2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 19:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
Size

128KB
MD5

96e48e26ddbe27eb9730302b5f0b1134
SHA1

2fc4141e06b844783ec8df238d0a9c0eac743451
SHA256

2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2
SHA512

a7bd9ce7a7826a7941d0e4160c5cb5900b7b6c885bdb95b1060ace8af7118e7712cfdac69a0ef233fc59d76fe4a205ed5472fefad85c7bad695ad076b394077f
SSDEEP

3072:h/g5f4nYV7qEGG32/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:hIf4nYVW5s4BhHmNEcYj9nhV8NCU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfoiokfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkagbej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbeidl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe

Executes dropped EXE 64 IoCs

pid	Process
4784	Jfoiokfb.exe
996	Jlkagbej.exe
5084	Jbeidl32.exe
1652	Jioaqfcc.exe
1168	Jlnnmb32.exe
1900	Jbhfjljd.exe
3408	Jmmjgejj.exe
4480	Jcgbco32.exe
1096	Jidklf32.exe
60	Jlbgha32.exe
3312	Jblpek32.exe
4392	Jmbdbd32.exe
1036	Kboljk32.exe
4800	Kiidgeki.exe
4852	Klgqcqkl.exe
1084	Kdnidn32.exe
5092	Kepelfam.exe
844	Kpeiioac.exe
1172	Kbceejpf.exe
3504	Kmijbcpl.exe
4020	Kpgfooop.exe
4820	Kipkhdeq.exe
3632	Klngdpdd.exe
2780	Kdeoemeg.exe
4568	Kibgmdcn.exe
1568	Kdgljmcd.exe
1416	Liddbc32.exe
4528	Lbmhlihl.exe
376	Lekehdgp.exe
900	Lpqiemge.exe
2284	Lenamdem.exe
1020	Lmdina32.exe
5056	Lpcfkm32.exe
4836	Lepncd32.exe
5024	Lmgfda32.exe
3000	Lpebpm32.exe
1664	Lbdolh32.exe
1564	Lebkhc32.exe
4544	Lingibiq.exe
2084	Lphoelqn.exe
412	Mgagbf32.exe
3080	Mipcob32.exe
3304	Mlopkm32.exe
2564	Mdehlk32.exe
1400	Megdccmb.exe
4980	Mmnldp32.exe
2184	Mplhql32.exe
1124	Mckemg32.exe
1884	Meiaib32.exe
4452	Mlcifmbl.exe
904	Mdjagjco.exe
4848	Mcmabg32.exe
1068	Migjoaaf.exe
1624	Mlefklpj.exe
2592	Mcpnhfhf.exe
788	Miifeq32.exe
4916	Ngmgne32.exe
1208	Nilcjp32.exe
4708	Ndaggimg.exe
1904	Ngpccdlj.exe
960	Ndcdmikd.exe
2764	Ngbpidjh.exe
1580	Neeqea32.exe
4312	Nloiakho.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Lbmhlihl.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Kiidgeki.exe	Kboljk32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Kpeiioac.exe	Kepelfam.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Lphoelqn.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnidn32.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Memcpg32.dll	Jidklf32.exe
File created	C:\Windows\SysWOW64\Lphoelqn.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Jpphah32.dll	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Klngdpdd.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Kipkhdeq.exe	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Jidklf32.exe	Jcgbco32.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Kdgljmcd.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6376	7144	WerFault.exe	262

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpocg32.dll"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll"	Jblpek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liddbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfoiokfb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4784	2816	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe	85
PID 2816 wrote to memory of 4784	2816	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe	85
PID 2816 wrote to memory of 4784	2816	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe	85
PID 4784 wrote to memory of 996	4784	Jfoiokfb.exe	86
PID 4784 wrote to memory of 996	4784	Jfoiokfb.exe	86
PID 4784 wrote to memory of 996	4784	Jfoiokfb.exe	86
PID 996 wrote to memory of 5084	996	Jlkagbej.exe	87
PID 996 wrote to memory of 5084	996	Jlkagbej.exe	87
PID 996 wrote to memory of 5084	996	Jlkagbej.exe	87
PID 5084 wrote to memory of 1652	5084	Jbeidl32.exe	88
PID 5084 wrote to memory of 1652	5084	Jbeidl32.exe	88
PID 5084 wrote to memory of 1652	5084	Jbeidl32.exe	88
PID 1652 wrote to memory of 1168	1652	Jioaqfcc.exe	89
PID 1652 wrote to memory of 1168	1652	Jioaqfcc.exe	89
PID 1652 wrote to memory of 1168	1652	Jioaqfcc.exe	89
PID 1168 wrote to memory of 1900	1168	Jlnnmb32.exe	90
PID 1168 wrote to memory of 1900	1168	Jlnnmb32.exe	90
PID 1168 wrote to memory of 1900	1168	Jlnnmb32.exe	90
PID 1900 wrote to memory of 3408	1900	Jbhfjljd.exe	91
PID 1900 wrote to memory of 3408	1900	Jbhfjljd.exe	91
PID 1900 wrote to memory of 3408	1900	Jbhfjljd.exe	91
PID 3408 wrote to memory of 4480	3408	Jmmjgejj.exe	92
PID 3408 wrote to memory of 4480	3408	Jmmjgejj.exe	92
PID 3408 wrote to memory of 4480	3408	Jmmjgejj.exe	92
PID 4480 wrote to memory of 1096	4480	Jcgbco32.exe	93
PID 4480 wrote to memory of 1096	4480	Jcgbco32.exe	93
PID 4480 wrote to memory of 1096	4480	Jcgbco32.exe	93
PID 1096 wrote to memory of 60	1096	Jidklf32.exe	94
PID 1096 wrote to memory of 60	1096	Jidklf32.exe	94
PID 1096 wrote to memory of 60	1096	Jidklf32.exe	94
PID 60 wrote to memory of 3312	60	Jlbgha32.exe	95
PID 60 wrote to memory of 3312	60	Jlbgha32.exe	95
PID 60 wrote to memory of 3312	60	Jlbgha32.exe	95
PID 3312 wrote to memory of 4392	3312	Jblpek32.exe	96
PID 3312 wrote to memory of 4392	3312	Jblpek32.exe	96
PID 3312 wrote to memory of 4392	3312	Jblpek32.exe	96
PID 4392 wrote to memory of 1036	4392	Jmbdbd32.exe	97
PID 4392 wrote to memory of 1036	4392	Jmbdbd32.exe	97
PID 4392 wrote to memory of 1036	4392	Jmbdbd32.exe	97
PID 1036 wrote to memory of 4800	1036	Kboljk32.exe	98
PID 1036 wrote to memory of 4800	1036	Kboljk32.exe	98
PID 1036 wrote to memory of 4800	1036	Kboljk32.exe	98
PID 4800 wrote to memory of 4852	4800	Kiidgeki.exe	99
PID 4800 wrote to memory of 4852	4800	Kiidgeki.exe	99
PID 4800 wrote to memory of 4852	4800	Kiidgeki.exe	99
PID 4852 wrote to memory of 1084	4852	Klgqcqkl.exe	100
PID 4852 wrote to memory of 1084	4852	Klgqcqkl.exe	100
PID 4852 wrote to memory of 1084	4852	Klgqcqkl.exe	100
PID 1084 wrote to memory of 5092	1084	Kdnidn32.exe	101
PID 1084 wrote to memory of 5092	1084	Kdnidn32.exe	101
PID 1084 wrote to memory of 5092	1084	Kdnidn32.exe	101
PID 5092 wrote to memory of 844	5092	Kepelfam.exe	102
PID 5092 wrote to memory of 844	5092	Kepelfam.exe	102
PID 5092 wrote to memory of 844	5092	Kepelfam.exe	102
PID 844 wrote to memory of 1172	844	Kpeiioac.exe	103
PID 844 wrote to memory of 1172	844	Kpeiioac.exe	103
PID 844 wrote to memory of 1172	844	Kpeiioac.exe	103
PID 1172 wrote to memory of 3504	1172	Kbceejpf.exe	104
PID 1172 wrote to memory of 3504	1172	Kbceejpf.exe	104
PID 1172 wrote to memory of 3504	1172	Kbceejpf.exe	104
PID 3504 wrote to memory of 4020	3504	Kmijbcpl.exe	105
PID 3504 wrote to memory of 4020	3504	Kmijbcpl.exe	105
PID 3504 wrote to memory of 4020	3504	Kmijbcpl.exe	105
PID 4020 wrote to memory of 4820	4020	Kpgfooop.exe	107

C:\Users\Admin\AppData\Local\Temp\2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
"C:\Users\Admin\AppData\Local\Temp\2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\Jfoiokfb.exe
  C:\Windows\system32\Jfoiokfb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\Jlkagbej.exe
    C:\Windows\system32\Jlkagbej.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\SysWOW64\Jbeidl32.exe
      C:\Windows\system32\Jbeidl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        24⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        25⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        31⤵
        Executes dropped EXE
        
        PID:900
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        32⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        34⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        35⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        39⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        42⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        44⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        48⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        49⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        50⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        51⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        57⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        61⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        63⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        64⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        65⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        66⤵
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        67⤵
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1472
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        71⤵
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5064
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        73⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        75⤵
        
        PID:532
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        76⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        77⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        78⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1404
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        80⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        81⤵
        
        PID:988
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        82⤵
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        84⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        86⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        88⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        92⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        95⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        96⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        97⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        100⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        102⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        104⤵
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        105⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        109⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        110⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        111⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        112⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        114⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        115⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        116⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        117⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        118⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        119⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        121⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        122⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        123⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        130⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        136⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        137⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6276
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        139⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        143⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        146⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        148⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        150⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        151⤵
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        154⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        155⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7112
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        157⤵
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        158⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        159⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        160⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6436
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        162⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6656
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6792
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        167⤵
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        168⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7048
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        170⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 396
        171⤵
        Program crash
        
        PID:6376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 7144 -ip 7144
1⤵
PID:6244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
128KB

MD5
533e8470a82a1449d09ef9d72a8f2d97

SHA1
460e10115446f981c10da6e7a5b60ae7b30977b4

SHA256
3a65958820eb1065369c522a2cc33f3e5e97b4dd4a46438f1b29ca4589298db5

SHA512
c753f5bd584b38814f8d3c984581c056a5a97d377a9e871e889b4ecd85c8ef7f1f2cc6769dcbf34fb34ecca0be75e6c6c252328d132d067e507b83a967a7de2e

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
128KB

MD5
59a3432ed64a13c0dcec0fb45df4e2fe

SHA1
56a24e41c7600d63282d77a90ff1adb5c7a10a39

SHA256
2f9c888fc038eba655aa538799cea31071ac1224a92d9134b75deb9538ca40c2

SHA512
5dbde38c0345a764b99e649a5591acade0c56fe65130ed3c05a33a66f85b6c4b00f8639d0320add3caa96c538501f1674dfbf936e1cdea9249f63214c3a3e4e5

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
128KB

MD5
3e29d0b4f803ed340f37710f20aac5ab

SHA1
eaeb3f765bb393e49694bfec09024a71acd5a6f8

SHA256
e0edefb6fdbb012bf6a5c8ef9841de64f143c0d1cfa379be706e959feccd83e5

SHA512
7b8d0920df58c9b8ab608e4020089938b4a575476d6f836359deb1ac59f4514cd65647b76fa26667a60795db8bbc767fbf7c7c1cb4c5235019f0fc366a76c7e4

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
128KB

MD5
6a071e519e7b432b95531df6483cb351

SHA1
cef7cf066efabee9db71d69b44b9673be8791a9d

SHA256
c561ab3bd16d786dddfdde4297377f7fbcbdbbdb2bec3d0e97138cffdc68d2c9

SHA512
9d7fc24f299ecc2088b65bff32e2fd51511ff6595e37938f23befce0dce14694fcb874e4b7e85ae6ab5d08fcf26ef886efbbd4639c311cb03f0fff5773deedd4

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
128KB

MD5
55fc1ef8b995a23d5c406e3838af2d58

SHA1
473ad52255081ed623af5d97c1f965a57a888f9f

SHA256
3407d138ae5e0f137ca4099b5ba93fd698762c47ebde5fc1ba1265fc8eb7b7ef

SHA512
16081dbdb37551e411213b43786a9e2f646804d6bc34b851a1f6eedf41028f2ae1887bfa3cd9c73eb363c641771df5ae3a456530abf40c214d686db808320391

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
128KB

MD5
bdb6e1a9dab5c998624506a5f9b8a692

SHA1
e4dcae89c60696b7584c98e781ec62e4ab302ec6

SHA256
dadc6a316ba891a432198703a62b00016e0e55f447065d3d31c8e389210e1717

SHA512
28169af6312107bc9fdc92101e4b3ed6d0e2151e3b6816430569e612fc4f446d798f3eb6eaec63e7ba6ab5b745adaf9c31a60b463157474ea94becfe4f506b08

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
128KB

MD5
4e8e7effa8e06bb1b208c12d59f8377d

SHA1
5a07f299f65fdcd3eb75474577ccbf21b66f4b7b

SHA256
616906f85ce4b1e4468e88b9edeece6be2883f232b44761c92be10baca8fe339

SHA512
7716e3ae42962246fe0c277f88f020c29b598ad9502df2a52e58a0ca5fe3518622f83b2ca383c8aea339022531e427fd03ed0f39da120c9e9aa462905f52fdfd

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
128KB

MD5
6d6c43a2bd760a0aa3b042678963d52d

SHA1
941a105fadf1dd5c4490694debae51ca2a5f8c36

SHA256
5e801fe6f09c571aadd0f29177ec2fd15314c785695d642394879a1ccb7313be

SHA512
2c96abb6f816c149873ee690aca18c15ea3b9e84de982f00894207013d3b6c3b8f61381dd1f603b4a0ca0c27fec54926db709ed63e1bec70566e2befd097aac2

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
128KB

MD5
ab0352249dcfc074d6cabcd339f93f01

SHA1
74a7f295c2fa8f4844fbab9500c4a0f97b003d8a

SHA256
3bf8ba2c8de7bd865b2c22707a8aaf518d35c7747cebf9a13568a06cddcb7af9

SHA512
9c4655d142d7e751b6aff7c2401d6577dc32145af22d843c8f2753e78c86fecce8d5059aeef522c0b8083b55b00577ed1f021190237e39e20856f3da10f8e51e

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
128KB

MD5
f9d9d2be20a87b1ef5f4426921f4852d

SHA1
f5cdc250cd2bd0e7eb32345c55138acb50b63e97

SHA256
dee442db51a50df03649aac627bfcc5f366cf83fd678f73c6c49478608ad7708

SHA512
a3cf8b5c64b516b69597feec6896f1ac30130dc0a6647622d387dae97d36dd64f637a6512e1ec2f562946802b06324109e9977fc0080a62f1e2c37a0a1de9a58

Download Submit
C:\Windows\SysWOW64\Jfoiokfb.exe

Filesize
128KB

MD5
4fd421758f9d18b2dfc58bee4442823d

SHA1
3425d3f195d5590bc446fcae40ce6e80a6e71ac0

SHA256
52816ff4c066e038e2e0502b7912c8bb4e096ec9efff5e56a954a300efdac0d4

SHA512
e916ad81e5320f440465b3c12c834923a1ca88c905958943db21b9a76cdb196fc8324988cd1faadb72138b90f977c14fdab7fbbe0a868b804baac163a34f556c

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
128KB

MD5
a3a68d1df4373542afb7f769d9d24db6

SHA1
cf7876e9a3486a45ed27404f79e75d00edc69654

SHA256
b8f48b63450587a9fa3a2cb67b3bbc074d8f19e230d5233b011db082779607ce

SHA512
705e560a1754b255fac81e9cfeb1f87ec717e50269d31fafb7c8ae7781bda9297cd4475993cb9fb36ea20e6fc0bc4297e24d01c94638bad64c4a658eb5f659dd

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
128KB

MD5
335c517e8560615511baf0bf860aa4bd

SHA1
9316983717f33335eeb956e494857a78b4afaccb

SHA256
de25a40d59cf22dca6edcc40c582b39d797964a56f4aa2c6df5019ef4271d087

SHA512
9a432e4609a6fe3b3820a7dff7b2b0a47362300f98f9c580900bd94d573a2087c1c6a95e81475bfc85ef2e529d36087ee03c4385c7a853edd7b6bd43d5a4cdc2

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
128KB

MD5
9d2851e2900a5810bc27653e97edc7fa

SHA1
f4ef7e67c382fedc22f35b255d4b17a83bb80f51

SHA256
b224417f942ca98cfec8dd9d1ded77a1b08d3abc4f8438643042c1829dce09c8

SHA512
b8fc49a52a44123f3cb5530c9db4710f9b161d07215ff63d3a75a6032fcd3de8f3efd58b69516a5a2cc481a739440fb3f13fe720e9d025e0af11562c4e74134c

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
128KB

MD5
f0a35ef98e25fad10b8521e323f27b6f

SHA1
fdd90606be531cca7cabd1d6ac3c37cfc0f95400

SHA256
31dbb950acd3cf7f7f5ba55f80cc5edc85bb5ddf2fb733be23c586f6ae0aa43e

SHA512
a1f137f5c47a224d63f23c700565f557275594906afa25f66a6a500a5778897047f82bbed93da5db4af75805ede1494a3ffffeb8954c9a5a5eae7c1854e33e5a

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
128KB

MD5
8832c6cbbfd4374080e24d7207581727

SHA1
e08465a0482df7a30dae82118a451929ca6cf851

SHA256
68c352e3b464765e852b32abaa5cf8aa03bb29ba9a789bbc51ccb5984c019ea5

SHA512
58c87f446d1bddb9815297c412a6c8bee7ce8d432d4b2a9d1bf65814110df51302bc46f54369294f89e00c6d41c72730bbe099750a87ad654a0da0a50baa3682

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
128KB

MD5
3bbc91f8e07ba84fabe7a2a11f623a0c

SHA1
b2a64caed2c1ef1a9777183d78edb9c92e561858

SHA256
0a2879c55d247672355f519c5455f7d484ed02c23c36cec2711c22527b0b4b1a

SHA512
cd5087852c4ec14a10ecc693c0cc665610b29a507a07822902628c4085e5ea9c57ceb681ae023d0f66be133a097aa205004ee83fd70e1eb76316394738b05100

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
128KB

MD5
52467f396ddc1d4d8b10655779d914c7

SHA1
316796f55d0415ec1ca454d2e2018a86becab385

SHA256
0d900dd95ae1f20c744b4858b5196e7e77be2ed376f6a30f06b4241e0480b677

SHA512
ea8137a122dca4760bf06c311087b20a21bccc393ba043d6b88ae43d6eebc0ae731b00a68654c220c9d65975ce5bef95577e99362b0906863e33b028c529d0f4

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
128KB

MD5
0298adaa5c344bb8c69bd38fc7adca0e

SHA1
0d164753ffa94427c06335168c0264e78c25b7b3

SHA256
2733d39c433a216ca50c79411f03dc57281abbcaf087d75adb77a82241143153

SHA512
c4a056b468df262007e93dd69cc8f1857a994fd1c594a83a295460574b0b3048bd87ca4b1a91cccbbf5cc495987b555e43a4d82dfe9fae8435eb3105f0afbab6

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
128KB

MD5
c558fe95fd18f8e61398d78f2f6ace75

SHA1
36d8fb7bc46186a9a2c38c5071a139defa009996

SHA256
8039a342e3ef82ab6e7e7b5a6b8c05ed83dc0062c69da83cf215865074cd6b57

SHA512
7495eebf0250315d32b7af6b99960367e79b5e5bd41068a4592668b2534da51d90a071089a86b30c48aa1d29bd0338b91517f0706d584c03f591d943f83e025f

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
128KB

MD5
72038c99317342974f66deac7ef3d76c

SHA1
e162f010cb435c720b660efb688e90b8959259fb

SHA256
914d3eead2f540ff681a176ca696cb5047e579e716b6e707fda602c37a422782

SHA512
c01338b67203a5db33a4a2fcfc51e1f205a32feae08c89af059b584517d99e16e2cf1fee6a1451cee099e432a3ac297d47e217a80336f5d8d15ed41684584a38

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
128KB

MD5
7cf0d744f4b41e73b761d4db770a556e

SHA1
3cf7689e541c95cbe4dc7758411f937151821980

SHA256
0b732a7244d7f5ad9e5d8ea0130e75f913379d500603ef795adebdb210fcb090

SHA512
0bcdcb112a62490e3ff5d08f41e55fb5cad97caa066639e293324317105982b90022fd51a551bbef9942f877ecd431b8c0205436fd317218c30018037c923bb9

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
128KB

MD5
e7a1c54547dc2013cba3e3e15825504b

SHA1
d98bf573fc7e8b90b3fbb5c309ed5024aabe016b

SHA256
1114ebf0b301829162c7b17e446c86cd5b882ae06f0a57a9388c355532f7b23a

SHA512
e76c29cd613fdcd416413731d676ea10c4cc6f02bde6ff720b269e2cfbcbc1eafd17095a88fbee3c5434cd25fa43e77272054e0ac30245c2709f9e1f7a36f2dc

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
128KB

MD5
881882519de8fa4e11dddcac48cfff12

SHA1
252aa15d8d4ac044d06494fa44f5eb92e367feee

SHA256
58ceff01577668e82d0850e05f938fbad45bde3ff485078cd095c56be5c35e7a

SHA512
2565b1c1efd9d71dc8988b92c02647bab1d22536e70659746e4f949db4e84779a07b92697e69ca5e740945deed4ec71e91e57c0fd87c09bbb40843767a6fb5ae

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
128KB

MD5
9fc8c9d02e4be5bbc3aa32462e27b5e2

SHA1
52bdaa899f6172b5c440a51f70d8367cdd8a335e

SHA256
87a7823d25a689db2456d4facf2e3fefd1e5861ba983dc1bb0dfb2a05de8a46a

SHA512
b02931af0a9674282695fec16e954a67ee3ed42dde05e518429fc5042de86e0cee1242f60efe1fe663f7493017b52ca3c458514fcdf65df82529e4f6ad17e7cf

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
128KB

MD5
21dab48e3a687fe26c1cf63ec68849c2

SHA1
b95852e4bf4b87e3c1ea7181ac8344f36575fd70

SHA256
5a456c329179306522ce1f6c9c2ba3ee4272b567414bfd1b196c1feffcce9744

SHA512
bd3036100649d3c65bd7c0f940bcd08fe0ecb55a5a8e862963824aeab613aa70f405a3586a4b5f53b7afae1ed872c65a676a9b785df7f055fcf7bb6e77e0a58e

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
128KB

MD5
26fd97d427e1728bb58f1bfe1d45bf09

SHA1
7b0425ad51111993512ebd8cbc1442d62ebd4de1

SHA256
09be33423a385dc69d959cfa14afea27e48c3b58c090a8443ff8a00f147d0c26

SHA512
6a2eefb114c5bce54bf408b4545b230b4c928572afeb8535f0660d1b823fa5960bb4215712e47af090b748030cba280cb76677bedd6c11b444e65ef0c69a7c91

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
128KB

MD5
5b93dfdb8b6f7e2bf976218602aefe32

SHA1
ecfad8f6e743daa3836e85af9fa4b27cd00e1483

SHA256
6d2a41d567ae9e1850d35d4ac0af8452261879ee00646f59d6f313e47a7a09c4

SHA512
399b88d60421dbb624eb1c6cfecafbf2fbc01075deaecc6e720f0c15de1bd9461b3fc6d47b2f6171d0c09d82b798f22895f84ada6d4bf718f1df9419193996bf

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
128KB

MD5
08070e5633cdaafd52f9a61e6b3d8a5e

SHA1
77b083c96593858b5cf57badc76de2ccc9d95f4a

SHA256
c5325d633e554a607ded366aa674c1058944188f17d21f426240470f4378fc4c

SHA512
1c96ab73365c3a1c4f52e8bebb632f00621ec99e21d72e265d6d731d1ca4ce965f3a65c18bcdec43abe87792a53607a25a40ebef959aebe72dfa2f48a7a9a781

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
128KB

MD5
f99ee7cab088afab544d6a188c509607

SHA1
05c1516580a08bf5153ca66ae8b404abe1d2ccf4

SHA256
e0d1cb12628efca0c9375916886d2d8d402d7f8796c650d6c7d2ea244ff8a829

SHA512
ed9499da8cf6f129abe845a28bb93ae052b224694eb5e3591928f600adde158a8b59c68044d5d818fe71555112a7c8b50198dccb2ce33312b7d97967fde14420

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
128KB

MD5
6dcff71876a1bf6ecd5abb3dca471e12

SHA1
45ac39d40830fd99c8adc51671982efea193f725

SHA256
8c91e3ecb1965c56efd9b1b5dc8f2c34522ced948bcd7e97b6ddf620c58a730b

SHA512
e3fdea86edbc359c8c7fcef392ce61fa8dfb3a117a828148659448cf67f05c420a8e50fafb20fa487434040317c002dab5b234218e5c4570097fbef97da52772

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
128KB

MD5
ad3bc86fcdcb1a4c087bb64230ecce32

SHA1
1af054b42b064ad16cd6ff7ec7d252826f85e0da

SHA256
1dd4eb1d5a87fa06760f4815a09ebe3367b4d362c90f5d50357c571497a6cfc1

SHA512
468fea5b7b1dfe8a85703a7d798276ee8bb33d98f985b7ff129aa3c95a118e933c9e326f22c03a24df7470f803ce4d605b9d30f84fe5ba448ee6812db5d6e68d

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
128KB

MD5
72be5a7a9725b827b22a1da140ebd150

SHA1
59be3140ce2a84b1d5195bb7aa8ba23df9d6319f

SHA256
e3f39925c7fc48c5c8dfe6d9141a0c8c97a9f804d0fcbb46d3a5a3ee7167828e

SHA512
6dd70c4645d193a3c10b4a25289e68ca53e2304b6a2adbcd11ba78800ee61ec5b4eb201f1c1cf3a8d1446ffc9d893c130452c65e8993e99a8130b2dac08581ab

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
128KB

MD5
d291b1429fc0c9a5e73d8cefa3561923

SHA1
55657c833f428aeda6b283d2cb81d3a61ae5d062

SHA256
a644b20a28f4e7ccc9338c92bc4c50b14439cf5668e6d6787cbf15d245971e24

SHA512
51bffaf672e0a14101eafcee2994e3a7e363bb867ce0ad7e5c04386df0b88e45b8e775ccdabaff3f8ed24f37eb804c1e80f746b1cdfee511e408fdfa71cc7e54

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
128KB

MD5
fde7bc80ea2276b493d9d00b0ce0d2a8

SHA1
878f964f8ee64368149a27dbfbba46b1fce0cf2d

SHA256
a26fee912ea37377923567ad61085fa8507e0e61f070f5f618d0acbeb2d94776

SHA512
d5238e0f9ef3a3d62c2f9b6df33825b1fe208e1ce1bb9598e002d4228f1bc396b09fcf6b561f1b018611c866d16544c7a3c31ecde5692b19955d3566c0ec00bb

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
128KB

MD5
3a7182a3cd953f0bd218b2d6a6c8ebe3

SHA1
69c5f97c4755bfc8547cf6cf59249dc338aa134a

SHA256
1f2ba321cebf8a9bec779b097b5691ec85443f37001e9e416a96430a11e3876a

SHA512
10a0dfd39f805ca256cf762da6268add39c86437dbddbe0c9baa2b9fb2462d5c6786ffcf78d3d96f3d8a1d50027085f069a38025244213568cb09718e6527596

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
128KB

MD5
b8938ba6dcbc61a7a5d5dee042fdd520

SHA1
4163bb7d55894f64bc519aa12c50fcb052e150fd

SHA256
805e96028c580ef50ead1b13cee0f9993a060524848fbad09baaebc8a904b648

SHA512
9220cf58cf03371649d35fe16d2c1079fbb762f18b6a2ea0f51df04afebeb8d6e6603bb63803f26366f1e61dade7b98d3e8724eee0715c2fca11603b831180ce

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
128KB

MD5
c499cbd46bac6f6162cf35e2734fa338

SHA1
0898510e6acbb5ac1a06f251bed5c6540b22e3c0

SHA256
22dbb06e7b781ec6d45b4d5278b6bef236f887163445977581ce2a96a0113794

SHA512
54326bda6ca0315a39ed3b0cea17450a8311700852b83c779cc51b9bad0c959b6f44f9cfdc93d410e539bba5ec2e87972e1d8d7d7e78f6b93cba2e21a047d0f8

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
128KB

MD5
ad6c8d3b238eafb981cb74f762ad93e4

SHA1
75a110f0fb799aa4fbdaae02ac541b70655740f2

SHA256
4eae3c4d0948d1c31fc4b521f4935ce3ce961cb92784dd807c708b11edf32c18

SHA512
e8c43ee4e30da2fe522c52cea73f9b39c61bd788be1f6a63996c225cc74115dabb0d88f4366e8ef203f844f48aa01eb169f6d7b9d4cb3bc6b1e80481978c28b1

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
128KB

MD5
5f616a6ecbf868dab163527346c50855

SHA1
f715b81c97650f8bbc49c9dc233ac0009f449b50

SHA256
abb5c7be62732633010d92548c82110a14abf6de1ca84608fa85ae17a9a3a91d

SHA512
b6d9f732bc6642ded349bac2c3f3ed7020bb1a018a865d01ccd9939faca2c7b0b9c6b463d6d504e23f2c904fc1b0293cbcca3bb9808e36d383d2307a9bc8ddcb

Download Submit
memory/60-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/376-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/412-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/448-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-513-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/788-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/844-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/900-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/904-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/960-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/988-550-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/996-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/996-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1020-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1036-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1068-387-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1096-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1124-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1168-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1172-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1184-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1208-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1400-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1404-537-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1416-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1472-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1580-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1652-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1652-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1664-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1884-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1900-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1900-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1904-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2184-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2308-540-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2380-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2764-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2780-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2816-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3000-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3080-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3304-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3312-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3408-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3408-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3504-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-471-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3632-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4020-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4080-489-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-531-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4312-453-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4328-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4388-557-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4452-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4544-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4568-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4784-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4784-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4800-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4820-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4836-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4848-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4852-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4876-525-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5124-560-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5172-571-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5236-574-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5308-585-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5360-591-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5420-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads