d33d3ab2e295d5081196924e133ec404bd13aa7306eb5f4616747d6e05b9f94a

Analysis

max time kernel
92s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d33d3ab2e295d5081196924e133ec404bd13aa7306eb5f4616747d6e05b9f94a.exe
Size

80KB
MD5

53f9683c8263d6c44dd5cd4703b80909
SHA1

15d7f80ecfccefb76679f6b4a25d81ac50574707
SHA256

d33d3ab2e295d5081196924e133ec404bd13aa7306eb5f4616747d6e05b9f94a
SHA512

6b3eff75f10f265348969fe1a3e6635ee3df58a7125f293b46a6b8bc4dd963a93bb7499a2063e968c7a5aa3675ef3221d7f0f5a499bd011e8769317825f2fff3
SSDEEP

1536:KZEqbWj1Nu/bDm3CJRiiLUfSYgbIJEiCEHn+8PuZm2LIS5DUHRbPa9b6i+sIk:oEpYe3CJYiwfSJMvvJKIS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe

Executes dropped EXE 64 IoCs

pid	Process
4980	Ibjqcd32.exe
2984	Iffmccbi.exe
552	Iidipnal.exe
2644	Impepm32.exe
1488	Iakaql32.exe
2940	Icjmmg32.exe
4876	Ibmmhdhm.exe
780	Ijdeiaio.exe
4972	Imbaemhc.exe
2360	Ipqnahgf.exe
4724	Ibojncfj.exe
2028	Ijfboafl.exe
3432	Iapjlk32.exe
3096	Ipckgh32.exe
1912	Ifmcdblq.exe
1924	Ijhodq32.exe
1812	Imgkql32.exe
4216	Iabgaklg.exe
5064	Idacmfkj.exe
3932	Ifopiajn.exe
2604	Ijkljp32.exe
860	Imihfl32.exe
4240	Jaedgjjd.exe
1036	Jpgdbg32.exe
3672	Jdcpcf32.exe
1308	Jfaloa32.exe
4168	Jjmhppqd.exe
3172	Jmkdlkph.exe
2712	Jpjqhgol.exe
392	Jdemhe32.exe
2384	Jfdida32.exe
4356	Jmnaakne.exe
2756	Jplmmfmi.exe
1500	Jdhine32.exe
4976	Jfffjqdf.exe
1588	Jidbflcj.exe
4792	Jmpngk32.exe
244	Jpojcf32.exe
932	Jdjfcecp.exe
2948	Jfhbppbc.exe
1352	Jkdnpo32.exe
2696	Jmbklj32.exe
4892	Jangmibi.exe
4764	Jpaghf32.exe
4732	Jbocea32.exe
4716	Jfkoeppq.exe
2408	Jiikak32.exe
1848	Kaqcbi32.exe
4076	Kpccnefa.exe
5076	Kbapjafe.exe
3008	Kacphh32.exe
2264	Kdaldd32.exe
4264	Kgphpo32.exe
1164	Kkkdan32.exe
5116	Kmjqmi32.exe
4144	Kaemnhla.exe
4368	Kdcijcke.exe
5032	Kbfiep32.exe
2224	Kknafn32.exe
5000	Kmlnbi32.exe
2920	Kpjjod32.exe
1208	Kdffocib.exe
3556	Kcifkp32.exe
3868	Kkpnlm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	d33d3ab2e295d5081196924e133ec404bd13aa7306eb5f4616747d6e05b9f94a.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	d33d3ab2e295d5081196924e133ec404bd13aa7306eb5f4616747d6e05b9f94a.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Laalifad.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6076	5568	WerFault.exe	244

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 4980	3924	d33d3ab2e295d5081196924e133ec404bd13aa7306eb5f4616747d6e05b9f94a.exe	85
PID 3924 wrote to memory of 4980	3924	d33d3ab2e295d5081196924e133ec404bd13aa7306eb5f4616747d6e05b9f94a.exe	85
PID 3924 wrote to memory of 4980	3924	d33d3ab2e295d5081196924e133ec404bd13aa7306eb5f4616747d6e05b9f94a.exe	85
PID 4980 wrote to memory of 2984	4980	Ibjqcd32.exe	86
PID 4980 wrote to memory of 2984	4980	Ibjqcd32.exe	86
PID 4980 wrote to memory of 2984	4980	Ibjqcd32.exe	86
PID 2984 wrote to memory of 552	2984	Iffmccbi.exe	87
PID 2984 wrote to memory of 552	2984	Iffmccbi.exe	87
PID 2984 wrote to memory of 552	2984	Iffmccbi.exe	87
PID 552 wrote to memory of 2644	552	Iidipnal.exe	88
PID 552 wrote to memory of 2644	552	Iidipnal.exe	88
PID 552 wrote to memory of 2644	552	Iidipnal.exe	88
PID 2644 wrote to memory of 1488	2644	Impepm32.exe	89
PID 2644 wrote to memory of 1488	2644	Impepm32.exe	89
PID 2644 wrote to memory of 1488	2644	Impepm32.exe	89
PID 1488 wrote to memory of 2940	1488	Iakaql32.exe	90
PID 1488 wrote to memory of 2940	1488	Iakaql32.exe	90
PID 1488 wrote to memory of 2940	1488	Iakaql32.exe	90
PID 2940 wrote to memory of 4876	2940	Icjmmg32.exe	91
PID 2940 wrote to memory of 4876	2940	Icjmmg32.exe	91
PID 2940 wrote to memory of 4876	2940	Icjmmg32.exe	91
PID 4876 wrote to memory of 780	4876	Ibmmhdhm.exe	93
PID 4876 wrote to memory of 780	4876	Ibmmhdhm.exe	93
PID 4876 wrote to memory of 780	4876	Ibmmhdhm.exe	93
PID 780 wrote to memory of 4972	780	Ijdeiaio.exe	94
PID 780 wrote to memory of 4972	780	Ijdeiaio.exe	94
PID 780 wrote to memory of 4972	780	Ijdeiaio.exe	94
PID 4972 wrote to memory of 2360	4972	Imbaemhc.exe	95
PID 4972 wrote to memory of 2360	4972	Imbaemhc.exe	95
PID 4972 wrote to memory of 2360	4972	Imbaemhc.exe	95
PID 2360 wrote to memory of 4724	2360	Ipqnahgf.exe	96
PID 2360 wrote to memory of 4724	2360	Ipqnahgf.exe	96
PID 2360 wrote to memory of 4724	2360	Ipqnahgf.exe	96
PID 4724 wrote to memory of 2028	4724	Ibojncfj.exe	97
PID 4724 wrote to memory of 2028	4724	Ibojncfj.exe	97
PID 4724 wrote to memory of 2028	4724	Ibojncfj.exe	97
PID 2028 wrote to memory of 3432	2028	Ijfboafl.exe	98
PID 2028 wrote to memory of 3432	2028	Ijfboafl.exe	98
PID 2028 wrote to memory of 3432	2028	Ijfboafl.exe	98
PID 3432 wrote to memory of 3096	3432	Iapjlk32.exe	100
PID 3432 wrote to memory of 3096	3432	Iapjlk32.exe	100
PID 3432 wrote to memory of 3096	3432	Iapjlk32.exe	100
PID 3096 wrote to memory of 1912	3096	Ipckgh32.exe	101
PID 3096 wrote to memory of 1912	3096	Ipckgh32.exe	101
PID 3096 wrote to memory of 1912	3096	Ipckgh32.exe	101
PID 1912 wrote to memory of 1924	1912	Ifmcdblq.exe	102
PID 1912 wrote to memory of 1924	1912	Ifmcdblq.exe	102
PID 1912 wrote to memory of 1924	1912	Ifmcdblq.exe	102
PID 1924 wrote to memory of 1812	1924	Ijhodq32.exe	103
PID 1924 wrote to memory of 1812	1924	Ijhodq32.exe	103
PID 1924 wrote to memory of 1812	1924	Ijhodq32.exe	103
PID 1812 wrote to memory of 4216	1812	Imgkql32.exe	104
PID 1812 wrote to memory of 4216	1812	Imgkql32.exe	104
PID 1812 wrote to memory of 4216	1812	Imgkql32.exe	104
PID 4216 wrote to memory of 5064	4216	Iabgaklg.exe	105
PID 4216 wrote to memory of 5064	4216	Iabgaklg.exe	105
PID 4216 wrote to memory of 5064	4216	Iabgaklg.exe	105
PID 5064 wrote to memory of 3932	5064	Idacmfkj.exe	106
PID 5064 wrote to memory of 3932	5064	Idacmfkj.exe	106
PID 5064 wrote to memory of 3932	5064	Idacmfkj.exe	106
PID 3932 wrote to memory of 2604	3932	Ifopiajn.exe	107
PID 3932 wrote to memory of 2604	3932	Ifopiajn.exe	107
PID 3932 wrote to memory of 2604	3932	Ifopiajn.exe	107
PID 2604 wrote to memory of 860	2604	Ijkljp32.exe	108

C:\Users\Admin\AppData\Local\Temp\d33d3ab2e295d5081196924e133ec404bd13aa7306eb5f4616747d6e05b9f94a.exe
"C:\Users\Admin\AppData\Local\Temp\d33d3ab2e295d5081196924e133ec404bd13aa7306eb5f4616747d6e05b9f94a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\SysWOW64\Ibjqcd32.exe
  C:\Windows\system32\Ibjqcd32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\Iffmccbi.exe
    C:\Windows\system32\Iffmccbi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\Iidipnal.exe
      C:\Windows\system32\Iidipnal.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        25⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        33⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        34⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        36⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        39⤵
        Executes dropped EXE
        
        PID:244
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        49⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        50⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        51⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        53⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        56⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        60⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        61⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        63⤵
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        66⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        68⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        72⤵
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        73⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        74⤵
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4952
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        78⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        79⤵
        
        PID:712
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        80⤵
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5084
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        83⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        84⤵
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        85⤵
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        86⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2044
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        90⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        91⤵
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:452
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        93⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        95⤵
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        96⤵
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        99⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        100⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        107⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        108⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        109⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        113⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        115⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        116⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        117⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        118⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        120⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        121⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        124⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        128⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        131⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        134⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        135⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        138⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        139⤵
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        142⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        143⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        146⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        147⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        150⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        151⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        154⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        157⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 408
        158⤵
        Program crash
        
        PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5568 -ip 5568
1⤵
PID:5428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
80KB

MD5
1280957ef6dbb50d239d3cb7a56022d4

SHA1
7366fa6d3c18088e738de3cc2208beb459f13c79

SHA256
f5c2a72d2745a61afe028100c615d51d425536c4ed8bd03ddf3ba5c38d446e31

SHA512
843b4f7c3e829d650145c2c41e7b38a35b146e7fbb85b2553155f7141cdf6cbc384e640150d0a427c599392c2ca4803926cb57db8e72862cb10a18f266c1db7b

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
80KB

MD5
c66dc056bdb326f9b18178287a7c64e9

SHA1
eae0fc9aa8ae173130fa4e37133a97bd71aa1502

SHA256
c0161fd692a9174b0847587e70c988aaed1511b73c8d5d2e59d981900974994e

SHA512
f44338a17bf039dd8f4c1784b80a8cee31f1a37fce69a15166864380e4c10e366980b77be25d141b41f569aa71ffb4233095fe136d2eba00fec43f10bbe73437

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
80KB

MD5
1949663ea4c99223ce59abe5082b2ad9

SHA1
c34b2303d5b19138e429781208849bc5e1cab816

SHA256
12d3ec0fdf7bbbab3dbe9cbcad2ee0bc0a3bfe241af93232532e44e0d0c4697b

SHA512
18b0f7c13f7a10a80cc50484edf8e85d72c88224e10f269e6ab956712ed8ce21fbcf47834b95a51eed7c6a7b3b01333fde2b88ddfdc172003630d95f109a979b

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
80KB

MD5
c46d99ffabdcc304f7f9c15311a84589

SHA1
37451890fdae740975b3d6eb0bb1ccbc2f4900a2

SHA256
8d0ab1e6e32e01bcaea9c351fad041dd743eef874f31e310d2f36c1a30f65f57

SHA512
09325dcabe3927245a47c674a78b9175868d7be743f8c663d2c17ae6409afbf1c790f9b07d581f359de189ab91843c18385e74276a9b8f05da29ecb4929c18e8

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
80KB

MD5
78d44ed2bb8a61df0b162c5fcbba3c8e

SHA1
e5500a8fb40f753549904ba21a1d5b34e44f7610

SHA256
bdeef309649ce905fb7f00c13bc63cd4d0aa70c9c7368df3ccb67adf33d9c739

SHA512
b56dcb28780c25dd1fb7e25c3e7a6368d7ad2672f9e6563ee13a4b3428c48bb524b1971ef31160c56023c1ba876cf00dd602e10ce3433bda6cf2285f0767db65

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
80KB

MD5
3376e09eab52f8034c7f04b155154793

SHA1
1be6c361e344999623ccf4c707f66dea73f82253

SHA256
a269d6ba8d645f0c7c011c3caaa8a623fa1c599ec0d696028fa1bc1ecdd9de90

SHA512
f1fe0fbe80787f966b9a8d875e3ce625191f4057da290ff9ca9f3ffd9a2406f03785c890166e2e5e2778df1935ef960a82416f74c94689242084438f468391e1

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
80KB

MD5
94755f23ce945dcc998cf6f7efb852da

SHA1
c20851a5f9f2112353d6903ddf202e9018d69232

SHA256
59b656d584b01382fe1010594fa416cfd1b745fdb3cf5114bd29384605f35c57

SHA512
059c191f1557440b8c849f9b1f018265cd4516417d0c8639c5cfdb6dbe108b141e7215238ee04573dc55818cd8217d81eba5781c632c3dd229b8334cb1521ff9

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
80KB

MD5
da6a37b35ede208abad6283d99cacd36

SHA1
dd512abebca96c9d9858b162de79c16ecfa25f45

SHA256
34b81a60cdc6982fc462576dece8dfa56ae6fe2c9305df955711d4c2a5872930

SHA512
d1bedb8861ab4fb51cb14b8df4a6fc3faf61770310145e6982505d8ce544a0935926a9cfbcb1c5857afeda7142a1e481dbb5606509260c86e956263aa8f04eea

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
80KB

MD5
0601de12f07f5a3b8a87dfefa20c0bd3

SHA1
ed1763b27210a045574f783b2009d5e20515a735

SHA256
027e47d308536b7e354dbfda109800ebeb5333c2c98bc026e5b24316218bf225

SHA512
3b78df0a43d8b05b6e62f7e14ca39ead99d1552bc4c99b83a00fd62f559a5c7dfbdd26410004cf315436634d99dbfff7d849261384fd5d6624140028acd6de54

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
80KB

MD5
eb48bc6e0dcc19e97680a3294d7cb7eb

SHA1
fef8bc077b07f791da60a497ff3a7af0af74010d

SHA256
4bfd22f9aa81da953168b01877719b97e1219186ea9043de2c864eb375f0b1a5

SHA512
33ade0de39a0863c2fb5e3fabd324713ef2dc2631c0fa31863be3cb5d4ccc7fda6b560a42b2edc9b0aabc39444323f551d35b5123031780eb152e32349f82623

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
80KB

MD5
e464d06a7850ab0629382be504efd8e5

SHA1
320902c9a00621a17428f181772f00edf13b1973

SHA256
2198b63c269252a5725b93e915710559af40f1b6260ca306e2df054451d16424

SHA512
8e83b00da1a5b0f1b1d37a5884ddb13949199b32ba48d08ee723a7f375d93f5f68262485331a3ecf36acf8420bb5eac728c736df65d9b84c8851eb0099b23eb3

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
80KB

MD5
d91a984f0bb38e08156f34bc5b21db97

SHA1
1bc0a771c0e6960c49e829c98f5c4b7057286b7d

SHA256
c9d24811f35988e19a09b9da507acec611353188c3f2fbf8d2f890cd2462c388

SHA512
71edb20c1acbbe119d5647437c0bc841db11696d0ce9a4134080cd50b4af1c7745ed91c6af1f25361f0dbaab524ae508197a9112e9f1fbc7da23d2707f2f66ee

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
80KB

MD5
693c405adcdb54f047bda633fc8ae4c3

SHA1
3ff0f557279ffd5c6c379e082cabbf4a93b9cc66

SHA256
9a9cd5bc29ba7f6223d7411bb3aa0d91e7f987ed002532e2312a70402806c46c

SHA512
dbfce5eec7d8d39a609f17af4bee7ece88bec884475dd928412aea438434d880ace2b798345f32feae75743cc57bf97d1166ebeadfa1cb3db06645d981e76a7a

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
80KB

MD5
f7cba31fe01e3933c4a584576fb1c3c2

SHA1
cb27663caa1a7f54fcc845e1dd30807365ac0f9c

SHA256
2865faec9ae1940e188beab38484dab392eda575af1e27d235752f393088ea1c

SHA512
0fb6ebffee3ef9da62b3b43e60f57de71f7c22c285c4b6587952bb45f8e951dc3d87ae79840ecd958b6d4ad075e12a3e3adb12dba4699d07a743529fff7e3e4d

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
80KB

MD5
7cd2f683d7351da25306cc189e3dc35c

SHA1
ddad4ae3576f19c896babe671957b1885ebe2ed1

SHA256
bdfe7a4728b53a751ed207fb73d97a928e15b9256beb2c420d278bf7f37e7e74

SHA512
508869e34dc6a1efe7e6af782ab4db2540c6e11eee79721619f3958c87f2509cadec580a3dbd04b2700b774676a5f9b7a3a7bcf04604e375340fc13dc55be05f

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
80KB

MD5
1838ce24d57da6312d5ac1b6a1fb3cb0

SHA1
3ddf495d981450977b0c23bae7004cf46c2a8f15

SHA256
56b856c54490479cf8156cc6354c1f257138c8ada00d7c61ecac70a65824408e

SHA512
f374e4c9acadafe1122df8fe11fa969f44001a61fbf32169768d554f390f928dba1617c7be0d0a694e044b7d55d7e9d650baae802dd214e20f237bff9c680009

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
80KB

MD5
74f8a0a7e5e05d903701edafa2939a9b

SHA1
e40c64a7e6ba27a19bae4b224eae60b4d10bd490

SHA256
97d982c7b2c86795b4b707bf57255e936e011478eb7b8314ed6a0feca61cdfb6

SHA512
570084e9374c79da8528ac647fdff50bcc1c5b2a86a09c3c73af423ec7deafe796a157480ba7efbd8e4a4edf0f6f52ae185d858f49ce09102366760923fb10f0

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
80KB

MD5
6c326d5fea7b3b1d5f1d3c983d14d3a3

SHA1
b3668e8fad5c0229ba63a9b22309bc737ffab38f

SHA256
7867db1040da4263ac6d814ee3a5946c1a1a621be7aaad9c73645cfae877fe6b

SHA512
e45ea76b93c378a591a5dafedae2484a3ddad41512971b4425ba3c3ce9037960f2d182876cbb168708b95b872393b82d4bb71ea1c7d0a8585aab3bb8c1dd2986

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
80KB

MD5
7dc11749343f187573d164c02fcd6f7e

SHA1
0cb03a271f15c210cb10628e8a49056f4444d39c

SHA256
3219c1bf171b4b9b7526d17a93732b22d16606ff2198966f663e2db31282eb74

SHA512
080206994bb25be6c431630e801768d33a213d11d45bfb5f7243421df9c403f96f1cc4354ddebfa81ec820c57c4b9ec7536b157eb770c44a027657ffc733efdb

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
80KB

MD5
8a8e72690f5fc7ea7ff69bab9e3b6c81

SHA1
7c70848d70f59546dfff3faceb53af63640aeb95

SHA256
fd2d32c4399ffe5b29e44ddba6334378dfa3bbd1afbfeba1ec23da54fa8d85ee

SHA512
7e3f27b46360be999a97d022fd411b1fb5ef44def67d0698f278b76ba42f931c374047be560bdbafd9ff18710743a81fbb6f1fd5211898adbf67e8400f2d4805

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
80KB

MD5
0d523140cf1adadbb06fff5975595da0

SHA1
d61854b9b5585df02453d7154fff09714c08d500

SHA256
9ed01a200c855045941208078bc38340d075432d15167240884a1202d960b4e2

SHA512
41000ae97bc588bc7dca9bc02f1034d64b33a222c67977e27bfcd2b9be0c86bf1ed4b2dd9497ed319f7f0be283cdfa6b5230ef68a1c3761b858313e1bbf6a05b

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
80KB

MD5
09cfce512373d746faf54878e5e260f9

SHA1
b955682b22255d3087ab75d2b639e35bfddef7bd

SHA256
be759e84fccdcac9342a922c978385d5097e856bf686c2a8ababd744235dfdf3

SHA512
f6b4b133307c1eab37af00d9ccf02b96e0c08b8dccdac1cee740c51066056547104ed76033a32005d252302475b9533d66d0f273e9aba50f45983069022d8968

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
80KB

MD5
d725173cc7829db9f980bdc8fb2993a0

SHA1
f92f11857a52f59fe3c45269416d4f1823a77f47

SHA256
38014821c6213fca043f69c58cbf7507aebadf1cc1569d3a22c26e477879c2fc

SHA512
a01b7c53cfc63e946c4f56c9f717e92520a7a835ff09d17c2696aedd5d0826c0bad520c4efaeebb2eded1507f30db89733aaee2d819769a210b2431af2db3377

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
80KB

MD5
ff81f64e8083b568c2a94ddd4dfaaf07

SHA1
69e18c9a62df17485cef3500a054b5a193403246

SHA256
6655a83337cdf3174a34b410978ecb167037e9697b6a95ee895d7e18fc331e97

SHA512
f5efadb6826ae106c331637cd4fed3dec9125fe1ba178a68279ff07784934861dcfe0fa6bb2f72e0cf65846d4f4c2e6b89f55c2535da1de3131ab552dff15996

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
80KB

MD5
3e3161842d104593cc2a0e6de53e5986

SHA1
6bc3992ed85f00fb21ddf67d54b5e3ac47454402

SHA256
310bb31d0fdf668e724511aa757f947a9daf6fefec16bb22c31f9392c51b3f84

SHA512
c8a35ca93a22da80be7139f46b02e135666bc2c1be151e6ff73d241327430717ef9afe5a1cca72201a436965f323dcdfaf41c1620f7204396959c5fcca9545d4

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
80KB

MD5
82e43c9fcb019a34c8167c83200bbd8f

SHA1
a6ad17db9216d29e14316daf2c6a8c0369c5d62d

SHA256
42a5c5f47ee51ccf999a0a3736e3bdcc7e439ac5e61a9394773a0e39d0aced1d

SHA512
e3b356030f5ff4f9876ea1604641462b5236a727531e554782b85d082eae88abf50346762f61d70cb64e51da84c75d5940c78116b02234a3388ff0874ddab38e

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
80KB

MD5
ac6b3c5104ca3b54ce939de67711f22f

SHA1
0e07a403ebc41e7ad233048bd86cdb13740dcd33

SHA256
1a241c544bbf4a30b8cf564192169f2f4a32722d1e25ec4663d2aca683f93b7e

SHA512
6edac7745a2de3e1c5926c7500c37a3561a0807282176ad849c19969eaefe41e47637f372d69c5309f4903a915b756d384823524f77bae95ada0cb109ff26e17

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
80KB

MD5
769880b949e28c8450a1a069a4244c14

SHA1
c5c3888283292015a90b3a3a3fc3d48ce971ae3c

SHA256
ac596ca8d2d59b4e94f3dcb854f41af736ba34157c5f685d801bf039b6cbb98f

SHA512
93ec576ff32844c984f2ab76268f12af43e65096f50ae9ee1c51e6eea674d771d12fa399af189ac3ad3e78a77734608f452bbfca6b00954311110b73490ce2be

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
64KB

MD5
40ca53780462433a690d87ae34d806c5

SHA1
915cdbf9c0c39eb3ad6e0939c8811977f1ef1355

SHA256
c4a9c017225b42d58292b68be314fbef4f176301103ee0f23d24727ba22e3d2b

SHA512
ab8ffc161e21ca9320131244739d69b99ff7f542acc37107065d5413b4d85f25838376a096fd77637e2fc1e791dc72f829c9edd656283061c0d1ec030b366ab3

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
80KB

MD5
d5e94ffc4f5cee68993a94eb886ca4dc

SHA1
af739568f50679b2b87c8780c38ee44111ed13e3

SHA256
233f3167b1d7fcb106740c85e064f1444763e51f8ba0fa1f4e778b3e166277e4

SHA512
ac89e11c9dd610649b7c12367b09641faeaf95589ae73659d56d4c42754a456fa5b11327efb9202742f5e52c42c23d249c778122f7e6905971d1b011b6464afc

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
80KB

MD5
40719a4826228e46d8640ffa4ca07bd0

SHA1
bb95b30ad242f94ac7e9e9c8ae63d4b23badc97e

SHA256
f4e0b0636276d3dd6d4c8bb09cab980bdfc91704b0a2b41968bae8df5321b84a

SHA512
1114165b1ea5ec996658a31ae602e77971641f0cd26dfeb649d03d3d6d04ffaf76314ca5236464defe1676319bab3a4d070275c4a309acb404bb42ccc5785c2f

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
80KB

MD5
04cff3af6ebeb96af569c4110b41f576

SHA1
5be527a71aeb77ec6b769784b1f7dd88d933b409

SHA256
e135aa823ee5d498c7e8eb9540785a28d5ea06a85c218d27786772e109e0c040

SHA512
4797cb2cb682d954f0999488663429a43ed2c44044a0cf509ddf4d0f67b20f124301252e2b5e4101ee215c7bb4bc53c99ce554e6f94a2ff45a392393f40b782d

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
80KB

MD5
6460d505ab6b3b0643b9ffed38231c89

SHA1
5d7850785866617891240291522f4b883e0edc2b

SHA256
637004e7354796ec0074ee3828e5d62151493b7ea36bc37d1f34ef84b6048798

SHA512
1d66f5c80f3ba8fca057b0f79e50ef1e87f191ec1f671fec1128778fa1d35b48cf51881568d6c0e5f3bdc6c3ed46f20d9ba98e4285b80bb7640250de2a7ae924

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
80KB

MD5
d26dd2e2ff38f2ed2820714803c68555

SHA1
5e651184776ff27c0dc717164581cbc995e37b30

SHA256
cc2ab48a073a16be09b5e80a705d10af0a24185d864d01dd16e2ea87869022f2

SHA512
cbaced73d223c050dc5fc25ff73446d04c89ddfd654de768272c6d7e06ea33877f49f0792d37dcfeb5674c493f3e498481b7f5080ddbb98513772260dcb4b99d

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
80KB

MD5
4ec98faa3d457c07be393d5b96c20c60

SHA1
e13eea928d32ee375feee28d1aed1dce0e09c859

SHA256
abcedd2b8b44e1ed757e5d51da5f8023892394e24475a182477a1ee973bfd8e6

SHA512
dfcc16235a7a61554536e9966ae8dc87e486a9848337618933b5c66dd0f740a8a6348fb8de4d556043765e46be4c3703dab4b33e2379d464723143a080ff8331

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
80KB

MD5
a58a8546a8f7416e10c903541d4d4462

SHA1
6287df965eb33c412db533134adb8cb96813b0a4

SHA256
3d9257cd879bdd322c658d0309c4bbc483b5143c08ec9a67738f88ad83e574f4

SHA512
5f6672147bfc0181ffb88bf295aa3b80ad691bb22c786d4cbb52a95b5b93a2ca9f531c9adeeb07fb2ded08089c7d3649fd5fb707957719d56d7ee2c63e3b20b0

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
80KB

MD5
f20192e7456175507cae953ec69432dd

SHA1
4e1fda57849ebdebb212132cde70e2a70bdce896

SHA256
84176829577321628860c40a5b606f409aa767a0f6d1f7f2d4c56e2c01745ad7

SHA512
6ba951e4887c507b7c65934e14e98ebc1e46de119eeda5a625d8ef033adeb457fe5799bdc8db488d0304a8fa5434f1b533b70d0375b601747aa8cdbe6a2406d8

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
64KB

MD5
a1696c06c8694a6d895677893b26d207

SHA1
ecba7e1a3a0255e53f83a5bb8d471f77b55d1530

SHA256
e2ee7979e03ff73a9fc1b51b12844304965ecc7dba6ec9748547a93c3b736261

SHA512
68474c2c1d9ad529d6b493678c814c0d6410fcbb208801685ab5a9d07fd7e9d6c90adca046f0d12d2bf89dd1bc036018ac3985ccd496dcf5880994368543399e

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
80KB

MD5
08bda79d892e53c8f131f3ddec4bfbe5

SHA1
0184fa6835d932ad3d9fedafd036b46aa7441683

SHA256
ed050d49f30c6de4cf51ae5a3a15b645d7bc5aba45298351b39836698579cb40

SHA512
001f549750477abda45c3ccb4bb2e00d423901dc14065bb9a6c6ac7a2a00700fc8a92499f11f16d6cf64bb9e600f47d3558279f392aa0413f59842857c446bc3

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
80KB

MD5
49d5977fba2face73e96eaf4b6cfe434

SHA1
5db49096018823702ebea9478293fd0e77a81b78

SHA256
de150ab590419def1c2c17cf4f31dd58a644bd7ecbcd06670e2046ccfcffe277

SHA512
4c5462e34e24fd8a9566badae355ead28ea51825cc1c720079645159949ffacecdf7d0da3cd67c4a3a1d3c5f7521481080ac47736b3fc626a1c13670736f602a

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
80KB

MD5
b5dc321e736841e4c44e28c1f7db8e4a

SHA1
57f3911e5e9c5ce27835e181df08a29b60c918a9

SHA256
4988b14cb7d7b1e1526c0ebf675249c90b28c98e8e17d004219f1677c7007ad1

SHA512
da6a790ad31a65322866de61bda7e393be93829b9b2333ec00f3eb1c866f817dc26123a52fc388532c48557730f8a068da8633f2e47e7ff19c0630fb082f1b8d

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
80KB

MD5
0cbaaf7b0848d211a6fb9f91f9807a37

SHA1
78a12cd7698bb0c4df8968712715134485ed7ef9

SHA256
f383c3819135f08c02b8e64815c6d29d002c1e118d9949d32032ca1511a6d47d

SHA512
dacacd0353435add69bad00980cd012c2f4e2c447c3a7803b13ead0bc44d8d99b4d4b5902a49f018fefbffc8c985f5608e43c8063fd0d48d7720ab8a606fd606

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
80KB

MD5
395410e17d3c8146936a91568824f689

SHA1
6b804fe785f800fd4054d18ca4ede8e791365031

SHA256
32c7f1edae8af8c696dd0873a678381952b5675fab50750a3d775db490c17c16

SHA512
f4ea70e1a1d29d826bc11eb6a26c9508f8bafafc88b31ca081e72c5fb20c6b08670c909389fd715456019c3e26e496e7f17da005a0f164a8aba880b563bd0ba3

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
80KB

MD5
f7f6f059123fb68b9d0076df1c6ab72e

SHA1
4d7ffd620af4b0591392cebcf811a7cd118e88e9

SHA256
1187e1cda81afbb496673a6a2f66cf7d764b362e6bf53881213d1e4fcdafa8ae

SHA512
74693a070155870131b93093bbbf987bc76d33e113926e1582b2d72c442330fc5f04c98851134e5682682eeb1f12f9cd437ca6b68cc22c5c78f02fb456b7b5a1

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
80KB

MD5
55815743a3118c656b1130f66154b5b6

SHA1
b4103fc7517bb662200f19565df6902653f64b88

SHA256
a8987a591f7731d3449ba38e3b1aadd36d4bdf4b6e643169759e2874c201b4a1

SHA512
64a110b38d5f1ad51d2e2a8ee3a1062f4130fd9d7d0b98d602fb894ad8f427f8117313738cce5de79f4da2b986fdad0111e8259c17b00e7e17e53002cf959015

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
80KB

MD5
da5908763d0f91b7dd37f9e0e166c71a

SHA1
abc0c89fcefe35758f1ed9fd154ded4713e375ea

SHA256
3478a1b8643df34dc1a1c635f0b44a8b8868401daa7650508824a2ade894ad5b

SHA512
590ad4de07ce02cf278123110ddbc19aa922e19fde9d07233d95a5409053790e2575214a5b30d4e466826a812d8f08701af9ebc2fb9feb15e07bb42440a2c8e6

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
80KB

MD5
12c2f90a2ea69c19b81b121e0b460d8d

SHA1
e9f17d583077cf419f125440d4b985fe44eb368a

SHA256
99d1fbe3148ded828721f78dbda07d35fb1b34dc3120f5363d650c635013ef39

SHA512
2131d0b62a890b2a4dd55f9b84d42db96538afd0d15d1ef8995998cd6ef15356e442de8d3c6acd7dc1ba6f2d1bf5e4fdc10cca43c1187b1809be3201626e8380

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
80KB

MD5
da3b20e7e150ceadafdbfee8f15a7c34

SHA1
81065affc18c1f21c487ce0fe600add3d069b9cd

SHA256
a85cc70a15769d2c99d72e687cedba6bd205e796d4bcad95d2914893c21fa50e

SHA512
9a222e2b2caedc677fa0ad18251901e701b4577056e2f26d681692f0e4daf13e8968220d3e6cadd27b38b39cf573ffc824925ff0af0c1749ce83c748dc84c6c4

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
80KB

MD5
86150f1c9125a5843d1d74bbd4ff42ac

SHA1
e71712274f46b25758cf4f078bb039704103c4b5

SHA256
19f8d574af74132791298ddbc247107e1d2ffe18aa14db9b6a546936c1e95f42

SHA512
8adc5fd53179b2fd2479b0bffdb655d99313e24c866ce76578ec7f28f969136f67728a296077e5ed0df135d5d9241ed2a0ddb576ba8be51adfc49e9e9aa2951a

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
80KB

MD5
d37fbedb5068acc4f7ed7bd4800b6ce2

SHA1
dc78ec24c7743a98f0fed3e086d49b19ae83877a

SHA256
27acf6f7938d018581175a60649b45c72695e8f86563af1b003b1dae67e0b652

SHA512
a6c193c4f86d3192af5d84abfad5a723337f8ac13d84e6c70ea54d826a031df2f72144f9ea79ab6fa8fb46d5900e4677073f0959b35a73014bc309518a10a3f5

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
80KB

MD5
ad050b69cb3b54f55eb3b54b3afc029b

SHA1
ca8d864277299da66cc2e580ff0ac185ca72e9e9

SHA256
73ea41334d69ec074a682fabb4718c1ae254ffc19d4e48d66a1a3921eb87a66b

SHA512
21bde5d563982199142cac05268bf4aa900e669b3b417b893193bc094ff8f979758c7ed55da287f7009519f04a8c14d7b0b86905b4928b25b7f905f99febf6b3

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
80KB

MD5
81d56f786fb310d30a17971938b6285f

SHA1
ac52342010fb282e7e7f3c9de1258e4b763ab454

SHA256
da1bd291d000639cc8df7710eae4955babc5e1bea1980ec26c2182d3ba17a90e

SHA512
d9e0d76195e0ace446c25747ac57d0987d34fa8d3ca4ad5bf16e5833a0c6b308c78465b21c6c223d8376dab38a61c96c9f0e2d125099a4fa5729fa925bf483c2

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
ecf392813b9d3fb89904fd0875a12e50

SHA1
bb3426755fe639dc2de455c1d36a7120546e0f05

SHA256
de79aab8b9e257db11bf3694c36ae7b2173985fa9367b988b5cf568aea8efb60

SHA512
2568d9adb94919a8ccb38d0908636a1e2dfdee3544c213ae04a9f8fbd0e6ec0c8b1f3e55a0a3efc4c1febace9cd0501224fab570e3c59a5e82ef330d7506657d

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
80KB

MD5
066e2af0ff1311b6cd9682e0b5876033

SHA1
7755150f98bbf33cd9cd6ef060275933a31bf566

SHA256
30b3ad4997f799b7ae21d7202ee9fdf66bc3571577e7c33a4ee756bd8c80d980

SHA512
2d2b1d0d8b3acce2a1706c25556f99169edcbbcb5b844d54c185d5d7aa17beb42edbc0b37b2eb7f2554347a9124bee3c3efea7d7bb368e600afb56f18cde52c8

Download Submit
memory/244-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/392-245-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/552-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/780-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/860-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/932-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1036-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1164-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1208-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1308-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1352-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1500-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1812-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-357-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1912-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2384-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2408-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2712-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2940-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2984-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3096-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3172-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3432-110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3672-205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3924-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3924-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3932-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4076-363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4144-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4168-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4216-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4240-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4356-261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4368-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4716-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4732-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4792-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4976-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5032-417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-369-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads