa58ee31

SHA256
c8e82c48824cfd931e6c47c6bbffcc7df8e4d2391b411f9cf3cd405733b1a0a1

SHA512
da347293e73d4bba7c6d67f911522fd93dda9016e9bc833d7f3ddb95e133769da09348be64c97ff82f782ee6ef61fc561f8f08ba4b5593986ec26fba5e80660a

Download Submit
C:\Windows\SysWOW64\Igdnabjh.exe

Filesize
80KB

MD5
590f7ddf13cd33893c9c6fe69a1388d7

SHA1
677a21e1a263d9d524f0c459224913f2705c40e9

SHA256
286b2923c0c701a2cd2e8e2b9d267f0d219d2f6e1d634f0f39c9fc348d3b31f0

SHA512
17bfabf641df5411a6fdb7b09cea922a5af3fa698679ce8fda20c85229759735465ec874aba0c97ef9ad544505596777d166d3b7abff7aed5f0e9fe9c79409eb

Download Submit
C:\Windows\SysWOW64\Iggjga32.exe

Filesize
80KB

MD5
f9d7b6931fe2da4064c6edcd18303e19

SHA1
587827e43e105d78f4b07609cfd739a456419caa

SHA256
ce132b0d17853a1f81c56ecd61800ed3c40bd6c2a9b2bb58422a8ce13a00f06c

SHA512
89f16a4fad3cd9577e9cdd9edfb54ebab5eb2c7485c6494662e9015294960f960639217efa617c2b4ce78a07e30f9ebcedf02d5ef9b39526a2de29e0c34596fa

Download Submit
C:\Windows\SysWOW64\Ijfbhflj.exe

Filesize
80KB

MD5
459b4e5e798c39d6c80fdf8d0e155ad2

SHA1
7d870b656ca4feedeb4263eae31a526689ae602d

SHA256
4a21b027286fad99dc0e614071d57535a3ef425f6758b1675121e2f647bdf55a

SHA512
d2649cb9d16e91b45bd7cdaaf463103155e405c0bb48380fe0ef363b94de1009cecda645acdfdb81ff6dead66375013768814e4d14548490230c820c5689c2a5

Download Submit
C:\Windows\SysWOW64\Ijqmhnko.exe

Filesize
80KB

MD5
1aec92a0ced847823a982a4c9333b09a

SHA1
7a5ecefe4b17ec42f381a0b64511b1e69c6c6fdf

SHA256
55e02c02a84db1140649e2ff831ff93b44f5a165bf24e54cc600f76feb3e4880

SHA512
39b530b5c84e9e35f0a5ea9d4e9e15d52d1aec98ef928181b959ecc6140794db27d165a1c584f2ac12de4bdd4f5f07e158f6bc9e4abc24662f360a6ed67fd3a7

Download Submit
C:\Windows\SysWOW64\Ikkpgafg.exe

Filesize
80KB

MD5
c632d5d812270139d2c15026fee1495e

SHA1
8195aa40c815ebf45381bfe383b4225aa6eaf651

SHA256
3ab0785721c7bc557676f3806e4ba5da2b85c8798c00659c5895cfb59e8cf50d

SHA512
2d99610976580078ff0e0ce032d8508b1b1528efa0baa3117e6038459a3babc4b3c674ec57091463fcab3de6256f08b1abe3b6982317eaaf8aae848c7ffa1a2e

Download Submit
C:\Windows\SysWOW64\Ilafiihp.exe

Filesize
80KB

MD5
9bfa2fdab9d383e242aebe8e763b85e4

SHA1
a3dcc231162fe8aa2acb4aefb5f8f7e44d758374

SHA256
b15505612971324d7988bdbf42770d69901535d995ad2af4e1a5f10d81844435

SHA512
2d3cfc2fdb1ad59db73cf8fc22d35749ac784dd48452cec3b99aaf596857c796c08675628cf22597f7af9b4463705cec677d4a6257fc2c386781e24c39017f20

Download Submit
C:\Windows\SysWOW64\Iljpij32.exe

Filesize
80KB

MD5
d9c82d6f83ca196a51efbb0ca2664bd4

SHA1
84fa3dc7d83c8332502a36bc24eb60189e7a545c

SHA256
71d3629d07ff8929cd27faadce2b919e93fbc5c8075aad69c607f868fc4e5314

SHA512
63096b1eeccce60a06fea82b929d1c44370886d81c32003ac689793958a53a2dd5bbc588c24d7a0b2010f8c0537874d8c15256189067f5f79a6580b38282a0e1

Download Submit
C:\Windows\SysWOW64\Iphioh32.exe

Filesize
80KB

MD5
a798c289da3cba68e8442a986c8a7a6f

SHA1
f601504167e131573da4d53cb05c4a669997c3ee

SHA256
a5b1d9ba6430b147699d23e5a931fcde39e052731cc2fc8ea958fad8a464c836

SHA512
8d93fab4a71c9af1662b9747cfd0218c13df65fe247a93a0e25430e4f6088a696eeb698b3790f92237964e15399820c6a7c009ff092ec4d11486cc252f122fb8

Download Submit
C:\Windows\SysWOW64\Ipjedh32.exe

Filesize
80KB

MD5
4211726a58fa63257ed3530db0a6a7a4

SHA1
0c92e6572d5045a5c15a64f8beeb37735b14ff30

SHA256
22895f1c6500cab64b74ca2d70cd7039b70defa3865b1b173ac7a4c787e200aa

SHA512
a5375cae2634f122724a41fda67fec16a1a8a28b0d97e79b3568272ae73521a68ef5fc4d477a81848680cf1ea702bf977131506b5f5ad1c01248b57b4280a494

Download Submit
C:\Windows\SysWOW64\Jcdala32.exe

Filesize
80KB

MD5
a43abb3d91efa3323bc4dd25a3a8fe1e

SHA1
0ca2341b0072ac45e44e4b13153d2c716241dd03

SHA256
7cf3facb23bb548e1660246643445d5c1108c27595aeb806e2190d8494fc37e1

SHA512
1878b1c47d8125826d037dd889cb798f0100d445ba9784f0d9ffd2e4ae22fe396e2f5b13748329fa6a76e86ca6578ba771dfe8ec2d31f5ce665cf6f830c28fce

Download Submit
C:\Windows\SysWOW64\Jcgnbaeo.exe

Filesize
80KB

MD5
773846ae154f1a048dee221ef1ff7e3c

SHA1
50bb7d3dcd85b6766820e12f07fafd2ec63757d7

SHA256
e4ec98a4b2b75d1454695037586a3fdce6f4b93ba91ba5336bc0f8d6f66d87d8

SHA512
dc539e14ee1edfe07567d0f0232e6bd74320d3b56178f3830197586ecd42720e875ab3be1f7823f54acb9eb92df0486ba2801a8260a6442cc0090f284158e6da

Download Submit
C:\Windows\SysWOW64\Jdfjld32.exe

Filesize
80KB

MD5
fb8fddf59643d08226f3546f14662496

SHA1
2902ce9f53e452a5ad8362b4ce22a36e3efccfc0

SHA256
697c1b9474f45a60f3acd1eed8cd3be7c71772c4e37318348cf3faed7fe12c97

SHA512
36c19b0e4b00d5e9c5200223b8f287de9b8d1efd34255b84db51b3f17e46d2a1e88fdc61a57f9468277050ca3409227243ac31665f23e1ab161140689bb7c7a2

Download Submit
C:\Windows\SysWOW64\Jdodkebj.exe

Filesize
80KB

MD5
7124f68596b8c3fc5c8735aaa8ababd9

SHA1
8e81519fc57873c75f2c942a01d59ba032f49f45

SHA256
5b0f0f9017ba8e883c20a3cfc8dffca30ff03c2a766c60805d3fad3e98354048

SHA512
597b08eb855db92fb4d8d23dbbfc13c3c0f2ef3c2299fce29236ea8717a729220a775474937e0b9d79f55f2bf5bbdbf49cfd489ebdafd0ecb14b962666c81087

Download Submit
C:\Windows\SysWOW64\Jjlmclqa.exe

Filesize
80KB

MD5
d024c10ca9f657f59626f48a57643727

SHA1
053b2370c53686e29d9dbd90fde6b4b6ee227341

SHA256
b897f481dbeb6b6744aa7253d612b701a38631040b0bb659f2f2fb8c92df4612

SHA512
f64e2c226fb6269a95fa6d54999de0c9928130270d995acd58de23bd7d8b4cef4d16334a462e3a86f24e395a36fd593235cb945f8dea3a6db1431d3cb082c9d1

Download Submit
C:\Windows\SysWOW64\Jkgpbp32.exe

Filesize
80KB

MD5
f7206bd01c453ed7c87bbd850030282b

SHA1
38343c68066567232bce6b39e364f97cf6c626e2

SHA256
b90e9e5eb252b95586ed776dfddfd6dc75094be7395966a5b0ff040dd2d5a61b

SHA512
f637e645ae814b5455f0e8eb72094fd9e4c1ec747ce4339ec17bcc35f553eded5ee006738d0a11231885006afd542c42a7cb564b393c4043aaf011f9ef827e14

Download Submit
C:\Windows\SysWOW64\Jpaleglc.exe

Filesize
80KB

MD5
43956b1a5f16a5cc2a271b5a4e26457a

SHA1
2cc5ec3d07d05cee0534fafc3d7f117c9a7741af

SHA256
d0b1475f1016a2a5f4c742ce0c4e61fe956e13caa4874ccac196d715131372c1

SHA512
b0d6d63983755be83f0d63f944d6864df685c0671e3cfac9595ba150f0ec216bfd2c50a40412e7eb49aa9305de2e1ab2e4b8592fd2967c75d6a34930b050ba37

Download Submit
C:\Windows\SysWOW64\Kinefp32.exe

Filesize
45KB

MD5
360f8e43de4afb18ed82716666bec4e0

SHA1
809c64b7a53d4f2e55e8faf45130df8c7127deea

SHA256
4964b224e057d397dc76d2b5bd1cd49532b0248f13f50897761e6f8a6f2a9aaf

SHA512
6c4ba0f3e3cf20d97d549a0cc2431b2fe25ad4b7b84b8ebecf3e514fbb3c8653f85df21114072098542058fcc3f4aada03af92b2abaaac24882aac4a243ad5e2

Download Submit
C:\Windows\SysWOW64\Klceeejl.exe

Filesize
80KB

MD5
5dafd7170e2a47917308e5629972b6b0

SHA1
0ba0bfb9a2f76688c8094871eebe2f87b651a35d

SHA256
7763f90ced26f7f96a3c0f2e34ed80537164f1894ea5702dc59548c027957d2f

SHA512
d9867538c1c12701497bcd139df53c2aba74d4a9aad499ff640ce7a21a1beb0a86cb13d7a9213d114decc58c583a70e912e75b37a785f7b843a0bd2eeb7f3f32

Download Submit
C:\Windows\SysWOW64\Nmgjbg32.exe

Filesize
80KB

MD5
484a60da9d4281e90af9bb63b70435f3

SHA1
298a8c0008e56fa7550da4f19691c0b023c9c0bd

SHA256
baab9ad4f63c7d9028a6aef0a80e9d8485ab3d61a0885f4c427f5873471bb4e4

SHA512
4a67524bd2caf1d8af105eb248f0c9f945427787908ace1287b63fc59c3944d20fa0d866f789bf7e39a74f8e749bdc31fa8a7d4c2569421077d5d32caf3bb9b4

Download Submit
C:\Windows\SysWOW64\Pbfglg32.exe

Filesize
80KB

MD5
242b4e35ace2b9dc53c7ecb847891886

SHA1
e931c8377c4abd147979fe06868e040db73cf2a3

SHA256
31f5af2006cb10c1447082ab732e6411f065995812f844bb8648d21d0065fc25

SHA512
a6a1bd47ce4d92e286d75535eb38fe42e4e3d73a18f013e9978e5fb3d6d05478ad86e4590b4d5de4a7d4b5532aed4cbd4c3e4c05f7b9b404e2b807a845e1b7c4

Download Submit
C:\Windows\SysWOW64\Pplhhm32.exe

Filesize
80KB

MD5
67083c9c9da257ab8c334abbb7fac65b

SHA1
03e8f23c83b04783b9cbaa5d9494b8265ba901ed

SHA256
27359c2891a33ec0db1b4a3abbc3264fbe5d38ec97fa2bcd460eab272b1424a0

SHA512
8403403e120b4739b448df3b025f83c43cece86700661909322a8f62ba2a4c696e8dc01fc82774df7f4be822bd6e8a9f41b64c4ee601e4c6b48b199ff2a38314

Download Submit
memory/536-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/624-194-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/836-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/836-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/908-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1468-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1824-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1824-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1960-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2212-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2392-253-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2392-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3020-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3020-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3204-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3332-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3332-245-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3624-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3704-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3728-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3792-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4052-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4052-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4056-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4056-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4100-62-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4236-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4352-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-131-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4452-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4492-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4492-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4552-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-101-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4680-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4756-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4756-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4932-203-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads