14fc25123e61ad2ffbca05f02b9dda6d865c0432d038455843f436cd834c7437

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

550b5979b07485207e49395aca5cdf62.exe
Size

108KB
MD5

550b5979b07485207e49395aca5cdf62
SHA1

7d0ba4ce3f3a18bb2a95458687caf96dffb2c75e
SHA256

14fc25123e61ad2ffbca05f02b9dda6d865c0432d038455843f436cd834c7437
SHA512

849500ec962ac8001da81afa12e12692a124b1f1a37562327a30aac9f74e37131044fcd6eeb8fce02bf7f3d1dcb5546f94efbd5a08e2b3fb2bb97c108b93604c
SSDEEP

1536:dth8/Yqk25walPtJLkKhPr8zOLtVbFcFmKcUsvKwF:dthyfhYgTjhVbFcFmKcUsvKwF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	550b5979b07485207e49395aca5cdf62.exe

Executes dropped EXE 64 IoCs

pid	Process
3784	Iikopmkd.exe
4060	Iabgaklg.exe
5116	Ipegmg32.exe
464	Ibccic32.exe
456	Ifopiajn.exe
952	Iinlemia.exe
1196	Jaedgjjd.exe
3728	Jbfpobpb.exe
4196	Jfaloa32.exe
5012	Jiphkm32.exe
2680	Jagqlj32.exe
2824	Jbhmdbnp.exe
1012	Jfdida32.exe
4124	Jibeql32.exe
4136	Jplmmfmi.exe
3888	Jdhine32.exe
3200	Jfffjqdf.exe
116	Jidbflcj.exe
2116	Jpojcf32.exe
4436	Jdjfcecp.exe
4132	Jkdnpo32.exe
4524	Jmbklj32.exe
3208	Jdmcidam.exe
4128	Jfkoeppq.exe
4092	Kmegbjgn.exe
4296	Kaqcbi32.exe
4876	Kdopod32.exe
3868	Kgmlkp32.exe
3584	Kilhgk32.exe
3904	Kpepcedo.exe
2668	Kdaldd32.exe
1204	Kkkdan32.exe
3076	Kmjqmi32.exe
1440	Kphmie32.exe
636	Kgbefoji.exe
4360	Kipabjil.exe
1412	Kagichjo.exe
3312	Kcifkp32.exe
4944	Kgdbkohf.exe
1572	Kibnhjgj.exe
2264	Kajfig32.exe
4804	Kdhbec32.exe
924	Kgfoan32.exe
5064	Kkbkamnl.exe
1084	Lmqgnhmp.exe
3332	Lpocjdld.exe
1460	Lcmofolg.exe
1356	Lgikfn32.exe
2776	Liggbi32.exe
3416	Lmccchkn.exe
3792	Lpappc32.exe
4328	Ldmlpbbj.exe
2096	Lcpllo32.exe
2584	Lkgdml32.exe
1368	Lijdhiaa.exe
1488	Lnepih32.exe
4200	Lpcmec32.exe
4056	Lcbiao32.exe
3040	Lgneampk.exe
3464	Lilanioo.exe
4392	Laciofpa.exe
4072	Lpfijcfl.exe
1068	Lcdegnep.exe
4768	Lgpagm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jpojcf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5768	5680	WerFault.exe	204

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 3784	1548	550b5979b07485207e49395aca5cdf62.exe	85
PID 1548 wrote to memory of 3784	1548	550b5979b07485207e49395aca5cdf62.exe	85
PID 1548 wrote to memory of 3784	1548	550b5979b07485207e49395aca5cdf62.exe	85
PID 3784 wrote to memory of 4060	3784	Iikopmkd.exe	86
PID 3784 wrote to memory of 4060	3784	Iikopmkd.exe	86
PID 3784 wrote to memory of 4060	3784	Iikopmkd.exe	86
PID 4060 wrote to memory of 5116	4060	Iabgaklg.exe	87
PID 4060 wrote to memory of 5116	4060	Iabgaklg.exe	87
PID 4060 wrote to memory of 5116	4060	Iabgaklg.exe	87
PID 5116 wrote to memory of 464	5116	Ipegmg32.exe	88
PID 5116 wrote to memory of 464	5116	Ipegmg32.exe	88
PID 5116 wrote to memory of 464	5116	Ipegmg32.exe	88
PID 464 wrote to memory of 456	464	Ibccic32.exe	89
PID 464 wrote to memory of 456	464	Ibccic32.exe	89
PID 464 wrote to memory of 456	464	Ibccic32.exe	89
PID 456 wrote to memory of 952	456	Ifopiajn.exe	90
PID 456 wrote to memory of 952	456	Ifopiajn.exe	90
PID 456 wrote to memory of 952	456	Ifopiajn.exe	90
PID 952 wrote to memory of 1196	952	Iinlemia.exe	91
PID 952 wrote to memory of 1196	952	Iinlemia.exe	91
PID 952 wrote to memory of 1196	952	Iinlemia.exe	91
PID 1196 wrote to memory of 3728	1196	Jaedgjjd.exe	92
PID 1196 wrote to memory of 3728	1196	Jaedgjjd.exe	92
PID 1196 wrote to memory of 3728	1196	Jaedgjjd.exe	92
PID 3728 wrote to memory of 4196	3728	Jbfpobpb.exe	93
PID 3728 wrote to memory of 4196	3728	Jbfpobpb.exe	93
PID 3728 wrote to memory of 4196	3728	Jbfpobpb.exe	93
PID 4196 wrote to memory of 5012	4196	Jfaloa32.exe	94
PID 4196 wrote to memory of 5012	4196	Jfaloa32.exe	94
PID 4196 wrote to memory of 5012	4196	Jfaloa32.exe	94
PID 5012 wrote to memory of 2680	5012	Jiphkm32.exe	95
PID 5012 wrote to memory of 2680	5012	Jiphkm32.exe	95
PID 5012 wrote to memory of 2680	5012	Jiphkm32.exe	95
PID 2680 wrote to memory of 2824	2680	Jagqlj32.exe	96
PID 2680 wrote to memory of 2824	2680	Jagqlj32.exe	96
PID 2680 wrote to memory of 2824	2680	Jagqlj32.exe	96
PID 2824 wrote to memory of 1012	2824	Jbhmdbnp.exe	97
PID 2824 wrote to memory of 1012	2824	Jbhmdbnp.exe	97
PID 2824 wrote to memory of 1012	2824	Jbhmdbnp.exe	97
PID 1012 wrote to memory of 4124	1012	Jfdida32.exe	98
PID 1012 wrote to memory of 4124	1012	Jfdida32.exe	98
PID 1012 wrote to memory of 4124	1012	Jfdida32.exe	98
PID 4124 wrote to memory of 4136	4124	Jibeql32.exe	99
PID 4124 wrote to memory of 4136	4124	Jibeql32.exe	99
PID 4124 wrote to memory of 4136	4124	Jibeql32.exe	99
PID 4136 wrote to memory of 3888	4136	Jplmmfmi.exe	100
PID 4136 wrote to memory of 3888	4136	Jplmmfmi.exe	100
PID 4136 wrote to memory of 3888	4136	Jplmmfmi.exe	100
PID 3888 wrote to memory of 3200	3888	Jdhine32.exe	101
PID 3888 wrote to memory of 3200	3888	Jdhine32.exe	101
PID 3888 wrote to memory of 3200	3888	Jdhine32.exe	101
PID 3200 wrote to memory of 116	3200	Jfffjqdf.exe	102
PID 3200 wrote to memory of 116	3200	Jfffjqdf.exe	102
PID 3200 wrote to memory of 116	3200	Jfffjqdf.exe	102
PID 116 wrote to memory of 2116	116	Jidbflcj.exe	103
PID 116 wrote to memory of 2116	116	Jidbflcj.exe	103
PID 116 wrote to memory of 2116	116	Jidbflcj.exe	103
PID 2116 wrote to memory of 4436	2116	Jpojcf32.exe	104
PID 2116 wrote to memory of 4436	2116	Jpojcf32.exe	104
PID 2116 wrote to memory of 4436	2116	Jpojcf32.exe	104
PID 4436 wrote to memory of 4132	4436	Jdjfcecp.exe	105
PID 4436 wrote to memory of 4132	4436	Jdjfcecp.exe	105
PID 4436 wrote to memory of 4132	4436	Jdjfcecp.exe	105
PID 4132 wrote to memory of 4524	4132	Jkdnpo32.exe	106

C:\Users\Admin\AppData\Local\Temp\550b5979b07485207e49395aca5cdf62.exe
"C:\Users\Admin\AppData\Local\Temp\550b5979b07485207e49395aca5cdf62.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\Iikopmkd.exe
  C:\Windows\system32\Iikopmkd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\SysWOW64\Iabgaklg.exe
    C:\Windows\system32\Iabgaklg.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\SysWOW64\Ipegmg32.exe
      C:\Windows\system32\Ipegmg32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
      - C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        28⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        30⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        47⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        66⤵
        
        PID:440
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4884
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        69⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        70⤵
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4268
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        73⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        74⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3372
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        77⤵
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2736
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        81⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        82⤵
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        84⤵
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        86⤵
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        88⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        89⤵
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1496
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        93⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        96⤵
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3020
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        98⤵
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3236
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        102⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        104⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4240
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        106⤵
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        107⤵
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        108⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        109⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        110⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        112⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        113⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        114⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        118⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        119⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        121⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 420
        122⤵
        Program crash
        
        PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 5680 -ip 5680
1⤵
PID:5744

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe d8d2f115aa0109e0d41a092f8196941e AqXzX0t4h0CLAEAZVRMLfQ.0.1.0.0.0
1⤵
PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
108KB

MD5
5e390fd6e52791ff192cdd6d07d27609

SHA1
3d1c03517380bff5e7c1c2d63201520cf6ed4fc2

SHA256
2ac95b24cf1180efd9bd0f5a41c857dd9ee958c5687b6f0c17ef0ab022bab2de

SHA512
c388ccd7d6d1936b35f937594961c15395539b9ac2064307dce269d12e268d266d3b286a4b3ad27af98f031187c49e1bf65426bbbf1b6e7dc0ef534fc7db7bd6

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
108KB

MD5
3c1dc5eb35d216b61072d0e40fb6ac85

SHA1
fb82a48718889419ed70416f23922948444457c1

SHA256
8d2876dbfbc861f3e396785e6e14bd44775bf326310d8c2ff470764fa3d50773

SHA512
055a6fb4696965a72bd69e46fb2edff0dc2faae1df9b04cc60c32069a59860a86bbfeca491338af512f01dbee67cdfc2e92910e61a751774af7bab5fb2b80d90

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
108KB

MD5
abd12841dc2f823ff955c5256848ee09

SHA1
e0613b748b40319cd70beb2c0174f0950bc2dc6b

SHA256
3c99f846aec6031d54d8be64c7568879ac684f11adf9e6e8a89f131ca04f25d0

SHA512
4747ec5cf37aecc66110444b5ee13897ed08d5637fe684cca68fadca1fd0c482cd1d272ea98901cec65eb96e6209297d634c06ee7d80eef7498266035ac20a03

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
108KB

MD5
cfb9427ff9316cd770e0a239c561d6a5

SHA1
fcc9cc86482835d216163be9f8861af864f36a2a

SHA256
413bef2aaee2dd4aa449ebb27d9eca53260f039c77f91786ff2526aca86bb15b

SHA512
8b598750eb2fe8c810bb285c7722063db6af3aa5e05cea1d54166879f34563fe3aa155d681a319d586eb5c82a876828ecf606695852341b148478e9d01193062

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
108KB

MD5
bb7a70529f8f1d4e5c524a0623e21b82

SHA1
5748bbe98e88668f8cd264c54685ae881933dd7e

SHA256
4f3dfc2c39db3160cfeba71e5ec99057893428cb36ae9483bdb965ee6cf7f535

SHA512
8c9b78df5147625ed1efa5501ccb511c0108c8dd89787815b304ef6071f5c488de468b0b836f7644e87654c9f41c30650cf1a8020b2c38e6de2d384fd7bc63b2

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
108KB

MD5
cf7c4f10af4b6ad24f17a8b80d7493ba

SHA1
d7c716434e631a8074e60ff461b79f2f509bf40c

SHA256
1590da6f6411c1778975e5e95f7a3b80ddf8253fa41260692a8922902a46994e

SHA512
41e926b81b3154b4d5599c02ce56722441c150f83affd41c6121eed6bf38f378026c3f9dadbe51c10026a58c078929a39d063e180be1a22033c0a285592bcc7f

Download Submit
C:\Windows\SysWOW64\Ipmack32.dll

Filesize
7KB

MD5
f076ba8ea4002beb89c90409489b0ebf

SHA1
144cd6b2393d2960b270e0849362cf3c0855c78e

SHA256
61122986b1dbfb657ebef9a2f139f59da6189683f0304186f536a7b7ccbebf48

SHA512
5a14ae550f146e16328be9b60627157ac4cadf60c2a7ae6a22e80489d731c1d81feb099f6e0c3d499b23de94998517216866fa6d7af6560ba73b28879447e791

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
108KB

MD5
6953f73a2dc6b6d88e2c445fd93fb753

SHA1
66f264fa93374aaaa54c5f28cea53e0f0e530c59

SHA256
4687648e13cb4cb24795644ddf5f55876c00dd0cb6ad9223c0baeb6a7f54cee0

SHA512
415fa43e4b2dd32839770344d9b2e732d68a390422cc91f32864d484839db51d838d0f30c538c5a876eda344fdc6d2098b328b69e98f709a88f7a221ff0548f6

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
108KB

MD5
85985a9bb913e7c8ae5ebf8784154063

SHA1
930dfc785dd39d6b2e613d0c2227b729577bd3dc

SHA256
8d90751de774c40922ba69b91269de72034cb729ea411f9b02b6266450b22850

SHA512
cb0eb487848d05bca736e07e97da2c04554e773bf3fcb40cb1c8c54e4a02d24450a6464c489f314771278497f2445169783f23a21d4f0324908517e0f3b2f69f

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
108KB

MD5
0100549c0caf5828668a320edf77cced

SHA1
cd489d249ef095982e9eb4cda8906f19bbf1f325

SHA256
290ef831f3378f4e4a9550fac95137fe3bcff8f17953cf3fa54e1fa953f93594

SHA512
282a95b16475917b0593c4928ef952a050165d2acb3c8ddb4a7ac22c16eb9b25d4a88efa163ae9cb6b755fbdc7aa788cbf26911337b7fcd471ca95b0a7e067d1

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
108KB

MD5
78c99a3dd29f705fe3f89c0cbe61b64b

SHA1
b12ef3c6a38f26ad7d4071f53af2a0c18977d4ba

SHA256
44788fd48cc15da2c13700dfe42fda5556b3ae4c4be044d175cbc52b016a779a

SHA512
9e5ea077d97a7e295bb080f5b5ec27e7b34ff023dcdfef396560912987cf889b17a2eb2af07f32eaeb615fd4d9329aeb41f316c25a62f3586cc2b47c469f8b22

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
108KB

MD5
fc59081c4a1b9e10c3aa745adc5f9029

SHA1
0821bbdfef9a7f4a055f56078ea434f181dccfe9

SHA256
f20bf42286a6e21345995ed03fa4626926c5a6e2e97fef15d133d2d005902ccc

SHA512
1b9b6e9a14a4da9e9ca781fa6f81522e10007dce1bb2733e45b1fc77c1e8382dcb8c9fa0d28f8e8115b482a84feb1c5e9743b3da83a54aa7a995bf4ecdbc88b4

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
108KB

MD5
b971dc86849586a67d3bdd53435211dd

SHA1
7f0e6a9577bac149b93c5ff3286e1fdb51fd5ea7

SHA256
09af76d9ab54917af71d5ca1e85d02f44b48e4f1b3dc5630e3dcfc13dc7b8d44

SHA512
2d739032cc89c876d1ebb94869ad7b67049679801c96c605bffcf2901fddd992a221f1bdd006ed2b4e5da5c7ebd42483ed289bde80df6f142a85031fdcce854a

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
108KB

MD5
498052c50a85a2030458cb6fb7123c55

SHA1
13e5e8f28183b591f21f5917d1150943db1a1dec

SHA256
e365577e642bad8cfbb52aa34a8dda36c5c5b7e2b485a4b4c89fda51fb59ed35

SHA512
c95e6a5dd4157807e964426a1072171783fabdb359bf344215602b569025d0e8efacdbb358f568dad2b0b7e4ea0aace621d1b745a71567434179dde016cef5a9

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
108KB

MD5
e6f8d77953f4f1648b7b0dfcde6ab059

SHA1
724d8733e1cb80eded1cb9e9ebff3928c2aa976e

SHA256
9ae076efbf934e80994abfbd00275b3bd0fa1b9705444620e55f3cf3c08fa73d

SHA512
8fd57482f17a0e067de622db2bc908279060f4d49842a758d94527dd27226a65dc108a76053316a70eb7cf65f3cdc0262410e579e84ad7ea81c371a661b4738d

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
108KB

MD5
c63ca48f3d8d9cfe236561d2e81ae85e

SHA1
23020f5995fbfc182355f2e803240f6eac4a3af6

SHA256
ef43778a98407d4d6bd9a734fd92c91653e8e21c569efb048bc7b47829a8b241

SHA512
b587b6b42162a5d2e749b84e7061ea4f1e8ee188649ab0da97d7b3061bca1f3e00dc0bc214e78ba476d118f21b437c4b982c76f60a0948ce5f4f5b59e5f8c242

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
108KB

MD5
3358414852b59edc891948e1d8354142

SHA1
fa07fa378ec22ace4e71cbd0f59ff5d922d63913

SHA256
f58b4c3c5693dfe6ff0692046e04d74855b53a5ca50b96bcdebaea19b8591aa7

SHA512
fb3edd20c7f9dc9604bf0f5247c278177ad7eed74e8f6aecc0573b7bcbcc85d2308395bc8c43aedb8f079adc019761d5bc9a4813be92ba193b7ec8ac324da144

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
108KB

MD5
672e0d94ea1d5736d1100727d8b4874c

SHA1
7c2c07fff03f73edfaeb471b95e96fb0eb11fd61

SHA256
0f916ca160e43e9781dac637398cc7e8545c4f179f1701e96f36460014f8f20b

SHA512
4ff59afc224e8d1c78597eefbfdb3c3651134a0389a3543c382a4df19d66013f17723d3c8f6921556226b795ced79dbc33d9f6181953b17d16ffc65bbed8a4fd

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
108KB

MD5
0a4c64c64ef479a0a611bc896b9b036c

SHA1
4167c6cb5cfdbbea21c5e32e67eff33defbae904

SHA256
8b3f76f2984a8ebeeedb822da96ff9ad6a6f3835375b1dcfbf8882e59e8638e8

SHA512
8def5c452e12a764d4cfedf01e6d475a3a1fc6af2cb2f73b12d1e36730ffdd3e03a86271a25e1bee806fec5c0a395078d47912faec39d5ebce379d7117e00c26

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
108KB

MD5
4b52da578486bd37024da546531bab8e

SHA1
5374b8f4320c6d43cd59aedd4dfbcbff26275e32

SHA256
237c3e8db59ff21899b81a19b6efde2fd7e55218a81ab8a2db0d222ef6d77c5d

SHA512
6c08b7014fae87edadd84b0b9ad2c3e917bc8fd1ce526bab7b2d88581fc44cecbfe6ff08acbcfef2810cd61e2e8bc04ad8910bd61bb82f83fd21270ca72883d9

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
108KB

MD5
c3c74eef523cdc48336f9c8d702ca1de

SHA1
684cab3ddc65721267a2bb519b6b26813e03990b

SHA256
27d7477df5d59298c8fe2b59089315651d7bcb8ac10254ec6f7c4c9a801d95dd

SHA512
e45b1b4dd68cf2a478b3dff1528191d7595186a9bdc1fd276e667b3fde2571b09ff5af761fae738ef7d6e40f8ab20ce5267cffae7913d9451723168260db42b4

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
108KB

MD5
cdf93006634f739a86fb34fc592469a0

SHA1
90f93bf4686828224430609fe482ea5a890ccc26

SHA256
71cd9d5c9c8d16eaad169fc85747d4390810ae50ec0dc6e71f81ec2147e1d9d0

SHA512
48b85be20903482988e84da874d20fb25c2a4503ea3b3669786fea36987b3e11b8b04c22b79a177c02e576c1215da40f71a2b21e2a678ea56514763d9b1adc7f

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
108KB

MD5
797e069ded71f1e801e0dcb2b7745302

SHA1
5fa5eb06ab96fdee7dfec34bc21a809563db84be

SHA256
7acea462bb7a072be73f69e43cc2872fb57f3a9db5758d5be005f5fe5001580c

SHA512
3af9f31d416330da0973ac553e5d7e227372add83eb79cbda539a02fbaa1d7ceb5a403b789a0bd8a05c41af42b131213c3ff5a85dfb086c19f9331194409f891

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
108KB

MD5
bcc6fc868d72d243b0849cf9e96b6355

SHA1
c5098b36adc7474a20d207725b01d233c35b5f04

SHA256
d35c1005070cb55638da9ff753a31068d2674e77dc499ebaa87e5a79731892d3

SHA512
6b99069a3e124f8279f2463e7c5276af64b1343e4553a1a797383ef3d3e41909a119c0498f4034485cefd4598e9d755386721c4ab81ec975775bb309619acfba

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
108KB

MD5
fe6bdb862614d3d542f8ed2d662db3e7

SHA1
f2be39923eba00a3e3017cd0901b476f33ca2912

SHA256
1eeecd81d9360c47105a293afdc02c730b2d50b533cdf1829ebc162697801e06

SHA512
af4b29339902197963be33c650bbfa69bd8e18ba5b864f610f04625c7e266f444ccf12315ed084b1daa4a48db14794481d787f141c973c5326b9d1627f0e7a73

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
108KB

MD5
b12e22f9e226813c244561505330cc60

SHA1
3710d7822650d8a65d778088dbaffabf82987522

SHA256
1a9d3e8eec3397f30d2843a62fb62c6938fcf72047d8ebe58715ad9952fa631e

SHA512
c7550829d8136c0f9aa300ee688ff69bc9c27ad8d83d562a54e272af73fa7a8301c1a18bfa2d4bece583fd9f5e26faa8e4f6540655527b54f8833294a556e60a

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
108KB

MD5
df69d69d81a4e78be7c1d68d3b9aa3b8

SHA1
fbd65010fa2e2b8eadb0c954c4bc79f16a6a202e

SHA256
573b6b9f4ad64828029ec3639ebf4f336af89238accc5a714043b68345d61878

SHA512
8bbdf77e15763318fd69426461d955f75c1a1b41d6d9b1001f9cdd19add208092c861163f2ce253170779451722ffac8806977e1363044f297e3093043b05d60

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
108KB

MD5
30f0fe1212ac9fc15bc3eec90c3a74a3

SHA1
74e669eb6001ea1408ba89b341aa997c4c56a28d

SHA256
05218f263d5200f4f3ac66741fc2b8976993143112ae3633f2279e0f8729cb1a

SHA512
b582114b2c6912b0b23f619dcf5a522bf75b2185238a304e86b8f1b87874a52f5d02f729c5cc3db59385a02ff8cd309841ec0912fa7305dcd43fe8117841f89b

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
108KB

MD5
a9078f39b2d07442dbb6371d67fc09ce

SHA1
5461f903dfccdc18fcca688b18614d95b9fb05e5

SHA256
967e7260c58936cec698f210ca77682aa8c8e7b2ec3a31fa9a91634974eb7203

SHA512
d650b5e4337c20e3c7b2c51d7d3840804f31f5fb2cb5ca913e707f22246ed503d68237a045a835fc2dd65b42cd05c968e7e9c68f7812d5057207ab788f0cda95

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
108KB

MD5
37a7f8fdc6d1fd1bffd44bf73aff1ea3

SHA1
8d093086d687d15610a4f51b988d541b522ed6b2

SHA256
97229a9354edba0198a7b3b954941eef8f731e7400be35c6b7e19c9c6d30d547

SHA512
f7bc0187bfabe2a24ea2667299d2dc9da6582542742c975275b6cafc1e7f5ab9bc34e683bcd95ae1a27f73aa0a6d4e9862e7d1457cedacbb4b92cc89eb5f57bb

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
108KB

MD5
1c3981aaa39060b367b731a7ab49504b

SHA1
3c27876a5f95336116086adbcae76815b320e23c

SHA256
ea39d076649c33db868991ce11f3d5c6a6efa0d8947031041e4d2cfa61d61960

SHA512
7231db4cdf19597aae811966d7451851cfd3a627f1ef32c1c6864070f5900f82020cbdd35c9c10fffafd3b5e70d17daa89b9c92ea4c040841ebe4a9a3a4c0d91

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
108KB

MD5
1a8eb71eb27e4dd69b7f594c86a26440

SHA1
cbe03e7ab49c51a3575bf0b08777bda177f493d7

SHA256
9ebfc6ff1dc59ca0c4482023fc17473abe34bf3d318b388a479c63a2ff257e7d

SHA512
19d7542d47b0a719999eca715bca9b556b9b15c1a4c55db940bbeec1b48bcca39a687571b4bd992473fd3e1b921b63d793d9094d53ccdd122389c4be9d92999c

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
108KB

MD5
c35d3b6de3f0366ea8fcf5bf0b5a0788

SHA1
d17d2d66c1c437cb2db3de60e4e53deea6950482

SHA256
da546cd8b313c774441506500faea825f1015194820dc80f165c7194614c0a1f

SHA512
c30882f621700cded6dc04afaca2f657329b6480db1a481426bac5a06f734ddd18ad1da39ff8562e8c7b69dac3fa4a2874e8550ea0c1951ce48217d5073db78a

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
108KB

MD5
4e50129359914deedcb4f6935313bc98

SHA1
de2523838cd063f9fbafd00ff66249f9ca949f2b

SHA256
395a3afde4b6b4c3fa22b4cefe82bd9aa8356b62465ce2abcc2f344434303458

SHA512
7f1394b48b438a525b60e161359488a6644ea05e97358435e451fb071bce3bd540afc1b984ff7043ff83819445e8448dfc7ad8d1a55d752c26c0d5a3af1e4dbd

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
108KB

MD5
5ebdb732e6cf3c43ab8ae155703f4d44

SHA1
a920e2469f4ae283f65c007406bbefc1e3caa2ce

SHA256
f3ec4d3bd6cfb7c073fbd9cb8a68d4c0767ac58f0526173eb616e1a27b9e4498

SHA512
2500737569d74555f398e00a9f467891f9ab619b1db58d58335fdc2689724f17eb2e5739ed9bedd3cf9423e4384c4e57b732dc6d27d4a77f5069a35bca82ff0f

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
108KB

MD5
af1de84332cd5eb3b3bfa4d8f512f28d

SHA1
7d8da6be0f18572638c304ed59d1c5675df8250e

SHA256
689b5cea42bbdb9107f3fefe001403d533dd566bfb2d6ad9470023679e217bee

SHA512
5bd982212bb7702573aef458c307e9db8f1d37fa6fcff30c0a158d04079c069b32908fc6809be704f97ed73fab58adbd4590a2b10ce0437904327ffb60abf1e4

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
108KB

MD5
c3bce1fc1086f4b0fa8b65a282925909

SHA1
8b89789710822681fb8e3771432f5b79e22ca1bc

SHA256
426ed89f14a6aa98e674c18f84ecb0369be54ad74b73edbe1b9bcd0e8394dbb8

SHA512
8c238f37f22decbbb277432a118807648ba3d4588d1b66a41b6272e5be7922e4e948811db8f667f2e185467638110ab502e8d46c1daede3a5251336247ad6acc

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
108KB

MD5
6af0489091aa87ff770fa86a584983e5

SHA1
8cb96acef2fe8c67cbd112d3565dcf6d0683b5b0

SHA256
08d1d32afdf5d8e1ee2db19fd5f73e76aaa0dbc62a0eb72d2ba7b8f25b1266e1

SHA512
1686f0e9cf7be6aede8f274b8c849bb5118aef5276d8c16a8072f59b86ae1fef76827459e094f67a4bc1ef8193bde309db16be54600f8a855de25b595c19c5ed

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
108KB

MD5
8739b07772e04a7b98ea17f91531ca65

SHA1
9ee4e66342f13ad72d47653e33ffa98f3c858d56

SHA256
d0f52cd3c757ad5bef83c980459649b5ef9eb3bc4048cf163d23573491b921a6

SHA512
ee486bda7ab2129d489fd5e943829812fab80ef7ba6223fb3db925d22705a45078468188829bd5cc489f170206ea776f4142e8d7f84afa60fda931a6b1569164

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
108KB

MD5
83188e4cd26564a9089b385faf64ed0c

SHA1
d555f7de532d7d3f569ad86f85f967f516af57b9

SHA256
8ebf7381cbc1af13f535d975ac55f89276177caddd625655245992930d6714d1

SHA512
da5cb7b98506d6589f3634baad74b918159a297fad754fafc83b82632239b6efdba2a3bb139256a7630eaf1a36e813f9de0a7e28428e28dc12e18710a36b8284

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
108KB

MD5
3fcf94eecc981754578315bca288eaf2

SHA1
231fab04b7df0aa371d14a628d137385d01c162f

SHA256
ae79c421d9a94070b688bf63c233dba9d5d9799cbe05a48d4726a1ab58d0c06c

SHA512
3718e3d4141a60dde2591a4ff1f0db2c8f6296db746e9c19fc6fe8021284f5883e840c93bd977400ee7b858e77a942f9104988bf4100606e6c0ba050236dc73d

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
108KB

MD5
2774d2682afab5c8673a24b3ca99762e

SHA1
38914ddb1edec5ea2f5eef457c6ba58cfdefe94e

SHA256
ad3a5284875c0765539ca557b196efb191107d40b3fe280c067b2d7226da2b53

SHA512
3ff326f9ed28571676fa53de7856424968ffb53c98ae91f063c6161117234a4b9043a0a6e8d699b7b6dcd591355af03022c3703b2956209408b65c1bb863af9c

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
108KB

MD5
6f522506f9c0c02f701f88a55f3de76c

SHA1
abce0640d5c751a3a5541bf982e8f00435dbfe96

SHA256
7522c1c6d999496cb7ac8d60274c507ff891df8092bf705bcada9b2287bc3f67

SHA512
7c21220ebff5d4eceae02b967ceac14201d047cf2622665616c1edf99cd2a87f4aa9f0fb7e1f91201fb6026fab0277ddec6e8615d53ee1ec1b40034b0873dd1e

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
108KB

MD5
816860e1a33b9d788d0de6376bc6bb83

SHA1
2d4e9bf64a1e7f1b5ec98b2edc2ba2a6919c8276

SHA256
675754e317c82c918ff64f225d0af0afeaad0f33580ad6a8c3d9518c25e8921e

SHA512
fdd9fca9d6807381bb8f343362eb3fb38ec8279b8a6360d4d2b0f18b3773783d0c82c4050510f04c75129c7716acb695478bf85caf1b484d0f9c2e62d03fed6d

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
108KB

MD5
aee5543816776c4016bb08b3f09d333d

SHA1
70dcbf956b162ca1dfd909a0e02bfa1e5385fd49

SHA256
407123157c6e1c54ba2851cbce1135a5814dbec796bcfd776df55bee266d68d0

SHA512
b06fdb36f6d58f46bf3b760560a82747827af57064705554ecc0ba887ddb6d7517086c5cc4ed135241c51752edd04bb64707ea67b6db56fe41314dca1e5869ab

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
108KB

MD5
e244da301f2cb02d0b7c17291ec9c143

SHA1
ac9bfb4bf3880c3f558fa8a9df494730f21957eb

SHA256
98843f41e989df93937d9e9e10b65f1070dc8528c7420e19f0428f886392bd26

SHA512
e4e00a8b68b2cfe73032476b866fcd1baf30bf641641278693944d8898f92f3ee6e07db6e1b962a6700da360198a8b2e9f3816ac4e9395343311f537a0872d08

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
108KB

MD5
d620f1d31ee6a57a30aeebd3b00457a4

SHA1
09e9a4350f75c18d1a1bd0b9baa306372a91e907

SHA256
ecea7cd1af0d5510e5b87c8d2d4b14de51c2552d0e2ed812f94740673831be8f

SHA512
7473a5de1f60b67ce9230136e94815dda8bbaed10365e94c9d2925cc0169aea65966004142e6bc05a8f419b87239d6025e48980743dedb627c589186ba3508d9

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
108KB

MD5
4e35e7114d36f99d7d0bcead8124b924

SHA1
5ee2aec8983ed00b23425a5753239a84f69348c4

SHA256
ddd03ce73c07bdbe1e10218fa5e7bb2527aabe4c98e9bb83b1c8c49b9335a01c

SHA512
7c4f2a5bcd561dc9b440d4dae10bc15c04336f1f3c8dee27df0a2f44387bfd4ab9d4ec9976506686ae9fb552ff0983cfa84230ff31769f26ab6c9236cf196c98

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
108KB

MD5
0471ed8f1ff55f348f17ca2e34cf8e34

SHA1
fa5e3e3edb45aad263d7d2b1f0a9d46a2dfd34b2

SHA256
c8ba133f0daef55d8d1bdfad2f32b2c92795f37b507de0def4ad48f0405a745c

SHA512
ac5af2e35f34d82067bc2d747ff3f30bf4c2a24789cabb48e33b3b85f1f11f44ccbfd20efa954962a8e262703899d795331510d8df23152b711df022ff16aadf

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
108KB

MD5
203e510010d3c34258d4e86c11abec2f

SHA1
4cae2134ad9b326c45c0891b53f5d6644ecb0d55

SHA256
c055ea6f2a01e4f1001ffdca5a2b9d9f9ae02bf967dc9835f33b5a61ddec5c35

SHA512
1bd5deeaba14de40c633e8f9ec7e26e6e21822c0047bfa17970a9dd044032f5818d5759f60aee3a5c189c6e17c185018c86424555e6be557ed73d2097340dab7

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
108KB

MD5
39487f21d0c9c808ce7fb3ad267850f4

SHA1
5098199b8c22ca5de770f043dd113a7d98b8b6bd

SHA256
0d4ac68e84eeec63ee9b04612420e497b5f31d1faf395c1badc474fcfb15d95e

SHA512
5a5a024030ccf13480bff59c6778c141f056383e90b19c1784bac78f080f6a34a3154e3bfebf7c633d7db2f2e3ab3a190008b6391de671b2ee1723b58341d562

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
108KB

MD5
2f487b75bc3e52e18422576f6f2d4b16

SHA1
69b270a66d4babec59873729bf3c38da6eb3a07c

SHA256
93321c326cb8263a2aac5b52a674bb59c6553acb7ee8100cad034d4c25936068

SHA512
9437af4d7b2e9df4829b321dd8ce1a380f16144fa070e77ffb98db514520e6047367794e5b23f7a295e45a558d21a7e4c454612cb341b0685f18fcbdeca42eed

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
108KB

MD5
103a3dacc633659a335d9278d7cb007f

SHA1
be2b502060b8d37c107db4502e9fd0dbbdd95646

SHA256
ae8906a9cd8d3663aac754c324207935683397d6bac742de43691f80a5bbc862

SHA512
4855e064f805cc890730d109d90debf0efa73aac62c45ffc9784596cf999c62764497795ef11dcd2651be12e40d44273f394d3801fcf56815bbb6438aef25932

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
108KB

MD5
e786d0f0f1db20fb3040b647c027c2b6

SHA1
ab83fdfd234cbf4e14a2778db1d8b2f6e9cf9347

SHA256
6cec46cfcc950ebd0314816af52802babc1878585a1d068545425cae796520a8

SHA512
52420528bb24e5fbff12c4de645ae9cbcb9c9b6b921ee4c30b935b39a9f2e19d7bb281ef0ac0ec074cc8d9adcd25a0c542ed32c41722e15db059f69235c8e112

Download Submit
memory/116-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/440-453-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/456-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/464-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/636-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/924-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/952-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1012-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1068-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1084-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1112-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1196-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1204-261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1356-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1368-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1412-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1440-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1460-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1548-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1572-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1780-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-380-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2116-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2680-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-414-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3076-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3200-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3208-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3312-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3416-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3464-420-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3584-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3728-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3784-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3868-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3888-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3904-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4060-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4072-435-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4092-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4124-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4128-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4132-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4136-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4196-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4200-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4296-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4328-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4360-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4436-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4524-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4884-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4944-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5012-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5064-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5116-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads