af1f13f6b01d7dbe862806612ff8b56c7380b33c4b3eb486ed5c5f49dfe67ed4

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af1f13f6b01d7dbe862806612ff8b56c7380b33c4b3eb486ed5c5f49dfe67ed4.exe
Size

80KB
MD5

51907e24de4a4a4f92109a849d43d120
SHA1

2a65daafe7addbb4c72a575baee3ad6557894c3c
SHA256

af1f13f6b01d7dbe862806612ff8b56c7380b33c4b3eb486ed5c5f49dfe67ed4
SHA512

c74b7d9a44f0d82c1b72a6cc2c7854f5b9e62c90838ddba2350944d7a6de03d58e1c0ee79dfcb0b917241fdee2a818ecba56e628db8b0835c92fa00781f27db3
SSDEEP

1536:rtSyiPZPPP/qHKCgN59i2Lk2S5DUHRbPa9b6i+sIk:r4yoRYgfZfS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeklag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlednamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	af1f13f6b01d7dbe862806612ff8b56c7380b33c4b3eb486ed5c5f49dfe67ed4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe

Executes dropped EXE 64 IoCs

pid	Process
2164	Jlnnmb32.exe
4968	Jcefno32.exe
4900	Jfcbjk32.exe
4772	Jianff32.exe
4196	Jcgbco32.exe
3204	Jbjcolha.exe
2744	Jidklf32.exe
4752	Jlbgha32.exe
488	Jcioiood.exe
3928	Jeklag32.exe
2040	Jlednamo.exe
3976	Kboljk32.exe
3280	Kemhff32.exe
5000	Kmdqgd32.exe
4532	Kdnidn32.exe
412	Kfmepi32.exe
4104	Kikame32.exe
4936	Kpeiioac.exe
4828	Kbceejpf.exe
2004	Kebbafoj.exe
720	Kmijbcpl.exe
2308	Kpgfooop.exe
840	Kbfbkj32.exe
5088	Kedoge32.exe
2848	Kmkfhc32.exe
4460	Kpjcdn32.exe
1204	Kbhoqj32.exe
4872	Kibgmdcn.exe
4644	Kmncnb32.exe
4020	Kplpjn32.exe
2204	Lffhfh32.exe
1540	Lmppcbjd.exe
2020	Lbmhlihl.exe
1732	Lekehdgp.exe
3728	Ligqhc32.exe
4312	Llemdo32.exe
1048	Lfkaag32.exe
3524	Liimncmf.exe
2876	Lpcfkm32.exe
2092	Lgmngglp.exe
1376	Lepncd32.exe
4308	Lmgfda32.exe
1144	Ldanqkki.exe
1100	Lgokmgjm.exe
3096	Lllcen32.exe
4420	Mbfkbhpa.exe
2956	Medgncoe.exe
4168	Mipcob32.exe
2484	Mpjlklok.exe
884	Megdccmb.exe
524	Mibpda32.exe
3584	Mmnldp32.exe
3104	Mdhdajea.exe
4816	Mgfqmfde.exe
5048	Miemjaci.exe
5032	Mpoefk32.exe
1556	Mdjagjco.exe
220	Mgimcebb.exe
1408	Migjoaaf.exe
2584	Mlefklpj.exe
4696	Mdmnlj32.exe
4904	Miifeq32.exe
3068	Ndokbi32.exe
4656	Ngmgne32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Llmglb32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Kcdgpfak.dll	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Jcgbco32.exe	Jianff32.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Kedoge32.exe	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kedoge32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Lffhfh32.exe	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bhoilahe.dll	Jeklag32.exe
File created	C:\Windows\SysWOW64\Kdnidn32.exe	Kmdqgd32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Jidklf32.exe	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Jlbgha32.exe	Jidklf32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ingapb32.dll	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Lmppcbjd.exe	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Neeqea32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ncdgcf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7424	7320	WerFault.exe	295

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcioiood.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mipcob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kedoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakipgan.dll"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memcpg32.dll"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijloo32.dll"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	af1f13f6b01d7dbe862806612ff8b56c7380b33c4b3eb486ed5c5f49dfe67ed4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Npjebj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 2164	3676	af1f13f6b01d7dbe862806612ff8b56c7380b33c4b3eb486ed5c5f49dfe67ed4.exe	87
PID 3676 wrote to memory of 2164	3676	af1f13f6b01d7dbe862806612ff8b56c7380b33c4b3eb486ed5c5f49dfe67ed4.exe	87
PID 3676 wrote to memory of 2164	3676	af1f13f6b01d7dbe862806612ff8b56c7380b33c4b3eb486ed5c5f49dfe67ed4.exe	87
PID 2164 wrote to memory of 4968	2164	Jlnnmb32.exe	88
PID 2164 wrote to memory of 4968	2164	Jlnnmb32.exe	88
PID 2164 wrote to memory of 4968	2164	Jlnnmb32.exe	88
PID 4968 wrote to memory of 4900	4968	Jcefno32.exe	89
PID 4968 wrote to memory of 4900	4968	Jcefno32.exe	89
PID 4968 wrote to memory of 4900	4968	Jcefno32.exe	89
PID 4900 wrote to memory of 4772	4900	Jfcbjk32.exe	90
PID 4900 wrote to memory of 4772	4900	Jfcbjk32.exe	90
PID 4900 wrote to memory of 4772	4900	Jfcbjk32.exe	90
PID 4772 wrote to memory of 4196	4772	Jianff32.exe	91
PID 4772 wrote to memory of 4196	4772	Jianff32.exe	91
PID 4772 wrote to memory of 4196	4772	Jianff32.exe	91
PID 4196 wrote to memory of 3204	4196	Jcgbco32.exe	92
PID 4196 wrote to memory of 3204	4196	Jcgbco32.exe	92
PID 4196 wrote to memory of 3204	4196	Jcgbco32.exe	92
PID 3204 wrote to memory of 2744	3204	Jbjcolha.exe	93
PID 3204 wrote to memory of 2744	3204	Jbjcolha.exe	93
PID 3204 wrote to memory of 2744	3204	Jbjcolha.exe	93
PID 2744 wrote to memory of 4752	2744	Jidklf32.exe	94
PID 2744 wrote to memory of 4752	2744	Jidklf32.exe	94
PID 2744 wrote to memory of 4752	2744	Jidklf32.exe	94
PID 4752 wrote to memory of 488	4752	Jlbgha32.exe	95
PID 4752 wrote to memory of 488	4752	Jlbgha32.exe	95
PID 4752 wrote to memory of 488	4752	Jlbgha32.exe	95
PID 488 wrote to memory of 3928	488	Jcioiood.exe	96
PID 488 wrote to memory of 3928	488	Jcioiood.exe	96
PID 488 wrote to memory of 3928	488	Jcioiood.exe	96
PID 3928 wrote to memory of 2040	3928	Jeklag32.exe	97
PID 3928 wrote to memory of 2040	3928	Jeklag32.exe	97
PID 3928 wrote to memory of 2040	3928	Jeklag32.exe	97
PID 2040 wrote to memory of 3976	2040	Jlednamo.exe	98
PID 2040 wrote to memory of 3976	2040	Jlednamo.exe	98
PID 2040 wrote to memory of 3976	2040	Jlednamo.exe	98
PID 3976 wrote to memory of 3280	3976	Kboljk32.exe	99
PID 3976 wrote to memory of 3280	3976	Kboljk32.exe	99
PID 3976 wrote to memory of 3280	3976	Kboljk32.exe	99
PID 3280 wrote to memory of 5000	3280	Kemhff32.exe	100
PID 3280 wrote to memory of 5000	3280	Kemhff32.exe	100
PID 3280 wrote to memory of 5000	3280	Kemhff32.exe	100
PID 5000 wrote to memory of 4532	5000	Kmdqgd32.exe	101
PID 5000 wrote to memory of 4532	5000	Kmdqgd32.exe	101
PID 5000 wrote to memory of 4532	5000	Kmdqgd32.exe	101
PID 4532 wrote to memory of 412	4532	Kdnidn32.exe	102
PID 4532 wrote to memory of 412	4532	Kdnidn32.exe	102
PID 4532 wrote to memory of 412	4532	Kdnidn32.exe	102
PID 412 wrote to memory of 4104	412	Kfmepi32.exe	103
PID 412 wrote to memory of 4104	412	Kfmepi32.exe	103
PID 412 wrote to memory of 4104	412	Kfmepi32.exe	103
PID 4104 wrote to memory of 4936	4104	Kikame32.exe	104
PID 4104 wrote to memory of 4936	4104	Kikame32.exe	104
PID 4104 wrote to memory of 4936	4104	Kikame32.exe	104
PID 4936 wrote to memory of 4828	4936	Kpeiioac.exe	105
PID 4936 wrote to memory of 4828	4936	Kpeiioac.exe	105
PID 4936 wrote to memory of 4828	4936	Kpeiioac.exe	105
PID 4828 wrote to memory of 2004	4828	Kbceejpf.exe	106
PID 4828 wrote to memory of 2004	4828	Kbceejpf.exe	106
PID 4828 wrote to memory of 2004	4828	Kbceejpf.exe	106
PID 2004 wrote to memory of 720	2004	Kebbafoj.exe	107
PID 2004 wrote to memory of 720	2004	Kebbafoj.exe	107
PID 2004 wrote to memory of 720	2004	Kebbafoj.exe	107
PID 720 wrote to memory of 2308	720	Kmijbcpl.exe	108

C:\Users\Admin\AppData\Local\Temp\af1f13f6b01d7dbe862806612ff8b56c7380b33c4b3eb486ed5c5f49dfe67ed4.exe
"C:\Users\Admin\AppData\Local\Temp\af1f13f6b01d7dbe862806612ff8b56c7380b33c4b3eb486ed5c5f49dfe67ed4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SysWOW64\Jlnnmb32.exe
  C:\Windows\system32\Jlnnmb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\Jcefno32.exe
    C:\Windows\system32\Jcefno32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\SysWOW64\Jfcbjk32.exe
      C:\Windows\system32\Jfcbjk32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4772
      - C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        23⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        26⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        27⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        28⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        33⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        37⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        38⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        41⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        43⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        45⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        47⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        52⤵
        Executes dropped EXE
        
        PID:524
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        56⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        58⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        60⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        61⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        64⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3012
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        67⤵
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        71⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        72⤵
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        73⤵
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        74⤵
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        76⤵
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        77⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        78⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        79⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        80⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        81⤵
        
        PID:908
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        82⤵
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        85⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        88⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        89⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        90⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        97⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        98⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        99⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        103⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        105⤵
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        106⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        107⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        108⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        110⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        111⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        112⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        116⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        117⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        118⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        119⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        120⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        121⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        123⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        129⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        131⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        135⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        137⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        138⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        139⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        141⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        142⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        143⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        144⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        147⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        148⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        149⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        150⤵
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        151⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        152⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        154⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        156⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        158⤵
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        159⤵
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        160⤵
        Drops file in System32 directory
        
        PID:6896
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        161⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        162⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        163⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        164⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        166⤵
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        167⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        168⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        170⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        171⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        173⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        174⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        176⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        179⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7056
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        182⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        183⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6440
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6492
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6768
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        188⤵
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        189⤵
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        190⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        191⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        192⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        193⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        194⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        195⤵
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        196⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        198⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        199⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        200⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        203⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        204⤵
        Modifies registry class
        
        PID:7272
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        205⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 224
        206⤵
        Program crash
        
        PID:7424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7320 -ip 7320
1⤵
PID:7396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
80KB

MD5
14bb55578c0572f166afeb15c5bab138

SHA1
d1078e2b58cc6699b1931483642165ce0133c7a1

SHA256
872c4663bd3f5d8d3ea3cae13fe96d88cc4bd91f2c2fe79a463de8fc0a8276eb

SHA512
e1fd01eb2645b5a362b2f43899d2b1531353e9d087892c91ca92282708da6d50bbc48d8df9ef6cd9c01751d04325d29d756f54c8f0e0b1851cc0e3909e208e3c

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
80KB

MD5
5ee634a62324c195c43622ccf5c8cb14

SHA1
568bb3c0b675d51ad3f2cc99f9d4d69dd54a4f71

SHA256
3b76d7d995c5e40d204b0e4cf35c5ab93209a19df020e9894f6090325d78b572

SHA512
fb1998ec52cf7ccfaa5850ed67a78af422a52c82291f7e38cc1cf9027d2df4f980b1842cf3c308b255182b811ec552238df8b8ae8838e9b5149e8d22db08f69b

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
80KB

MD5
7fe04e89e95fc06df833edc90b7e93b9

SHA1
04060959c69bc08f3c8ec8160d65addfb483cc77

SHA256
131437b01fa0bda5fe7893eba850b2c2a1d33ece7d1dd0814849d60b1ef04323

SHA512
6ff886c60da0c51364ac35c54ed3f4c188dada6f36e685cdb7801388587c4ceca76620b8afc6ff48f443827168e7274b2cb6763173db4cfa39a0440f9a9c6030

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
80KB

MD5
628d439a1022c1b85429c3453102c210

SHA1
80f60554bf4f4f5a1d0447867b19947e487242af

SHA256
123fcba5133e937e212dfdfeeb56e153053601c8afa1cf616be232127c99a564

SHA512
17451a3835be655f7b679ce84b50e32cb7efab145cb592fb88f11e289c7ba463bbe5fad8fe314394ec1cebd61306dca8b8e3b45b493224fb16478df996e6f5d2

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
80KB

MD5
9dd091b00544b6eb2f74a8fc41a6d570

SHA1
bcaa81572c470ca01631f9efd88e7558e8f4d651

SHA256
547884cc6e606c22f5c5ca126eb600b0b3e6941e6d7c97263dc3a6f47fe57b8b

SHA512
3fd356456e24e8a7ab2227a95ad179eb50bfeda64c2ab3a070339a3f4b7052bfb3acfe6cffdbecb4640a7a646213b2a190fba796efdb402e5b1e6203a0a7f865

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
80KB

MD5
9fa371996815c5a67d6c452d4dc197fa

SHA1
3de6df10c7a2c61dcc670cdf5550e25f8cb656f1

SHA256
bb2d2213364cf4f6e3741c1f4f39a82e2b477d66d386e91b8d40c69dba69732b

SHA512
0d72c95c6f4460f380e68d99fb4682df63319d03628d4a98d4e1b3a6cf3ae10a3fa08f8b3ccec0a78ef2dd848ba85391b7066427c153caf06aba630419b9655e

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
80KB

MD5
6080a1b49c10f92ed1148964212f0723

SHA1
1edb01193de71d45b346a63a518e47b7512a3b2d

SHA256
b611cc97b81b3867b85f3c6d3c55cb2d627ea98c988a67efd9a90f7a4f68853b

SHA512
9b5daec96eac6ef75b9f87694d7d61032183d4967fa35d6287e0f22a19c5e6acb6debbebba6d9923e77297f7a5db4e1b2b7c91e214f7eeaaa98a7f756e467957

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
80KB

MD5
9c0ead8e5d8e27303aeb4a571aa56635

SHA1
ce227fcf83018d7abdd1da08f301d367c61a4aa5

SHA256
ec307ba1d485929083ec956a949c1d78d9109814b00251ead590fa25310a52ad

SHA512
74ef53e955c0f4f1c976b367685936a8c819b2b13c5d3c17913e40c2f8aa465fe5c5cfde942e66941542b959f7fa7b153f871e43c13df54c0962bc294f159934

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
80KB

MD5
5cd48db3d484dbc1f035253dba55fac1

SHA1
9e2f85866a312f82f3e00227cb450b07b4d6bf23

SHA256
99d82329f491db5666db381c2337beed3afae8dc8e5bc122ebc0a15dcca29480

SHA512
4c7cf1911a9539c1bd6f86478d33bbc724bd1052ff86ec6f008390e2e2ae8b250ea5875285dd2ee7cace9667aa2145061e8b7c37496d4fc642514e6ce5253562

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
80KB

MD5
b89883510e8f961256aa97bc3fa4aa72

SHA1
ff2db992859aa3d192b2b06b8f60c8b37e5ba0b5

SHA256
851136a48b708493a2ccc4e1e8bfc364fe1a25faa6529bf0b47a88c1f371da66

SHA512
490d118f0bc61eab766b137fd2e941c73089c86795d8efedbb24b02b66fec1247de96e48cbbc07c5be319a7eebe74dc985296602073949cdc90164525808714c

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
80KB

MD5
73a0234aaf800be726aff1f595adfc37

SHA1
df2012ae041c4dc69d8eda26d51f5ee8cb58ab46

SHA256
ae68d0d5e9fac15deb95f7e01ee337f0f82ae836b94f44a3015fc55ed7f38d00

SHA512
9a296f952ea7cd8b0d9428fa2b23760cedd814f40c1e8cbb675c235b8bbae8bee5e4e08a4c9fad49f57cc5e619f60b0b9e82d3aa20014b3ae729f7f6f8419601

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
80KB

MD5
2814d7e8c7f94691b5cac5b1c3247b69

SHA1
67beabf039247ff52977637ee260799af22a3194

SHA256
aa166526bb049ad9f876c887856a87de1e9f3dde8de6b1bc50587465aac8b9ea

SHA512
6474cd6f4ed16d19e163b33907d184003f079c71dcbccef8c383834eeae278acedd93fdb928e0e656e8a46b6ca0f396443be821ce5d8102fcaf1d83e6c97a544

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
80KB

MD5
76737298b269133b46c03d831e4c0691

SHA1
32393335a2842a192463fe424e4f6b52d08aeb89

SHA256
89110ab76438af907aa66da5ec71634d43208081d4e41c6fc8bf671b7ddb8bc9

SHA512
eeafaade6e1bcca916e36f5abac15d473399f2e9eabe9378b11945574e283098cc7ec69e317f5f9494af244e168aa03eceea35130ac184da7fcd2f0e3010b973

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
80KB

MD5
f5f5cc19a4519ef21901cc6c8584f0a4

SHA1
47d49758530a3f6634472acdfa5735d0d6b3b6a4

SHA256
a22a318742720034bca6e859de9e6c1ce5c7271430d2d727fd8cc38b09b43cda

SHA512
1e983aa474aca2b4cf3002867f98af299e90071e6d816e64e9716c605d5dda1e6ed34a88d5f2d2afbcbbbc2179b23bd283926d420bbdeaad2f3adf4037e70cad

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
80KB

MD5
68daac57ad34a23ab54b5bfa3a0af79f

SHA1
ef70a4b10792e5f84817f3b662320a6d6e2c8ef6

SHA256
61bd4b0ac32848501da3226a5c45a21ec1ad8c9992a99f35c4119f4450040e63

SHA512
7d07918a2edcb6d29f52fe778eb1f41e190c664aeb2f73a0c220003e18a35bab3731b450da45150d1d5905575f1542851ca8a721694a7832c52378a5d98428bd

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
80KB

MD5
a80ed86b3bb451bfeb5de33c4e6e7fe9

SHA1
51b59bdcf64cb79a601f16ff3cbb47b6acfb1b83

SHA256
f24a22b50c9f659944391fe5fb34be11602c54296c906e57c54dcefe56e2e8fd

SHA512
5125668d9f4fc2bbeaea4cedf3c2bdfdec37c2ba647203d8475837837bab0407864bfb72a0e5cc2d8937b659044bc45a8f4c72a8f268d61868318a00dcf53804

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
80KB

MD5
9d96fd109856ffda3f1cefeceebd5b2c

SHA1
5e53f7e1ea05973e7018666df4bd7a73ad3441ae

SHA256
9f100318b4696cd81d56046339906e3f10b9ba933cf750bdb9354515457adfc3

SHA512
96c19c1b3fe49ae293dfe8984fef7d454fae7ede996bee9ebfc8af5a67ed9106e5311ced57ce34087ec7673e98f331179031ec3d9bc154828ae3ff53363ec567

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
80KB

MD5
f7d598aeb51205a4193a8e107aef6dc8

SHA1
7ed7eaa2628fa3342a5f9876a317bb97654771ca

SHA256
e5c1aae7f717012beae73fb3effb6911ad1478915bab682fa3db1a7c88634569

SHA512
fd3f392e3705977dcdab665fd5d41efeef7c13fb4643f847e4bf6b902ad09f3415271ccc7902501442b9af45b64123fa3564b23cfe827f99c9491c83ce89ebf6

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
80KB

MD5
a9c8d9d4945fe0e22720879fb3460854

SHA1
d2f87020042a83deb6d4c734cb7dfbbb7d2207f0

SHA256
46136d51aa07840fde680ab237c5dced464fcd6d99af33c51b85d9aeaf0ad62b

SHA512
4963f8ac72c595bc4c763de956eba2c28e396336c1a706f710a8516eecd3848958c2c88ed788b9bab2b1b1c3c052b2e4c72b8209ce3dc13307687cfbeaf994ff

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
80KB

MD5
ceede242693ce24d7b176e1e293b3d4c

SHA1
a1039ad2914d4200ea649b24c8fb5d3e0190f020

SHA256
e5b550f655e35390a78d636bfcd1f6dc12da6bdb992bd6ce8d1862e3ae8e6136

SHA512
be213bea54a6ae38502b834dc0d1faf90290488e97e9ffa2ae0fa381edc4dd9e37a8c7aeb8b7aa4626ff4fcab1ea44a0d3e9a45c5ac31064f0f691da30148999

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
80KB

MD5
0fd70fd6eb5912eaa2441c832c3c0a89

SHA1
4f4496d9d2652547b9f1535fc3ad1090c5971573

SHA256
65eb9f0ef60cbedfe728fbd51f2f1f7180ea1d17af2977700c8c38106979231d

SHA512
a0aa5fe1254f327e2346d1675089c6006a8e286fffb84a89a27ca539e31021591b81ecbbe517edb88cec1bc69398af6655e842677f929d9c0f45a4c530dace67

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
80KB

MD5
0e2d44250a5e010b4ca016a558aa03cd

SHA1
c53f86269dc4818ffbc6751a36cbd48cfdd552dc

SHA256
a4856642360fa13f006b8c8f5147b43bbae10ccfbb0b6d892a8d32364ef8db33

SHA512
44dce8f250b8ffb2bb4f40380e2d444be19ea031a76406b6a47d8728021c96b196e81787595cd50798f08e45c3db6223cbdcaa0a849c67ee48e001a39380ebd6

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
80KB

MD5
068a81bd9caaf6b5cb14e26c11e52c2a

SHA1
e3b2a37b2edfc87ed1c9894d3b4c05bfb465c9da

SHA256
3bc1de8e4866c757a0b9c35db288c4c3a08b2c24747fc5f3c112862c876151a5

SHA512
1e470b119f62110d3b02c5ca658d6b426efa7afc944279f63a71dd422943f2ec0eea04253bd21d7f9f1c695d953fe24ab1f1064b1aa22864df25503b1fb7e7e9

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
80KB

MD5
2e59416078261bb92c643cf7bcaccaca

SHA1
3cb09c286486b0f0cabdad9925976c7229d4b27a

SHA256
46ae679f769db714bf0b119e5f62873014afafc5879ea5dc8bcd2d1e8d06185c

SHA512
8c7f49171dfbde9bcb149d80e69075b80058cfa51c227510e1ef77b2cbb9821b25b32360759663b1d28ec8308be9b8ad675320318d72b42a57514ff65f7b89bc

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
80KB

MD5
3ee77d320bce227417af68dfc19df36a

SHA1
d0ddad424b117afec63df3e0bf1e9041f403d71b

SHA256
acd6ac37eef13ac7471a142ba2472465a863b906327902403d3269cc04cc1bb8

SHA512
d2aec6d12c5eb6c7a10d07b929d5cabd407c2a0f481351f058779b56e7197e280dfc435b20962649cf3587185f0459bd111d2309a1dd4ee0b851950e65a25712

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
80KB

MD5
b4eab3cead781afdb0680c51187ad828

SHA1
e6a598d255ddf168ae3d909d91bacf30b5e59a30

SHA256
bdd54f9653c45bcdd3bccdb6f99f93b84c1116afc3d94fe35565df65fbe0b2d7

SHA512
ff034e1e42dc66d6bf9e7e4533fb0a35ad2c7171fc5e17068eb031502fc5cea43ae32bfac906fa58d2b3bf68054f013191976219c385b40d22df2f28db433931

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
80KB

MD5
e9ac33131bb873ce682b7d3505141ae4

SHA1
d832500b4a5fa58629602d6122aa87def58f26fc

SHA256
e7792411708eaa1e4e628df0e11404b17c898b15cec660846d6ebdb45ac5c0bf

SHA512
93ec3cff23ffbb0f544f1046122990e0d036cf2ac04c3c79c95f91487034fcf42302e35ed1c5736d5f58ab7d6f7a0e2e38e26dd06b079744f920459119876f45

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
80KB

MD5
7a6bc29c6a6d773175b12ad5451bf9eb

SHA1
cad040e9a89d943ceb45cde6e6e533911a38466b

SHA256
7a3b72d552e432a1cbf76c671410a181aa97c627161383a256f554d5d0650e26

SHA512
0fe0f7d7b32ebf2a8fa0918f6f49d67635ddccf6316db402ea902c05ee44d36c8463a1c7d5ea07e57208fbf8e7189f8824602947a84455b50e3ac3de3385c995

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
80KB

MD5
0897b505643d9b6fc19db88f6943ed40

SHA1
bf185b29f5481abaffa2f4e5c1ad0c8b9f976c2b

SHA256
d86903a8ab2d35634c68c7e7737adec5dd396d9e1dd52675c1d5b21cb2e768b7

SHA512
c87065d123db68a9bb53f08a1ecc307df0cd8b42a52fb8c8d6a4d6e5223d8717dc08afc1992ef91d829e306ecf89fd5f113314fe67c4ea4bf0531b62b6b4ba20

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
80KB

MD5
1d4123d7beb95695f72e4a8822412bba

SHA1
6f8a8520cae5adb16858aabe72d9dca32f54cb54

SHA256
19f089834a56bfef954fcd9fc0ee320942d766182f031eda6addfb218cb5ebe6

SHA512
3a657cb47b44587e8fc985fd26351b47ff67b5b562cc83f5995502e6333b9c91157340b63b8001876e3b44fad42c66831dc3428cb0746f4e5c470542bf7d082e

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
80KB

MD5
a7b89c316052dc163c02be0f0a6314d2

SHA1
e16091c5c9899389114d7ba7bd8dda247eeefd2a

SHA256
a955c84f1307e596b5aac487fafacd0aeaf2aff6355b3b3018140d15d72c3662

SHA512
1001a6f611b225e857d48710db5b5ce062048915e657d9e6d5f4dd7ba0abc570da1774e4ecdc3f9881be0e7a3da25ad2264e129ecea69a47c005d4e3df7068da

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
80KB

MD5
439496aeaba88479d6c735c4fe9d6ac0

SHA1
51f00aa1bc054d19046187f98293534714973b02

SHA256
1afe8f8eed565881fa1afe97796572622dd57a6d02ce4dde154fafafb75666ce

SHA512
fcac0893e31ca7ae7d46660fa433dcc3df32188ee0757c6e6bc70f98163318a94171adb04feff7aed93ce44cc17d7879cb9ac6d0f9ff5d69054d62ffbadf61eb

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
80KB

MD5
b193cd0ad89a7296573726430dce9075

SHA1
ea1b8e935575dd10b7794c22b66cbaacc1b84d49

SHA256
0eb9a18603e0df9dd56294e6d951e3e39cb51644ec141379df684462e087a11e

SHA512
93894d78c51d785587aa28ede557e12993f8a517e29f886377421dc52f8364ad4ab6184bbb75ba61ac4c417bbf87cc1aa08a6413f49a008e5904c27f22164a2a

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
80KB

MD5
73e34055bf5ae1b1b0a24903090406ce

SHA1
aa35839ab9f063069886190b623c72560b6f3ac9

SHA256
8129f972d8c4f12d17151b9ff276698c7eb0dd531413c06b89c455a41803bb71

SHA512
046800277adbb6b2862c958177fab33faca9d2042b0d12788995df2fcc8987a36523529c99383ef06548b7e2634bc6144b12324c9484e2a5f2c655b63242d760

Download Submit
memory/220-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/412-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/488-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/524-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/720-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/840-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/884-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1048-291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1100-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1144-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1204-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1376-315-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1408-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1540-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1556-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1732-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2092-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2164-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2744-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2848-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3096-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3104-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3204-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3280-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3524-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3584-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3928-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-101-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4104-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4168-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4196-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4308-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4420-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4816-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4828-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4900-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-441-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4936-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5032-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5048-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads