c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe
Size

62KB
MD5

41b6ac1317795f815648bc057bcfdfe1
SHA1

d936f709a80e31e716dc77b0a119f6b0ab79aaa2
SHA256

c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77
SHA512

6d55aa2a656e0b108ec4570d9a03b79194ea7eb0af1e42dafc8b4f330b80bcf9cc082e5ff779efdf80888d1956ce20b2a659e5f6955b21ea6cbc98ee7bc98c23
SSDEEP

1536:s5m70zZkTOHgywB0ApREFyLvy+9ve8Cy:z0zO0AnLvJ9ve8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe

Executes dropped EXE 64 IoCs

pid	Process
1648	Ifjfnb32.exe
3692	Iiibkn32.exe
4800	Imdnklfp.exe
1168	Ipckgh32.exe
4100	Idofhfmm.exe
1020	Ifmcdblq.exe
4436	Ijhodq32.exe
3680	Imgkql32.exe
4804	Ipegmg32.exe
5000	Idacmfkj.exe
2232	Ifopiajn.exe
2660	Ijkljp32.exe
2328	Iinlemia.exe
408	Jaedgjjd.exe
60	Jdcpcf32.exe
1840	Jbfpobpb.exe
4236	Jiphkm32.exe
872	Jagqlj32.exe
3048	Jpjqhgol.exe
4816	Jfdida32.exe
4492	Jibeql32.exe
3684	Jaimbj32.exe
3932	Jdhine32.exe
944	Jjbako32.exe
2188	Jmpngk32.exe
2540	Jaljgidl.exe
1856	Jdjfcecp.exe
2044	Jkdnpo32.exe
4308	Jigollag.exe
4052	Jmbklj32.exe
3488	Jbocea32.exe
3668	Jfkoeppq.exe
4372	Jiikak32.exe
5024	Kmegbjgn.exe
2932	Kpccnefa.exe
3632	Kdopod32.exe
1072	Kgmlkp32.exe
532	Kilhgk32.exe
3512	Kmgdgjek.exe
2824	Kacphh32.exe
3040	Kdaldd32.exe
4196	Kkkdan32.exe
4744	Kmjqmi32.exe
2700	Kphmie32.exe
3188	Kdcijcke.exe
4240	Kgbefoji.exe
4712	Kipabjil.exe
5100	Kagichjo.exe
2356	Kdffocib.exe
1076	Kcifkp32.exe
2088	Kibnhjgj.exe
972	Kajfig32.exe
4720	Kpmfddnf.exe
368	Kckbqpnj.exe
2648	Kkbkamnl.exe
1256	Liekmj32.exe
2804	Lalcng32.exe
1404	Ldkojb32.exe
1156	Lgikfn32.exe
5056	Liggbi32.exe
4512	Laopdgcg.exe
4960	Ldmlpbbj.exe
1364	Lgkhlnbn.exe
2200	Lkgdml32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5400	5200	WerFault.exe	217

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1648	2656	c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe	83
PID 2656 wrote to memory of 1648	2656	c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe	83
PID 2656 wrote to memory of 1648	2656	c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe	83
PID 1648 wrote to memory of 3692	1648	Ifjfnb32.exe	84
PID 1648 wrote to memory of 3692	1648	Ifjfnb32.exe	84
PID 1648 wrote to memory of 3692	1648	Ifjfnb32.exe	84
PID 3692 wrote to memory of 4800	3692	Iiibkn32.exe	85
PID 3692 wrote to memory of 4800	3692	Iiibkn32.exe	85
PID 3692 wrote to memory of 4800	3692	Iiibkn32.exe	85
PID 4800 wrote to memory of 1168	4800	Imdnklfp.exe	86
PID 4800 wrote to memory of 1168	4800	Imdnklfp.exe	86
PID 4800 wrote to memory of 1168	4800	Imdnklfp.exe	86
PID 1168 wrote to memory of 4100	1168	Ipckgh32.exe	87
PID 1168 wrote to memory of 4100	1168	Ipckgh32.exe	87
PID 1168 wrote to memory of 4100	1168	Ipckgh32.exe	87
PID 4100 wrote to memory of 1020	4100	Idofhfmm.exe	88
PID 4100 wrote to memory of 1020	4100	Idofhfmm.exe	88
PID 4100 wrote to memory of 1020	4100	Idofhfmm.exe	88
PID 1020 wrote to memory of 4436	1020	Ifmcdblq.exe	89
PID 1020 wrote to memory of 4436	1020	Ifmcdblq.exe	89
PID 1020 wrote to memory of 4436	1020	Ifmcdblq.exe	89
PID 4436 wrote to memory of 3680	4436	Ijhodq32.exe	90
PID 4436 wrote to memory of 3680	4436	Ijhodq32.exe	90
PID 4436 wrote to memory of 3680	4436	Ijhodq32.exe	90
PID 3680 wrote to memory of 4804	3680	Imgkql32.exe	92
PID 3680 wrote to memory of 4804	3680	Imgkql32.exe	92
PID 3680 wrote to memory of 4804	3680	Imgkql32.exe	92
PID 4804 wrote to memory of 5000	4804	Ipegmg32.exe	93
PID 4804 wrote to memory of 5000	4804	Ipegmg32.exe	93
PID 4804 wrote to memory of 5000	4804	Ipegmg32.exe	93
PID 5000 wrote to memory of 2232	5000	Idacmfkj.exe	94
PID 5000 wrote to memory of 2232	5000	Idacmfkj.exe	94
PID 5000 wrote to memory of 2232	5000	Idacmfkj.exe	94
PID 2232 wrote to memory of 2660	2232	Ifopiajn.exe	95
PID 2232 wrote to memory of 2660	2232	Ifopiajn.exe	95
PID 2232 wrote to memory of 2660	2232	Ifopiajn.exe	95
PID 2660 wrote to memory of 2328	2660	Ijkljp32.exe	96
PID 2660 wrote to memory of 2328	2660	Ijkljp32.exe	96
PID 2660 wrote to memory of 2328	2660	Ijkljp32.exe	96
PID 2328 wrote to memory of 408	2328	Iinlemia.exe	97
PID 2328 wrote to memory of 408	2328	Iinlemia.exe	97
PID 2328 wrote to memory of 408	2328	Iinlemia.exe	97
PID 408 wrote to memory of 60	408	Jaedgjjd.exe	99
PID 408 wrote to memory of 60	408	Jaedgjjd.exe	99
PID 408 wrote to memory of 60	408	Jaedgjjd.exe	99
PID 60 wrote to memory of 1840	60	Jdcpcf32.exe	100
PID 60 wrote to memory of 1840	60	Jdcpcf32.exe	100
PID 60 wrote to memory of 1840	60	Jdcpcf32.exe	100
PID 1840 wrote to memory of 4236	1840	Jbfpobpb.exe	102
PID 1840 wrote to memory of 4236	1840	Jbfpobpb.exe	102
PID 1840 wrote to memory of 4236	1840	Jbfpobpb.exe	102
PID 4236 wrote to memory of 872	4236	Jiphkm32.exe	103
PID 4236 wrote to memory of 872	4236	Jiphkm32.exe	103
PID 4236 wrote to memory of 872	4236	Jiphkm32.exe	103
PID 872 wrote to memory of 3048	872	Jagqlj32.exe	104
PID 872 wrote to memory of 3048	872	Jagqlj32.exe	104
PID 872 wrote to memory of 3048	872	Jagqlj32.exe	104
PID 3048 wrote to memory of 4816	3048	Jpjqhgol.exe	105
PID 3048 wrote to memory of 4816	3048	Jpjqhgol.exe	105
PID 3048 wrote to memory of 4816	3048	Jpjqhgol.exe	105
PID 4816 wrote to memory of 4492	4816	Jfdida32.exe	107
PID 4816 wrote to memory of 4492	4816	Jfdida32.exe	107
PID 4816 wrote to memory of 4492	4816	Jfdida32.exe	107
PID 4492 wrote to memory of 3684	4492	Jibeql32.exe	108

C:\Users\Admin\AppData\Local\Temp\c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe
"C:\Users\Admin\AppData\Local\Temp\c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\Ifjfnb32.exe
  C:\Windows\system32\Ifjfnb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\Iiibkn32.exe
    C:\Windows\system32\Iiibkn32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\SysWOW64\Imdnklfp.exe
      C:\Windows\system32\Imdnklfp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        23⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        26⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        31⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        35⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        39⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        48⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        53⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        60⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        64⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4252
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        67⤵
        
        PID:716
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        70⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        71⤵
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        74⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        75⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        78⤵
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        81⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        82⤵
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        83⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2916
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3704
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        90⤵
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        92⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        96⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        97⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        98⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        101⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        105⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5692
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        107⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        109⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        112⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        113⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        115⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        117⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        118⤵
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        119⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        122⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        123⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        124⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        125⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        130⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        131⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        132⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 408
        133⤵
        Program crash
        
        PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5200 -ip 5200
1⤵
PID:5364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
62KB

MD5
f3849489e7887a60aadc03e1c6a971bb

SHA1
bc2a64e972573afb1601bef3965ab9f5a8322597

SHA256
f6eaf99ff7c3b87b311abf71e2f1f7779c7d4e8c469134b9f42cd5bffa3ad322

SHA512
98a102322d4f8f53e6070a3c7fbdd8b1cab67e69421fd68cd241ae66729d403fc63fb12a30e20bb0943bc22b1665b6ad3c5f5fe498d73464ef249e25d4205829

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
62KB

MD5
4fb8c6afcb976a2e5882b7381a969d54

SHA1
5fe74b7e1711b3d631f1eeabd0e69c8b940cb874

SHA256
0d7ee8cefe7a44fc9d254570638a2a4b5878f1c3f63846c288e0f92c784ae9b7

SHA512
86ffc60745a0a0af1ca3a8c13061828941ad75810a44d2af389d5204edec0bd4354dd8a37a98c8ca4a9d45f3c04ed2cc0597e57d10314ebac47d795aedbe15ac

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
62KB

MD5
26f126d3c3fbb5526029ae6de1a890f8

SHA1
18ece4f3eef638a31dfd9b6da108023517e3f992

SHA256
828ea7c63a1a009433ed1d628496c624753a7d5fd723373d7385360e62e22aeb

SHA512
b30a0738aa6b015bde1b2a18c3f36e990df7192043266916255349f2ef712e0ea38f0844e0ea21777a32dbab3032b1de2493e3e339de7a6d7c6abf281cdaa726

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
62KB

MD5
ea8659015826a0180832d64924646fd1

SHA1
c9ad72ef0d64e6714f16f84b0247e0c74134e618

SHA256
77649e659d36a5ef00c8fb7f562b89eed7f0c38abd5ee28b46d4237ab6dcf1aa

SHA512
4fa68f92d2569200ab3adacc6bd5627444967b86300913b93bc4cf2a5a92084c8dbd4ee1ddb896111095d984a30e84804ace0a63f209bf2709699ed6b5891704

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
62KB

MD5
4185db34f665e59677ac5e483c3c8865

SHA1
4e08afa9dba90b81281204bbb7464dd9a7a07b02

SHA256
30ee855828bcf7e8c9510954559ab31474135360b143b22cd0a035a91c9cadba

SHA512
805e1f6e38d105436acf852cf0e444df8083cb077bf36f71369eef4f8c99d000b97d4b688ce4492c8eda5ceca30d53e53c3ab861a4484150d12822076aaa2560

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
62KB

MD5
2f0ee51b94e0ec546baa44f095859065

SHA1
f0d4bbb37095429c607aad185e9d0f540a8a567a

SHA256
40d561053d64084395b1c6f5141513624f6f29dee37d2bb332a2df267545789f

SHA512
1ef1030336e83f97e332aa9b9b8cbf3f8c57ab51e420310ae4bdf18f358a6e7a6a36fa016dafcadc1e57654fe1119a60adfcd4db41c46fe2ffd13980ea4008b9

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
62KB

MD5
fe55bfe263a0d147caa3fba9eabfaa43

SHA1
7fdaa07b20b662b306c367630cbd149eade67808

SHA256
dc5f40b6fe9828810c7cefdab8ef754a8a6869b0905246e4ad9dbb39850f2e87

SHA512
4244b7aec768bf05c45f65f3cb80de45fbba5ba8c29f0f5151f856b67f889c9ce93afae17f3a0fa7b9ebee539b0551380d3fc4865c581069ccbea834e9bcb518

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
62KB

MD5
a9b3d4ae3e7f21082a20fae6721dea2a

SHA1
ee48b0f560fd7bbcc7548a53fe228e517ac27797

SHA256
7d6e2728c61a4fa3fe3aaffb609ee52e5c70bce180e110a59ee957cb65a0a35b

SHA512
ec0521d46435c535f7f4465003da0fd9ac53d2bcbe1fabd8652387dbea5e51d30af9d68fed32288dcf37c9a71e0dea392c86f97148d897ad6bf38c471ca2d995

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
62KB

MD5
0dc185e39893f1068dd38e847778ceb5

SHA1
330a1278f63ae31a7c6fa2affc43d78ba7fb6020

SHA256
5ba76e83b1f0d0eec58f33667f23a028434826227a709e1606132e251efe4d0b

SHA512
94a96c597c5fde7c6c6e809e75bd289c7814a5a496564b2eb2c3533033b79773111cb06d9e26ef19e08511dcc35578d0dc3a75f15c0e25d8e14e68e06c981154

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
62KB

MD5
732dcd096fd3c660724e1c45af856d99

SHA1
dc5fd975a2f89e9ffec57b1816d9d314806c23f1

SHA256
3bcc7160311650fb8b3cd38c2cf41c95d407c17d37965fa7b38edaa78cb49e4c

SHA512
0d9b26863b9ce361244773bdcf62f9e8f1acc152d4e468243903fa0f77456889f9287e4673c45820ad32c2746217134ebe8e0667c3802a4d1c0919adc6951f61

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
62KB

MD5
b9e4df7e0c53d1f7c9884c341fe88025

SHA1
2ae0ef00ad37309d6c76e5eed726c6341a49571b

SHA256
7bcd2093bdbf355d38001af8264cdd7b33e866045f39b2cf96c089f80a9aadda

SHA512
78155a2a77110d0bd05c042e0cfe6644e3dd5b1dfa3835838147771069bb84e2b36bd03347a33b4b114b8f18f2df05bf60037918770c991b3fd918d928671622

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
62KB

MD5
0873e941cf62a732c5d5f1aedf599157

SHA1
fac6f2ac6611b2d135adfa4bcba283d566500221

SHA256
a9295528753e00962be525dc4dc344e61c0331b965fa2a7be0401d796abcbf4f

SHA512
d1329e14d0b9aff56b775b712341769d8b3660117992b24886ceb36c7bc463ea519cea124c448f60b1897d859b5dfbeaa6098fddff06deb54be856e440955491

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
62KB

MD5
308d5ef9f07f3408f76e338e87e966bb

SHA1
75b1d29edfb32d028d7693b6d8afdc5cd9a3ce4f

SHA256
fd93c2a8cbccb788225d048c87025ef42129289c4f9a9bb315a7a4ca0fe939b8

SHA512
03d78f3f5a29b9bb890a46d6adf6518da4fcb62bf8e7d971a708aac7719eaf9d320b2918ece6cf1318c24df132fabac334e22956901737a9a9d2fea0cf26a1df

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
62KB

MD5
db0708b68f853dd867dd2f3395e038ec

SHA1
38b5a878dfecc3efa2642e73f63f83ac91f9b70d

SHA256
851e6a0ec5bc604d23ee5c4350fca2fba9f449a227d9749d8b3c211c5e86c6b3

SHA512
a50d9c91f115c9ae51eb298824cecdfa1f274648689e2dd3710b2d7cbdeb594ff7dc4505acbe683cf83e6784a52e7b288e106186b6f6fc6104f45ff44d8630ac

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
62KB

MD5
438fe0dc506bd5a4ac4a7ba0a8b772c0

SHA1
7bf3e9355d6ce9ada60c6a64fc4b13b21fa60482

SHA256
4e8e44185ad9b1fbe15ade0758aede7803d4902b12d95ce3b6c6c7729fca6e24

SHA512
eeef693cc4f01279feb0997eeac52a741069407d70a2aa9640b3ed8d1bb575285381ec567713369bba2cf597b586779315f3e56f166007044397d937e6c4076a

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
62KB

MD5
8edc77d3d67cba919efc4109634931af

SHA1
c0390ea6db0cb47e9723767b9fa76deb32c4d617

SHA256
27b6be0232a8b2b86aba3f0df738bfa9526dbdbe7196138f9ca325dac3f8a2f5

SHA512
5d99fc84f0e01ecf022a2bda382a1ff7fc849134f9482bc3082f0535d288d474692e7b125520e8152e9bc8e26d60dfe69ca9afde71b1b5022cfe768814103f4c

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
62KB

MD5
0cfa1b1d7743eb78bc26518ee567bdb4

SHA1
47400e4dd7bbaf5fd35ea9e47599e38a5ba78198

SHA256
37ad07d950e3148073f5eec8d35e2b704fba65be159ff8577f2f7e0f07f4154f

SHA512
86a18c5516e2c67042a52a30c8c4ad8020a75c79055ac5d51a7eca118d7a54a66aee40dfe9ca77369df430dcad10995f2a5d609e7090135bc6025802230b127a

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
62KB

MD5
e0f4230159d2078a606c1511f38860a2

SHA1
17cce476088128dff2140f2f5e5968a5b3c28608

SHA256
dd7c56e97ea0e1425a57d2b7b046fa6ac36c7d137a8ae45a066c5daab693076f

SHA512
9b1c279792a490237aac57f774292944026a01659ef341f5b460d4bb012f082d2e230fcb66ed2175feffc65c5716ea1620a8c46bb07b28fafbae4fbbe8b1e521

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
62KB

MD5
b9ac423ce49dddbd9f79aea213a50cb0

SHA1
bfae75a27b7939a13e258e298e8247e8acc7ef1a

SHA256
56a56fa6d2857349af607e4530579ce29900a7a288a5ae3b5924b0001d14a126

SHA512
b5c7f4b145112b4f228d5577ad668ffd32ee3d6ebfe55411dfa284d245a1d4857f63cb7ad7629004c28047c9f0d9e6379fbe4c47b06d319d9f182e0947bf4364

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
62KB

MD5
136d2fe80cc3ad746cba34646f35bdbf

SHA1
2c5225cace8a5df1b826bd491b44c3e8d3f9db70

SHA256
e224d74a7027423a0e243217b0c4cab6def8913ead0b916e2a3f550bfb80e1c7

SHA512
9955bfd642f9fb4646fd110b756e5dccc654dcb0a9921c276675742787cb071ca895c04d10193425f486fabc33518c3d088293718d36f53820c9232d32de33ad

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
62KB

MD5
d6c9fe525891d0688544626482b5d39d

SHA1
4ae2c7cd2c89299c3dcc465dd8bfdfc31d759410

SHA256
b6f8ec87d03f717d7369f9285c3b3d9a2d71c5120604ef5f2da7bd2022182b0c

SHA512
d4b23aaf1329d19a8ef98d51351d594f399849e7e6289620eafd25330def7e3da6c034d7df4d1e01149635b90a1cf41638d6315c1f6dac99226cfa87edf5f5f2

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
62KB

MD5
1ef91328864a1699e4258825d2b1dc47

SHA1
59fd5de9b54f26da5d923096c09c3adfe58607dc

SHA256
5fd60c221fcfeebc1c494107acc711fc6b2adb25c53547cfd8c9400d7d21e368

SHA512
72dfb707485891acb8e54ceb2d095910e5be03b93d73aeacdf3ee67a05c6c9dcd8a50878ae0e5185d8ba1e68c6857337b450a0a1024f9914dc7a40017a88b82a

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
62KB

MD5
218d0a65451dab553f79c070651e5054

SHA1
8f94bd19792368f83d91fa6c7e56c7cfe7043268

SHA256
f4cc63db56aacb71f5e4abb89b1c98859069c0f1d5ca0f909be54d8064dc100e

SHA512
72e252b8386b6384569dbf5b3c0b6d40f0e562ea69b6530609e76668f0fed0304400b79a98cb322f9043f20f228ef5b4077256ba773245bef9cdd34136c79b88

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
62KB

MD5
3c0f0bd7b7dee3aa5515ad29a8717d55

SHA1
b1172036a87d41d5c176d36ca9a40cf46b5bec3e

SHA256
fb6729f38cb1b81a88f582c91631f13eafe7ba7dc6b763f0df4fb04f4beba046

SHA512
3d84741912c4700d5abb4e86f2437200bba787a59ca5af98d4c06b1fd7dedb9d0fe0a039606f5463f1efd8c8d9d63cb7ecc2d1b8f0d8ff0a5cfee53b66add44b

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
62KB

MD5
253be551ff186228310d19d16e49ea28

SHA1
64e4d553c9f84a8f7552371f1213256c4f46bd3b

SHA256
28a98fddd8e9e44c000f125c0790b1547f2c0c119715d335a26d4a4531be38eb

SHA512
194c9cc08e9c4b5f63a9b974fab7ced8684d5ff63c64a749da4c4ce519c3a41218237820c816f48883e79f4cdf3874068e0392197515b8b49a06b4989bd4ba31

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
62KB

MD5
1782e5129f1d78764551721e3f643f3c

SHA1
b488c669807773a6a41c9e43d57996292080bbe7

SHA256
64732553553fdb325d1d8a8215b4b6976dd08cc958a9c1c25731929f39a4f81c

SHA512
2ad39df703a9be8449a7b22651edd798597835e0cf830391d97c5849e56ff34bf0049299974ecedb009980fac81fcecf734b2eb997b12762814dd58071c98fdb

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
62KB

MD5
9e7e319b20fc936cf1375e817901f9d2

SHA1
7d31a0a1ba4aa06c29fac1758a30094dcf7093a5

SHA256
0bcf27997ecd9250ac08814e1a89c6de46b1f1d810b59225eb46447210e872af

SHA512
a2796aa0df055b7f12e4845b8df37bc642b5a40b9ff8043a728dab438fbe4e455bcab347646e98fd62552ac65687b3ef5aaf59c280f0435153d516dc30adb57a

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
62KB

MD5
9d91f1904c4cbe427f87b8c23a97a1a3

SHA1
b882b8774769adb4d1c6c3cc16a1e6d287b92019

SHA256
6a9c6151f002db546fe5a473501b8b7460bcf28db3953fc2de2d7028f258ce92

SHA512
ed412ed4596ebce69ddb70944d91ee2b1fef70581e05a378f73187644c315d3b922f28f9e6c585461f8f44a84abaee1ba013ac4d765dc328eae00918216d59ef

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
62KB

MD5
e67fb26f923d719b09c0ac4b61f29bbd

SHA1
1f40a87e9e189db48b873e6205f751cd2a8ab0a0

SHA256
0b7467b9998cd5868e35946ac3a9cd97c0c909b9dd9f012f2819d79253db744f

SHA512
013081e4ac669b6a4d1cae6e93e175fc98565e53d396ae624ff4968165ff8bc0c2e213a1c34b309f28c09b2d23a5fe5ccc81c743214f2994f3b6088d319ccaa2

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
62KB

MD5
be6449046e277ce98ba089f84599c90a

SHA1
1d036c9f7d5c2980fa682720450b8affd49234ea

SHA256
a6ced0aad3a30e0d5829390068da0ede1a3b859cb9098c2e82efe6d10fdae294

SHA512
99ad5aaf07c57604c8ed3eb99bfca5deb9dc4bf8761676aeccae8641f6ed94adff38beb8cb0a4e0e4d498d2fc557bf7860c4b654158401368bfcedc7acadcd77

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
62KB

MD5
e30c9322df91039a32bfa481270ef437

SHA1
c2d0484d296348237999091fd8857bf24ed08836

SHA256
02342e81baff347c369f74d9fc3508bc0817875306d63463fc579e3d62656e96

SHA512
ac875af5a841774b1ed52cf67154d3a8a52178775f6e004226bda9edecb75b368d0fa84761844f04a0098585f07060a4ca6e5e2fa8e7c12ee831e6db7726d65d

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
62KB

MD5
731041fd8fa04ec3cd39cb8b427da165

SHA1
f74068a2eb3aef64beb819a2613094bb2932a612

SHA256
13c531334598dd9c3c4c5b6dc6a5557b19a937e39e086b5af1e5ead1b196922b

SHA512
8f2d14b5a86d43f0185effd872c8f16102e4c6566db9ead346e283998a1e2e38ef607647d15dfb61dd79ed14639bde3e2e99cd92a5bb7da6ec8815f9c7a13f35

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
62KB

MD5
0defec99dc212bb23753a3d977e4edfc

SHA1
1898fe3e250616b6ae8656958b1a9e099060e97d

SHA256
bc3ab310ebb881876f0445d09040f0305270bfe1b0b21a91430df3a761828be3

SHA512
fc1405c4ee6fb2963cffe0814413bc916a8b43b404768af101af50f2b5b7a338e993ce5768c52be33133b3b1ca31e3497a14cabd4d04a8455cb664d6327fb8c8

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
62KB

MD5
b54b886e2875ad3c3936725499bc18fc

SHA1
b84271fab3758370fef0e1d7fc249ea1d919e8be

SHA256
0b26e5e0b6affd35a6fbf9b97212ce16b3a0f67ea9084f22f4662139ff608ac8

SHA512
2b2d903ac5bd8a2b8f22fc06b8da5ff83159dedd690fec51a7978fdea45aed64bdf8378793b1c32122d7fe54ffb403f8cefe4ca4e44d12029283cde779ef76c7

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
62KB

MD5
619d13217d2b48c1abeeea6226c9f8fc

SHA1
9e66af5e7899dbb861ceda37d098aa6e65b78bc1

SHA256
3f8f30d79f52cbc782a3f897d18943dabd838228663b1f1e2c73a955d8edc7a0

SHA512
44665421cd4b43df392bc6382665303d64e9e571f3d87a6fb2d47d578dd8ab7f644f38d9c69694adc70cbca88ea7c7cf4bcb86709b7905be7c620eef03f68b20

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
62KB

MD5
a2dd3d9f1c01c5a8b4aa8542fa559e45

SHA1
476cdf3b9be4dde92f92575c35b674362668bc02

SHA256
fac2030940d6bf1429ae82c437f95e70522e3ce9a69b871acdf8e4b5d5725308

SHA512
fccc63bb16e82f97fafd47acc1e5ba7272c2bf5117c1778e77464f32ddf411a2622db4acdc95a1e12344b724c29bf40d02ec4538edb9ff1cb35a0e0456d787df

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
62KB

MD5
97c6203658fb99f5760e03a24706a253

SHA1
7379cf13ca8b8a4a2a3d097a83de70fa0abecd64

SHA256
d37e65d68b4df3608d502332640b2cad17a12aa11f130cb76ba4f5417f111435

SHA512
5574b0d747d115fab234d52004b0dae672bd83b9bf520ff6a0b45944237cbb580cec33ebfa83dcae4e679ad4964ef1b0d879d7f7004c0b22494c4233bc4f1fe7

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
62KB

MD5
8b59cd6f5701573a25df414dccacbe4d

SHA1
0ad44596ac48c88c28686a775dbe7028ec81b5db

SHA256
df22aaa15e08a35d571f7c5eb56438f877d0aa26b1efed7b2594280a0ea09ad0

SHA512
3c2dbd1a1f7a9a1a1149003e1f2575f366d7a91c096f71980be7cbe03c32cb8e41b7b693745e0c69e1ce73eec8edbd2459c0f975bf5b75218392bb0c0cb45165

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
62KB

MD5
02469366a0c69964651907eabb2e6f91

SHA1
40ee36d0631dfe18230ca5fcdc09f36db026ee1f

SHA256
d4fb3353db96c690747dbf830835c1e51d3d79f6c754944ffb4a38ed8497943e

SHA512
16d8e7c461e8a8b053f375e1558b63dbf53e83f70d19c2dd3725c41242ce08aa3bfe780da898716f9feed71566578cf34cba2a0874aaf1e40e1e0aa35c8f4bfe

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
62KB

MD5
b1a1631aa1b697a56ab0945edeb73d55

SHA1
0e21a83449dc8b8e822fb4dc0c40c16af8ea515c

SHA256
d0de1e5d42bad16341f4b4f77e806e7ccff65e92e01839706fdf157baa86760e

SHA512
a6572457dab35fdfe84a250e973a7ce72923e51f6e328e470364f2e0f91c511d6c683dad07b4d199bfaaf5cdae8e6c833ef78b9a11a50af2f6974e3ce42f61cc

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
62KB

MD5
4a820ba2f1d490e145c08f9c836acd56

SHA1
2572f0ccdbb991c680a8ab4e5d10e5ab54944f03

SHA256
871c33474b11add40aeaf1411a77ae9bc81351e0725e9f0af52edef758320c7c

SHA512
1ee6f6651bd4ee3ef05c2e585d3feabd5ea898a6c03f00ebbbe0c79cb68758eda729d55b10e341138a1009248088a9076ffaa0c88810750b18f488274b3f2f1c

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
62KB

MD5
8d85b4437233c16d4ccc3bca07548a8a

SHA1
6b364110374d6b7854a2d5c8fae803f2db8c5b48

SHA256
aee5f7219efa7cb2048ccc4732f038ceaa684d9e011661f48bbf2320a9835479

SHA512
a1e84bc72ac4302f5fda4a040c96ddd61a8a7ff1f1660a670710f3c4dd067a626c7af5a9b5a98a8016ea3c6b84d37c06528b44f8737f39eb46a59fad9a801a0d

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
62KB

MD5
45b84c04ab9c32c8da9329aee61a1f69

SHA1
4d138d48180fdabd2191ecb2fbe8d3549dc978a7

SHA256
3f61f57addd3d33727c3d03defcc997f315ed6988edbd4eef7547aa65949f13d

SHA512
4d2b56aff1925fec8f731577efe87edb05f0b48fe9c1f06a035852fbdcb3c263085d6fba646de166d7091108875418a2bffe8e3bd4e5fe4348b490fb8a13ccdc

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
62KB

MD5
738675a7bb31d79134ee3a63b39b0511

SHA1
73329fed987df19f311497a35437efece4863a1f

SHA256
a150d90fe70c8595bbd3ba50a41bbe9f868cea9c81b0c40e705a700261051d4d

SHA512
b29adf97706ffc3ba7801ccbb542e35d15584e158feadb3066f1e2bc76795a5885c936612fc168510855493c03d7e8d7efee48575f10c89f583e981711c05236

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
62KB

MD5
d3b39216740394a63670e6f1fd74d42f

SHA1
f54deb5903975e7f2061ada5a721c28e747e5a36

SHA256
baec73359484874e1ace68f1e291f24d11ba949542850c9eafbaf70e9079d773

SHA512
a44004eaec4d9c60b0d85ba64897fcf84c7eef241d524b05ed3ad1c92f312e69bb9cff5a5ff4fad203ea9e83bd25290683fe7b3601bf1bbdbb2adac1a7a0e671

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
62KB

MD5
33167b77c991a4366f8649c1f7bb120d

SHA1
6887cf32ef64fe132d997644ef10c13e0c6e3492

SHA256
114ac24323b5146d535e88a3ec33bf7ab0d967a9c0918ba22df7a51ae19d0f2f

SHA512
f52209fff699c1cd1a63ff5351dc42db8b8795f365c1442aeebef9503c80b9f6793008a1d966ea4b96470b1819c268f4be77c33583b313e4c00dd6ad526d781a

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
62KB

MD5
81e4c735b1c46a737308a689fb1de2ce

SHA1
12458e14db5e40bbcd93e77823a1275199234b43

SHA256
b179df5ccdafeacbedf354f56cdd333809331e6e158f5629ff20e8e5c3f52f47

SHA512
d310993cb7cdc61aa016c8953e262968071c6470403327f681cc6fffc72bdf73a0d739884b133cff613eecc8dedf1da1a5f3478ff94dd18edbb9dd34201f7bfd

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
62KB

MD5
3805306ed7ea3cf946b683bd644a2804

SHA1
48d96497d99a54bdd871b366613dfea2bb4e0059

SHA256
93ab1f6cbe11cf2aebaccace8195eaf57fdb727f2b22dc18b4c633f48ac18ec1

SHA512
793c9534dce4c4004a2815c87cd01fe1809ebb72cb605444937064528943e1a240fc3bba8e34617f319ed4536e1620cf18bb5deb1c3863168b79a94dd9842753

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
62KB

MD5
ca03b66b122a3c24272b70daca12b4d1

SHA1
05e97d12727bf0ad8736d14b3d5dddaec159252a

SHA256
f479857d3fecbc0da9344bb48f49dfdb7c5efa7d73a21f7e6817097cb890e215

SHA512
210325da129d91dbaceeecdd8aa3d2b558087a80c191545d90a7363ec1d06d4e050dfb1c72707b63627ee21cf9f2e1c70473d4d229cb79ab8cfa3ba7fd07d6f8

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
62KB

MD5
f55e2dca090caabed8a3db183ccd2b17

SHA1
e1e50558dec15c9a32910a66b6dcfc711d43175f

SHA256
18a22be5c6319ccef8a54ca2ee47703b880ad8111419da2e26b99e9a6a6eb320

SHA512
f955aa4b42ad6c8f3b5100017b3b70973e0d8a47509b81b0dd3854f40fe8d9040f6f62173b301e8a52742bba2ac41b7aa6435bcaf896816176cb4be8680305df

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
62KB

MD5
033583c09824a2d9205414588e87b40d

SHA1
5bfc0e866d84886d8807ccb99f803c583b3b6ae4

SHA256
1a116f83aba768b5ab5eca40d104e26496c48d158b82fef58b86af644edd42f6

SHA512
b95b507495502137c771d4e501cf212fdf2f22e40f0dd03db35d51cb6f08145a4904e003b6f16528dad4a0454a3db77cbca06e90746caa7a8477f46e7dbc9343

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
62KB

MD5
ca731d0bc0e8e6de34346b73be479fa0

SHA1
4d9dd421d05d3190d24e850dc03a70c7b809a2e0

SHA256
97d0d119454b7353acfb168335784b13528c4ff95ede0716892a3839c36b6a64

SHA512
e55046afd6156ab53aff10282f534bb62ab30713f7a62c2477311c2a69f22588ad07d74e57966d96cb3fa604e8048aca3faf81b1c699bc7fb9afe993b99196cf

Download Submit
memory/60-131-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/368-423-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/408-205-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/408-117-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/532-318-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/532-383-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/872-239-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/872-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/944-289-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/944-210-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/972-415-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1020-53-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1072-311-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1072-376-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1076-397-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1168-37-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1168-116-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1256-436-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1648-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1648-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1840-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1840-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1856-310-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1856-231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2044-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2044-317-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2088-404-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2188-214-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2188-296-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2232-179-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2232-90-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2328-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2328-196-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2356-390-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2540-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2540-303-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2648-430-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2656-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2656-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2656-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2660-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2700-361-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2804-443-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-331-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-396-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-363-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-297-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3040-403-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3040-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3048-253-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3048-162-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3188-429-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3188-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3488-271-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3512-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3632-308-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3668-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3680-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3680-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3684-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3684-188-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3692-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3692-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3932-282-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3932-197-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4052-330-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4052-257-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4100-130-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4100-41-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4196-343-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4196-413-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4236-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4236-230-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4240-374-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4308-254-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4372-354-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4372-283-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4436-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4436-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4492-180-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4492-270-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4712-377-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4712-442-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4720-420-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4744-355-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4800-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4800-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4804-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4804-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4816-175-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5000-82-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5000-174-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5024-360-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5024-293-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5100-388-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5100-449-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads