20701ebc22289176347964395c43a2543457ba7b9c25f30fdce0ab905999730d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20701ebc22289176347964395c43a2543457ba7b9c25f30fdce0ab905999730d.exe
Size

669KB
MD5

09cd9b7b9cf5297f3a8870ffa95a3e8e
SHA1

49a561dec54fa74da03cf10fda67c21bbb269d9a
SHA256

20701ebc22289176347964395c43a2543457ba7b9c25f30fdce0ab905999730d
SHA512

2bd351d1a30d0c034d0cbba23693a30c4c8ec1da0f05e190136d2215b5d9d09294244c0f931140f62aca0495319de9dff1517794fef9512cb631a76b220aa63b
SSDEEP

12288:R1veVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:RQchMpQnqrdX72LbY6x46uR/qYglMi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe

Executes dropped EXE 64 IoCs

pid	Process
5108	Jmhale32.exe
1516	Jioaqfcc.exe
1116	Jefbfgig.exe
1960	Jlpkba32.exe
3512	Jpnchp32.exe
3280	Jblpek32.exe
4880	Jifhaenk.exe
3240	Jpppnp32.exe
4816	Kpbmco32.exe
2108	Kfmepi32.exe
2712	Kikame32.exe
5080	Klimip32.exe
4544	Kdqejn32.exe
3940	Kfoafi32.exe
3644	Kmijbcpl.exe
3764	Kpgfooop.exe
1144	Kbfbkj32.exe
528	Klngdpdd.exe
1172	Kpjcdn32.exe
1180	Kbhoqj32.exe
748	Kefkme32.exe
3060	Kmncnb32.exe
4004	Klqcioba.exe
4952	Kdgljmcd.exe
3692	Lbjlfi32.exe
4324	Leihbeib.exe
4476	Lmppcbjd.exe
3872	Llcpoo32.exe
4528	Ldjhpl32.exe
1664	Lfhdlh32.exe
376	Lekehdgp.exe
4404	Ligqhc32.exe
4208	Llemdo32.exe
908	Lboeaifi.exe
3332	Lfkaag32.exe
4076	Liimncmf.exe
5056	Llgjjnlj.exe
872	Lpcfkm32.exe
3624	Lbabgh32.exe
3496	Lepncd32.exe
4256	Lmgfda32.exe
1564	Lljfpnjg.exe
2944	Ldanqkki.exe
4844	Lgokmgjm.exe
4160	Lingibiq.exe
1816	Lmiciaaj.exe
3504	Mdckfk32.exe
2728	Mgagbf32.exe
3824	Medgncoe.exe
4488	Mmlpoqpg.exe
512	Mpjlklok.exe
1160	Mchhggno.exe
4084	Mgddhf32.exe
4868	Mibpda32.exe
228	Mlampmdo.exe
1056	Mdhdajea.exe
736	Mckemg32.exe
448	Meiaib32.exe
4536	Mmpijp32.exe
4728	Mpoefk32.exe
4484	Mcmabg32.exe
2344	Melnob32.exe
3304	Mmbfpp32.exe
2780	Mpablkhc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kikame32.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Kefkme32.exe	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Efjecajf.dll	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Fllifblf.dll	Jmhale32.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Mdhdajea.exe	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ndqgbjkm.dll	Jblpek32.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gnbinq32.dll	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mchhggno.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Kdqejn32.exe	Klimip32.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Fqplhmkl.dll	Jioaqfcc.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Kbhoqj32.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6148	7064	WerFault.exe	256

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlplhfon.dll"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqgbjkm.dll"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 5108	3164	20701ebc22289176347964395c43a2543457ba7b9c25f30fdce0ab905999730d.exe	85
PID 3164 wrote to memory of 5108	3164	20701ebc22289176347964395c43a2543457ba7b9c25f30fdce0ab905999730d.exe	85
PID 3164 wrote to memory of 5108	3164	20701ebc22289176347964395c43a2543457ba7b9c25f30fdce0ab905999730d.exe	85
PID 5108 wrote to memory of 1516	5108	Jmhale32.exe	86
PID 5108 wrote to memory of 1516	5108	Jmhale32.exe	86
PID 5108 wrote to memory of 1516	5108	Jmhale32.exe	86
PID 1516 wrote to memory of 1116	1516	Jioaqfcc.exe	87
PID 1516 wrote to memory of 1116	1516	Jioaqfcc.exe	87
PID 1516 wrote to memory of 1116	1516	Jioaqfcc.exe	87
PID 1116 wrote to memory of 1960	1116	Jefbfgig.exe	88
PID 1116 wrote to memory of 1960	1116	Jefbfgig.exe	88
PID 1116 wrote to memory of 1960	1116	Jefbfgig.exe	88
PID 1960 wrote to memory of 3512	1960	Jlpkba32.exe	89
PID 1960 wrote to memory of 3512	1960	Jlpkba32.exe	89
PID 1960 wrote to memory of 3512	1960	Jlpkba32.exe	89
PID 3512 wrote to memory of 3280	3512	Jpnchp32.exe	90
PID 3512 wrote to memory of 3280	3512	Jpnchp32.exe	90
PID 3512 wrote to memory of 3280	3512	Jpnchp32.exe	90
PID 3280 wrote to memory of 4880	3280	Jblpek32.exe	91
PID 3280 wrote to memory of 4880	3280	Jblpek32.exe	91
PID 3280 wrote to memory of 4880	3280	Jblpek32.exe	91
PID 4880 wrote to memory of 3240	4880	Jifhaenk.exe	93
PID 4880 wrote to memory of 3240	4880	Jifhaenk.exe	93
PID 4880 wrote to memory of 3240	4880	Jifhaenk.exe	93
PID 3240 wrote to memory of 4816	3240	Jpppnp32.exe	94
PID 3240 wrote to memory of 4816	3240	Jpppnp32.exe	94
PID 3240 wrote to memory of 4816	3240	Jpppnp32.exe	94
PID 4816 wrote to memory of 2108	4816	Kpbmco32.exe	95
PID 4816 wrote to memory of 2108	4816	Kpbmco32.exe	95
PID 4816 wrote to memory of 2108	4816	Kpbmco32.exe	95
PID 2108 wrote to memory of 2712	2108	Kfmepi32.exe	96
PID 2108 wrote to memory of 2712	2108	Kfmepi32.exe	96
PID 2108 wrote to memory of 2712	2108	Kfmepi32.exe	96
PID 2712 wrote to memory of 5080	2712	Kikame32.exe	97
PID 2712 wrote to memory of 5080	2712	Kikame32.exe	97
PID 2712 wrote to memory of 5080	2712	Kikame32.exe	97
PID 5080 wrote to memory of 4544	5080	Klimip32.exe	98
PID 5080 wrote to memory of 4544	5080	Klimip32.exe	98
PID 5080 wrote to memory of 4544	5080	Klimip32.exe	98
PID 4544 wrote to memory of 3940	4544	Kdqejn32.exe	99
PID 4544 wrote to memory of 3940	4544	Kdqejn32.exe	99
PID 4544 wrote to memory of 3940	4544	Kdqejn32.exe	99
PID 3940 wrote to memory of 3644	3940	Kfoafi32.exe	100
PID 3940 wrote to memory of 3644	3940	Kfoafi32.exe	100
PID 3940 wrote to memory of 3644	3940	Kfoafi32.exe	100
PID 3644 wrote to memory of 3764	3644	Kmijbcpl.exe	101
PID 3644 wrote to memory of 3764	3644	Kmijbcpl.exe	101
PID 3644 wrote to memory of 3764	3644	Kmijbcpl.exe	101
PID 3764 wrote to memory of 1144	3764	Kpgfooop.exe	102
PID 3764 wrote to memory of 1144	3764	Kpgfooop.exe	102
PID 3764 wrote to memory of 1144	3764	Kpgfooop.exe	102
PID 1144 wrote to memory of 528	1144	Kbfbkj32.exe	103
PID 1144 wrote to memory of 528	1144	Kbfbkj32.exe	103
PID 1144 wrote to memory of 528	1144	Kbfbkj32.exe	103
PID 528 wrote to memory of 1172	528	Klngdpdd.exe	104
PID 528 wrote to memory of 1172	528	Klngdpdd.exe	104
PID 528 wrote to memory of 1172	528	Klngdpdd.exe	104
PID 1172 wrote to memory of 1180	1172	Kpjcdn32.exe	105
PID 1172 wrote to memory of 1180	1172	Kpjcdn32.exe	105
PID 1172 wrote to memory of 1180	1172	Kpjcdn32.exe	105
PID 1180 wrote to memory of 748	1180	Kbhoqj32.exe	107
PID 1180 wrote to memory of 748	1180	Kbhoqj32.exe	107
PID 1180 wrote to memory of 748	1180	Kbhoqj32.exe	107
PID 748 wrote to memory of 3060	748	Kefkme32.exe	108

C:\Users\Admin\AppData\Local\Temp\20701ebc22289176347964395c43a2543457ba7b9c25f30fdce0ab905999730d.exe
"C:\Users\Admin\AppData\Local\Temp\20701ebc22289176347964395c43a2543457ba7b9c25f30fdce0ab905999730d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\SysWOW64\Jmhale32.exe
  C:\Windows\system32\Jmhale32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\Jioaqfcc.exe
    C:\Windows\system32\Jioaqfcc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\Jefbfgig.exe
      C:\Windows\system32\Jefbfgig.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        23⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        27⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        30⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        33⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        34⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        42⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        44⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        45⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        50⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        52⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        58⤵
        Executes dropped EXE
        
        PID:736
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        61⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        63⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        64⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        65⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        66⤵
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        67⤵
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        69⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        71⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        72⤵
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        73⤵
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        77⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        78⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        79⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        82⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        83⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        84⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        85⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        86⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        87⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        88⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        89⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        91⤵
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3264
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        97⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        99⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        100⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4980
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        104⤵
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        105⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        111⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        112⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        114⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4428
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        118⤵
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2900
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        122⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        123⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        124⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        127⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        129⤵
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        130⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        131⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        132⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        133⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        134⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        135⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        140⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4932
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        143⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        145⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        149⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        151⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        153⤵
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        154⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        155⤵
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        156⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        158⤵
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        159⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        160⤵
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        162⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        166⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 140
        167⤵
        Program crash
        
        PID:6148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7064 -ip 7064
1⤵
PID:7132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
669KB

MD5
de697333a74f8b3a07beb07679d0ad9f

SHA1
e0705f378251eea2ce2fa83593aa3e136f59caec

SHA256
89922ded539238266dbdcd3d0040fa6326d2d857279913c67e62ab66f4f7cb63

SHA512
cd2f61e6fe9b0557798372f148fd6c65b351c87504d828ca510a216a26f1fc609eead960cd75d37c47300d0097a2e79ad41cc07cc251f0bde911aa7fdfea73ff

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
669KB

MD5
babb34425205bd746772243ea384fb85

SHA1
f55093226bc3ec0d74820a03594928e3e7494bb8

SHA256
7fe0918f831785a049a8e8411b0fc30e383f138e0a8cd2f373772a40e85c1f41

SHA512
479bcd95a334a163b7cdc2054bc4d0d5682a350b184a20431d18f7540cf76ae48b0d869937c7b58cd7c2ea0402b1f6bf74bcc65dbc1c817a51aba45e7382493a

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
669KB

MD5
67a5851945ee625e0fdf3253c716b819

SHA1
ad5d0de2e4f2fa2de7583664e4362603aadf0674

SHA256
4b679ab94cfd47cbec5b5da8f3c808f958d9a1043b11d83d1d4436e933e4eda9

SHA512
a6ea4decd678efe79cdbb89e1e24e5f85887d4e6a776b7cc99e36d4a6f7d505af7c28f07cc758e448d17bf128437536bf6027ec14b0cea6f65a1ac8b1d3ddbc3

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
669KB

MD5
af4a536393f717317dc9cfb5bee5c592

SHA1
1a28e547e483dac3d7a0f3f2a43e7327b384845c

SHA256
dd05dde48ee570fa972c612cea37e84975fd2915dc9d4ab877cfe162c4ebbfbe

SHA512
f66791fa1dff2e2faaf47067228c93e17bb81b1db234d3c2964b6932cd3a56c6eeca866a501b7e205f43a990ce69eb730a1b54974cfab7331716ab48b3c4a530

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
669KB

MD5
81e5adc127008d0f33398a3d7f9f56a4

SHA1
f3074b391f96e073a7e4febb2ba418464d4db5d2

SHA256
f3bd63a5b3b4fc60e5e5c624be40a69685e429191b96d5a19841dbb69b2865f3

SHA512
c23113d90553222033413bbdc70d40f1797bd75f96264a299a4d8fadad5ea6b59d4d68b0e62b5ef630e8bf57af0e8f17d5b1bb6f680fc3111f85aafee496753b

Download Submit
C:\Windows\SysWOW64\Cdbinofi.dll

Filesize
7KB

MD5
af46df0086a883f37f70463501ca1f1b

SHA1
361bf61dcb18230357cd23a6618286efae9594c4

SHA256
6c8df196be934174e6143645dbb31cf674440cf40732c66d22d59b8dffd29e53

SHA512
62f61b910c0330aaad017568cda2dc0cb717f95929c6b1d2fbe51de1c6cce8d41983d4323b415a999837514f1baa132296a095cf5a94b5f415ac52d2cd7ef8eb

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
669KB

MD5
133780e5c147b1d96645c04d758bf04a

SHA1
0f6f162fbdb63454256df6c282861a79909b3f3f

SHA256
97482d5f2ed85e2e2812a4048cf0441453101f81aa2fc2d09cef30ff847a8076

SHA512
9d99b7570971e850bfeb0ab95ffc45a09aea796261b6bf2a903539cc196565b6c9f99a349ed0ac107cc60ab72dc54520fbac8d1b3cbed6f90159fff5d9c8abb7

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
669KB

MD5
67f4a5f584bbd205da07be56073713a0

SHA1
b0a1ea083c5e323ffa6e9285c2ac4a59a699d477

SHA256
c2c59f961d47fa8800486ad554be017033bcabe43f36c352c7665cf89a7b8649

SHA512
d6166097dfb222f47f028fa7b0b1e427dcb4d7576713318b3f103f967c2dce6da39b9ae45f03a3bea972fc8986fd495d17f488eaa44888576847ebed8510fbf5

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
669KB

MD5
756b3846fb2ab72496647237d014bb5d

SHA1
dbd4432c7bf6acc3b9896d1f9a9b7f94040b9d90

SHA256
0e9ee1942367fad4550cc926133198384ba977c003bff7a8e048c09f12387e75

SHA512
22a271433ec03e7e3d1c1e77c7fd6ccbbbea97116c8e651b381bbafbdda4ac964c7c784459d83b332ce2eca0c84b4466343fe4013c2b7399cb94aa0e48ed4e4d

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
669KB

MD5
97bcbe78198e53d4eba8c8ec2842360a

SHA1
64a5d0a6fa32aa3c750ccad7cb8397006d5a906d

SHA256
00d9c6229d850934cb90d5e789e88f2e5a7630f887a7c832eef67cd9ea128419

SHA512
11d75f8f41b18e91238a6bbaa5f0f7c917a8b755db71c350b3bca00a1a575bb4db8f0a68a42ed6c1eaca152df620efb26d246fe9ffad6b36e706b4755012b162

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
669KB

MD5
5581586df444701dca6ccb275ba38376

SHA1
f66b2c444126fc14eefe51cddf0e448073654571

SHA256
aa9ef5f25b5eaf1c1a3b1cc59ec42b780a02060efd01954a2e0fd81a7350cabb

SHA512
46e0fb7b4464a8086daa81c75e57c3d585368d83f2bc7735bc2c90a13cc8bcc388ea2c908b0a221ebaf45db7872d8d8b440c48da5bf9898807b299a4a4f39662

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
669KB

MD5
4566db17b7085125c29002576569d635

SHA1
787951bcf7993d1cff8ec34e6251a4a5ffa2bfbe

SHA256
ab7e568ad172ac3663d3cadc1efcd5fb28af3a4f833aa7e4e3bd53f18ce91f22

SHA512
df5df660f68f6d09514522c7e69b75029c591c3e73c801d39d62b85262c699d4d476f6659fabaf6bccc37ff91b6cd87fbe338cb359172bf300e6b3ca5d62a1e2

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
669KB

MD5
8d9faeeb245e017f82c58ec9614b0998

SHA1
a6e858dcdacf16981116f1041842bdff0dc818d8

SHA256
7cc2fa357dcb5b9c6bbc4f15068142af5adb28de0e39ad6c7be7faf264c653b7

SHA512
6c1ae8a3372c71962c36aea3f64c997e1335a43313a2919e1432414712db08ac3321d6209360e89c6f25b741cc9ffec843b5b2ca914ac05646a4fdd4bd360c65

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
669KB

MD5
5c5325e0ffe602998acd4514a7f8ef66

SHA1
0daa1b0b344e39c0c40e4a43f7637e04707c1d35

SHA256
aaf8d698fd9d326356bb98480faf5bdbe6bcfd5e29410502512435ca67def9d1

SHA512
7d7553ba054a576127edee0e123e9a5d847841998a61cc1655e0a17aaa25c6e8b1dde1d222e552ce645ca43274e3c5ca43fa7d6be66e2e909ff7af254bae5632

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
669KB

MD5
87b6f2585b95acd8569a017f01272514

SHA1
86800bebd794c51b439179eb02c8cc86241042ba

SHA256
2a5405c3fd9b8fe88c469e2c5ca2b1f6477487b3be2b8662f101c80d0ac44392

SHA512
b336d13cf182af72086b2cd1cc4b79b1b8730bf3f67bf7f7ebc13291be8299b5de4cf93032a517d7567eac0a02ec83c058e4d343e22f3a3e4c2753cc46a24cf8

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
669KB

MD5
9c398f40fbe146fa709065190622baa6

SHA1
0c109919ecadceaec2f9c8ee78fd2388109297ba

SHA256
4148a0202bbcf06f44f63e4cf4831afd1bb3bcea53c65124119badf61befb88f

SHA512
89e5de281645e8fe83853063c5623784992ea766fa23e64169530359db08e15e90030c2083df29e37ae73bb7eb17499b598ad09e8efded50f80ce3065df8d479

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
669KB

MD5
a6dcdd4ef023278405177ab9dea91818

SHA1
dc489500d8db372f6b49b73c8409b670c151be66

SHA256
fabf1a773374fcbf245e64eff5942b17dec0e32908b227cb66bb7394018262b4

SHA512
a8adc9ee5d60247f0ac4abb6b9027c6b3093b7d6e8f4c86541bb00ad5b80b4ae45a9895f2838f98696f9117c8824b9a7691c57e1684ee1b6287a527d7b38b44d

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
669KB

MD5
fdea43be0c7c52c764ee6d13acc9663d

SHA1
703797f8c41c4aad34d713ccf768a1560d66af78

SHA256
ca349922a6850c7b98a1d91aad35a7dddb483951aa07c115b1195fcc85b4f3de

SHA512
e27983ab6715ad6e0c5a7ef2bd0eabb184d5a3ee4c361625d5858806b737c3efc01c0315e15a705d6278cfa2cb3254cf4f2c1a129e3ce9ad08914ec07540ee58

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
669KB

MD5
f89902a1738fdc9ceb5fecc52642d149

SHA1
58e04d1d6a2833f35947d88e587b24270302276c

SHA256
6b4ea76238d59c241db02abd9aef372cdb8368c4448e93be6aba7cca13278234

SHA512
e5cc0642449df7addd2880003d3e6d946d7397956ae80eed36917462f7e745d7b53199996fa4e078c23df7efe3a4e466a490702ae03b0fc8a7b6437b51cbaff9

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
669KB

MD5
98a7cecc6cecb1321edf21208c1273e4

SHA1
c7b46fd013d6414c3a0215b5dead8e641b7432f0

SHA256
c2cbb460b858053232274697856c1e4db2ba45d4cd9d11388e1a806b17fb0660

SHA512
3bff2b6481335d8089e5a753c5645b04ab5ec494e1a79fc4acbb61b441ec8b1ce9c05b3a90fa776e4d244c41a8552855cbd90d9d528023ad99d0bebe5f3cd0b9

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
669KB

MD5
d676dcb70f4c9b8beb15adbb9aad90a4

SHA1
3678a8f1f4f675667d2e0d0edd7f6ed973283cc2

SHA256
6cbd50d8e6d64842af76b183f1d17219b6568cb6adcace2cba3c9e307b4105c1

SHA512
9195f7a0aea72d2b2723405b8235a0658dde225770f5a05e7176769ce4260995651b1765854501b8b2215b85901b572df645c22968ad8d8bed86856e9eded321

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
669KB

MD5
930741eccf0c8dd09ca1be2ce40718c2

SHA1
800ac513c2eb390c3778701de3ad275fd74beb97

SHA256
8106d5bf2b01e40a4a246ddf384ac65ad05446c3a6c48c3d6e5cda1627b62a96

SHA512
1b755e56020a1f0a2c1b147b3fac4cbe91a35f0e452b17736a3597994611a6f5742d8c6f2c7a75fc5f18b53bdaefb49b0d867ff1d9537b12182023560bc5c11b

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
669KB

MD5
0e551533cc1f1345ecafca3719dd740e

SHA1
68a59aa27f79460c9414323bea7c3c5ab706a8c6

SHA256
e9647b75e66e8409d87bd20fa5040dd05f81bb02aec5802ab5852cb23db3368a

SHA512
f0bb00742542e64560a89acc6bbffc437a17acd14589decab3bcc0f5930381bd49e904f87f329b548d568fb52515080d4686e451be83f4800af6b1042971f390

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
669KB

MD5
be542a88526d2a5cec749fa7851b383f

SHA1
87b880ea1b785d6d7eb910115afb97fae2ab5209

SHA256
9ee554e2c805b9a669280802035f7f3a9b0a839191c05e7eb79300a541d0c4e4

SHA512
a872c1025c725d26f922ebefe2e52a7c48bfedcb92c586a65f1a9fa5eab0e1d10815ff7f4e8137173108c97271d5ede98d707a3a469e5e51160e18dfba7954b0

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
669KB

MD5
8c85aa676ece5e0dd87880a84c6a5077

SHA1
1ff865a4a4a0bbafdfb44410b485eaca1aadd6d7

SHA256
00a4eaf2ff3509fc2ae3544edf6ab5aa53ea0186e5f8aff1d892a6a29d9d91a9

SHA512
e435a9087da483c0155195ef37d2fcbc122590960df68c3e5172bcedfd4023568772153898cc056040579e9b63e045e6ad752f89abb7a85fb3067740c3124797

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
669KB

MD5
6ac1d826f9096253e82525fa23567dbc

SHA1
a51925c0002f2cf1de897171f742a33e7470e9fb

SHA256
be1f754fc8beeee5f1f0d47a28606d5c139b18e46a7712b9140f2fa8098eaa53

SHA512
617b832618704294f3afc2585c4e850d01c7b3855bbced0c29b401a0b7521d5b9ec6a23a3471c9c6d35b46ffc2170b2badbdbfb90faf99a90dd6da285c9d77d8

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
669KB

MD5
45044b069bef6e288bc260a7e83c428f

SHA1
e848830f84f926c2603a0eda2b41034a8863ba32

SHA256
969c0aedba195fce26dca2cbabfcafa48c2ca647585ebe53fa102830a75fc1ea

SHA512
435de1c693e2c0c90254b8851d5921ba982bdb8ba0f2ab828cef8887151510dbc3575ab5c73b8e71f463a424fc5ad3fc1b1dbc9adfdb535f9912009977320d02

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
669KB

MD5
8ccbb2baf947e8499040501c2ed88096

SHA1
d68976c1f9fd49e8deb40fd3ed5e30f53b8e3c93

SHA256
7d0c1d28fba9bb318554eb201e2881ad2bf517fe977e23d9220165b3b2cdfcb7

SHA512
494b87835570fcd0f7ec7abb78a307d7d4cf68591b1f29a7a3abb850cdabf67354615b4b7e7544ac304c7141a67b9d4c1cd87294d06e039a20d19788049d6f30

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
669KB

MD5
1c2cbb8581613b2368af3ca473bd3df7

SHA1
f503c35a4a50ed957bfc7bda437ec1377b0015a9

SHA256
bf2d4f89cc6d9cc8c64435243f1ceb8c66cb6fc9987eb050253768e5765b3999

SHA512
d582fbdf61051dcd0139c3b203b49b95d39b449f729d07d9afe8121f51a53423e42065d0fcaa7aa83a8414091a9086947c59dffc2d1429a6adb45fd587b8757c

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
669KB

MD5
ff0f2525a9a61f3f68bcc281418a9156

SHA1
9e49b8d5826c3741666ab4d3db064980a55b41d7

SHA256
70dd9feade02d63ad98a601e0b54001c73cd0bc1a59ccb03f69ab0347f930b42

SHA512
e97a6e325fcbaa6e419869390ce7f1d88774a270d70bdf861f577b9b3d9b3d8e4714b4272d75810b4c080931e44e97c56a5cc9ba8db2fc7e11c3c219b1d4e7ce

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
669KB

MD5
bace6e651de9976117fc9488bb44b96b

SHA1
c421bb749e4032711fda14cffabe8c073b326190

SHA256
628214403909b70ec355e508ec5c6f3703e4b0d75f50fae90ae9479e38b542a1

SHA512
50049e7a79c82fe6e706a381c344db1dce3ecc01297816c58c8114160e13f340a4ff131aeeb504d43a06b1125f859ac2b0be7851b67758e34d5722164e10ead7

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
669KB

MD5
6d1e8b4692a0277e4e59a03ed84c7cf0

SHA1
b0c11008f456eae5813fccb2f2041a7c462b75cd

SHA256
25b9a1cf85df631e8339a0987366e76c322add08a02d8a8109556c0545c43f9d

SHA512
79f6a6e13483cd9890b87217022d741b9c05274ea67fec15938883fdf49ea84ba8e6db10dc7516117d28d1c3af4a99d3a42aae7d8ed5d7c09a455c5bca4fa1c7

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
669KB

MD5
50b827e62c33a4ef700930415fbd5ee0

SHA1
8205b3299306f50aea5f2b2ad7b332a662915613

SHA256
7dd1edbd87e63eb727ca8c8b720c12fd9749edefe18a8d417a7cc2e38d363909

SHA512
c0b258e64be65b50501a41c3aca22fc9804add3ba740947c210b178f78eda75f95da2ef007f9f67dd28bcb85a679f5065853097f0e9bde6d903c73c1e7a5adc6

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
669KB

MD5
57051d976740c3fedc4b334d2d9b7b79

SHA1
8ff79a3f61d7227cc5d840176acfc5218c95c56f

SHA256
3594b4a64c3b8c23491568dae193f89a4eee535ba3138800952f511b58303e8a

SHA512
27a4074dc6a54d879c727dc9799f36d0d60fb4501235be99aa17f4d18db8a1ee90a9101df3d4f3d7f7a35f7b93cdb91705d5b480d14e575d20e5e8809efb1dd9

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
669KB

MD5
3149b6ae04c43d02cc53c059fd766632

SHA1
476c5c2149e543de34fb062b3a98391a01623eee

SHA256
72e5c1b507fdcde8a8529f98a0d8f3666b9ffa3d440e5aaaa69abda89b892266

SHA512
784e3e81b370d9a12af6a93d74826532a9d16476372c3d1c64de7500e7d1b2fea1a87d5c46ec630d2564b7292228da8060aeaaf6820af502a6bfa0fb62e90e0c

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
669KB

MD5
5ae348548299e7cbb45b3b27c72d61e5

SHA1
39398693d6180597e38403968ae672b2a0f089b9

SHA256
3203dc305f9153f4842319e5cf5c539220cfb93f42f05c2e0f73ccdeefc2614e

SHA512
5b3d6d3732f00bc26c3b7882316cbf9f20ef430084b6483bc9f78a5ac897cca2d6a6f74a54d256cdd5b2bc51fff1d028362880527f1736af583be76de6bf1a31

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
669KB

MD5
63bd8c647ec2db04056fa78180a8b6af

SHA1
59e4192129047eb608bd91b7a7f713c8f6c13eeb

SHA256
a1021552ba37b0d6cf28320494bef6df08d2ba4d6e8d82c87ea647ede5b50418

SHA512
dad434ccfdedfd3c61b6b7b37210153b244106a17bcbeeba3de5fefce5a93222c979e386556ecc98f71b5cd09202c486f23aa24c90a29ca6f2bed53f9ac4edb0

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
669KB

MD5
f357924cbb78a982981105e76fd69017

SHA1
0aa1e5119a09f8bc068d38eab6df25670950610e

SHA256
01bc7baea6dbafe130e28a47af07ce0a1f86cb41ddb8a7a5b969f95eb219c892

SHA512
0470455fa72f01b69c027312997990452ace1f2256705895d2119d54139961370154dbf20ec9dcca9a6614f778054aed7e1e3c9c5e4c802fe7196f07f1a91599

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
669KB

MD5
e38e95fca11de6c29aea13c41f449526

SHA1
0546dec27215f2edbf588629216102e52cf9fb21

SHA256
7c7e65ce8c29218ed901fa765020b3562cafbd04ac618a5f7a436447a1497b36

SHA512
c6c2f048acff9cf2ba19f7ca74b4b88569466e864bcc2f72a5da80c27b86bc4c3a91df998cb43f829e703fb0fc06b0fcd80e62de610eff876eb270c5d3b40234

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
669KB

MD5
1dbd36e9c2a2030cf473ba39fdf5b7bd

SHA1
c8cdecd020f34be3d6eabd384e56ccb171b9d6ab

SHA256
fc09c5b6b57b8905304bbc0f1c2ade01e8b92b4115a934fc4727f52d151274f9

SHA512
789496b88ed9f1aca27f9c2dff82ee011c86abab4d75c91bb0a016900e53cf596af0c4179b7440edc7649d945b1233b9680d0e60359b69ff92b180a7f37e73a1

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
669KB

MD5
5337e6251c75a8be189edd87ca13a18c

SHA1
b52f536c0c04e2e12282cc17b5c387b32abc79cc

SHA256
43c235866b888e2786108452ef9e07932ad1bfbfa3cd365fb9b9c193de739414

SHA512
46b30c479ef34a3ab3d061eaf989e6fd9c747e127b05b48d86b06a1bf022c50da0e2439ecf18945370d5e28a010cfc2cef982ca31d48bdbdeb9d9e935efe0d3f

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
669KB

MD5
97740241bdfea76cd6c389a3b50f2360

SHA1
ded57fcc84eea11825e46901133521939ff2b92c

SHA256
8c9362fbb9d4a0b87a21214eaeaeb389a33a0c0a1129adc1547679465cdf3f28

SHA512
c23e321c5a400fbef68e802d3b68de24c225a9c66f164cd183cb01440cc709f8d661343b3fb40351a9fdad0fb64db295ac60feaed0ed0c2a569940b7825ccf35

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
669KB

MD5
d6064c41e53d6b95115a43a05fb8d006

SHA1
3d511c3650f64c18678e977aee896c1f7aa9c573

SHA256
c426aee3d27b9a330aeca727d43d7a4d5b5a64f065cdbd05c2953a2633738840

SHA512
fa50b19951fad4e725d949254e44847e4480f2e4880782ee30a62fd88e7ee7c4561b99f9d62546cb31316134b0aca70c1fc38e859711b0e03b337d0a4ea76807

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
669KB

MD5
fa426bbe6280f9c2f1609e27d4c76baa

SHA1
ef70beb8135c90dd3d82c177ba97d093ad67697e

SHA256
b902646619974685c0e2cb3a20a86205117cc2368ab05feae150baa9595b7cac

SHA512
a8c638cd04a10402c30763042b45549ddb1064881349e420ae0e47f0973e17ffc375a5ec3c856133a8a2890b451463139a4120e77b599f788d457c7847838b81

Download Submit
memory/116-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/228-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/376-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/460-610-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-616-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-622-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3764-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5124-632-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5128-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5164-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5184-635-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5200-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5236-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5272-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5308-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5344-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5380-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5416-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5452-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5488-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5524-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5564-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5600-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5636-591-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5936-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6108-1103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6140-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads