bb15e81c289bab0c115fb4fcb6a7f05d0b6323732ab7b650d1f03b03f125e7b0

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb15e81c289bab0c115fb4fcb6a7f05d0b6323732ab7b650d1f03b03f125e7b0.exe
Size

96KB
MD5

08e75f4b47acaf1146566c230abbc4fa
SHA1

aabb8180fabf3980a51a19b1aba0740b26dcb707
SHA256

bb15e81c289bab0c115fb4fcb6a7f05d0b6323732ab7b650d1f03b03f125e7b0
SHA512

ccd0497c506268fb5abd9d37af142047897348b5677a091ee860e2a791ed1b541f927e9d914790de0f58cbe01302ef66ccd9317bf314945788b69d5d5d8d210f
SSDEEP

1536:wEMYaQwhXfJlXg/3jVbUP0a2L5ZS/FCb4noaJSNzJO/:wEna1Jp0VUP0n5ZSs4noakXO/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe

Executes dropped EXE 64 IoCs

pid	Process
4740	Jmkdlkph.exe
664	Jpjqhgol.exe
1680	Jfdida32.exe
1992	Jmnaakne.exe
4528	Jplmmfmi.exe
4656	Jbkjjblm.exe
2488	Jfffjqdf.exe
1688	Jidbflcj.exe
4696	Jaljgidl.exe
3944	Jpojcf32.exe
1192	Jdjfcecp.exe
3200	Jfhbppbc.exe
3948	Jigollag.exe
1960	Jmbklj32.exe
2160	Jpaghf32.exe
2812	Jbocea32.exe
4992	Jkfkfohj.exe
3380	Jiikak32.exe
4080	Kaqcbi32.exe
4968	Kdopod32.exe
948	Kgmlkp32.exe
1652	Kkihknfg.exe
896	Kmgdgjek.exe
2412	Kpepcedo.exe
3684	Kbdmpqcb.exe
3116	Kkkdan32.exe
5004	Kinemkko.exe
4720	Kaemnhla.exe
4488	Kphmie32.exe
2948	Kbfiep32.exe
2392	Kknafn32.exe
388	Kipabjil.exe
5052	Kagichjo.exe
4292	Kpjjod32.exe
4956	Kcifkp32.exe
4988	Kgdbkohf.exe
1220	Kkpnlm32.exe
3176	Kibnhjgj.exe
2604	Kajfig32.exe
3464	Kpmfddnf.exe
4388	Kckbqpnj.exe
4592	Kgfoan32.exe
764	Kkbkamnl.exe
2828	Lmqgnhmp.exe
2268	Lalcng32.exe
2744	Ldkojb32.exe
3040	Lcmofolg.exe
2852	Lgikfn32.exe
2796	Liggbi32.exe
3964	Lmccchkn.exe
1500	Laopdgcg.exe
4768	Ldmlpbbj.exe
636	Lcpllo32.exe
4764	Lgkhlnbn.exe
2232	Lijdhiaa.exe
2972	Lnepih32.exe
5048	Lpcmec32.exe
336	Ldohebqh.exe
3384	Lcbiao32.exe
2680	Lgneampk.exe
2724	Lkiqbl32.exe
400	Lnhmng32.exe
4920	Laciofpa.exe
4616	Ldaeka32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	bb15e81c289bab0c115fb4fcb6a7f05d0b6323732ab7b650d1f03b03f125e7b0.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5140	4732	WerFault.exe	200

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bb15e81c289bab0c115fb4fcb6a7f05d0b6323732ab7b650d1f03b03f125e7b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bb15e81c289bab0c115fb4fcb6a7f05d0b6323732ab7b650d1f03b03f125e7b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bb15e81c289bab0c115fb4fcb6a7f05d0b6323732ab7b650d1f03b03f125e7b0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 4740	4068	bb15e81c289bab0c115fb4fcb6a7f05d0b6323732ab7b650d1f03b03f125e7b0.exe	81
PID 4068 wrote to memory of 4740	4068	bb15e81c289bab0c115fb4fcb6a7f05d0b6323732ab7b650d1f03b03f125e7b0.exe	81
PID 4068 wrote to memory of 4740	4068	bb15e81c289bab0c115fb4fcb6a7f05d0b6323732ab7b650d1f03b03f125e7b0.exe	81
PID 4740 wrote to memory of 664	4740	Jmkdlkph.exe	82
PID 4740 wrote to memory of 664	4740	Jmkdlkph.exe	82
PID 4740 wrote to memory of 664	4740	Jmkdlkph.exe	82
PID 664 wrote to memory of 1680	664	Jpjqhgol.exe	83
PID 664 wrote to memory of 1680	664	Jpjqhgol.exe	83
PID 664 wrote to memory of 1680	664	Jpjqhgol.exe	83
PID 1680 wrote to memory of 1992	1680	Jfdida32.exe	84
PID 1680 wrote to memory of 1992	1680	Jfdida32.exe	84
PID 1680 wrote to memory of 1992	1680	Jfdida32.exe	84
PID 1992 wrote to memory of 4528	1992	Jmnaakne.exe	85
PID 1992 wrote to memory of 4528	1992	Jmnaakne.exe	85
PID 1992 wrote to memory of 4528	1992	Jmnaakne.exe	85
PID 4528 wrote to memory of 4656	4528	Jplmmfmi.exe	86
PID 4528 wrote to memory of 4656	4528	Jplmmfmi.exe	86
PID 4528 wrote to memory of 4656	4528	Jplmmfmi.exe	86
PID 4656 wrote to memory of 2488	4656	Jbkjjblm.exe	87
PID 4656 wrote to memory of 2488	4656	Jbkjjblm.exe	87
PID 4656 wrote to memory of 2488	4656	Jbkjjblm.exe	87
PID 2488 wrote to memory of 1688	2488	Jfffjqdf.exe	88
PID 2488 wrote to memory of 1688	2488	Jfffjqdf.exe	88
PID 2488 wrote to memory of 1688	2488	Jfffjqdf.exe	88
PID 1688 wrote to memory of 4696	1688	Jidbflcj.exe	89
PID 1688 wrote to memory of 4696	1688	Jidbflcj.exe	89
PID 1688 wrote to memory of 4696	1688	Jidbflcj.exe	89
PID 4696 wrote to memory of 3944	4696	Jaljgidl.exe	90
PID 4696 wrote to memory of 3944	4696	Jaljgidl.exe	90
PID 4696 wrote to memory of 3944	4696	Jaljgidl.exe	90
PID 3944 wrote to memory of 1192	3944	Jpojcf32.exe	91
PID 3944 wrote to memory of 1192	3944	Jpojcf32.exe	91
PID 3944 wrote to memory of 1192	3944	Jpojcf32.exe	91
PID 1192 wrote to memory of 3200	1192	Jdjfcecp.exe	92
PID 1192 wrote to memory of 3200	1192	Jdjfcecp.exe	92
PID 1192 wrote to memory of 3200	1192	Jdjfcecp.exe	92
PID 3200 wrote to memory of 3948	3200	Jfhbppbc.exe	93
PID 3200 wrote to memory of 3948	3200	Jfhbppbc.exe	93
PID 3200 wrote to memory of 3948	3200	Jfhbppbc.exe	93
PID 3948 wrote to memory of 1960	3948	Jigollag.exe	94
PID 3948 wrote to memory of 1960	3948	Jigollag.exe	94
PID 3948 wrote to memory of 1960	3948	Jigollag.exe	94
PID 1960 wrote to memory of 2160	1960	Jmbklj32.exe	95
PID 1960 wrote to memory of 2160	1960	Jmbklj32.exe	95
PID 1960 wrote to memory of 2160	1960	Jmbklj32.exe	95
PID 2160 wrote to memory of 2812	2160	Jpaghf32.exe	96
PID 2160 wrote to memory of 2812	2160	Jpaghf32.exe	96
PID 2160 wrote to memory of 2812	2160	Jpaghf32.exe	96
PID 2812 wrote to memory of 4992	2812	Jbocea32.exe	97
PID 2812 wrote to memory of 4992	2812	Jbocea32.exe	97
PID 2812 wrote to memory of 4992	2812	Jbocea32.exe	97
PID 4992 wrote to memory of 3380	4992	Jkfkfohj.exe	98
PID 4992 wrote to memory of 3380	4992	Jkfkfohj.exe	98
PID 4992 wrote to memory of 3380	4992	Jkfkfohj.exe	98
PID 3380 wrote to memory of 4080	3380	Jiikak32.exe	99
PID 3380 wrote to memory of 4080	3380	Jiikak32.exe	99
PID 3380 wrote to memory of 4080	3380	Jiikak32.exe	99
PID 4080 wrote to memory of 4968	4080	Kaqcbi32.exe	100
PID 4080 wrote to memory of 4968	4080	Kaqcbi32.exe	100
PID 4080 wrote to memory of 4968	4080	Kaqcbi32.exe	100
PID 4968 wrote to memory of 948	4968	Kdopod32.exe	101
PID 4968 wrote to memory of 948	4968	Kdopod32.exe	101
PID 4968 wrote to memory of 948	4968	Kdopod32.exe	101
PID 948 wrote to memory of 1652	948	Kgmlkp32.exe	102

C:\Users\Admin\AppData\Local\Temp\bb15e81c289bab0c115fb4fcb6a7f05d0b6323732ab7b650d1f03b03f125e7b0.exe
"C:\Users\Admin\AppData\Local\Temp\bb15e81c289bab0c115fb4fcb6a7f05d0b6323732ab7b650d1f03b03f125e7b0.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\Jmkdlkph.exe
  C:\Windows\system32\Jmkdlkph.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\Jpjqhgol.exe
    C:\Windows\system32\Jpjqhgol.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\Jfdida32.exe
      C:\Windows\system32\Jfdida32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        25⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        32⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        41⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        57⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        60⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        62⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        63⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        66⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        70⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        71⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        76⤵
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        77⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3636
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        81⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        82⤵
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        85⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        86⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        87⤵
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2464
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        90⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        92⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        94⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        96⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        97⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        98⤵
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        99⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1324
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        102⤵
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        103⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        105⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4300
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        116⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        117⤵
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        118⤵
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4468
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        121⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 400
        122⤵
        Program crash
        
        PID:5140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4732 -ip 4732
1⤵
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
96KB

MD5
21393c4f14bb7becbaad4defb0e47ccd

SHA1
e647c7b52f9cc27166d644fc725dd817fbc63368

SHA256
13dc624cda0213c1f06c745edaf720256d68398c4979120754c0ad8c6bbe055d

SHA512
2ac0f9bb7776d5d8b89a49be3de55a97a25804228122107817a0ba21e0c5e3d8acd9d7826ba34f039dd302365e9cc00eb4e1ac875965a3307bbf243f343d73d5

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
96KB

MD5
2d40cca2fd77f6ea452b0a27af5a8461

SHA1
787df903bb6ad749b37f2157bf4e0a451f18eb6e

SHA256
ac96d3d89d5767e92d16e9056d01350c55dd5d72172b29d0d31f867975c25b10

SHA512
027b0d9add52c1326a8136503aa5dfd0a3864f497f19977a2383a12424b1ef87bdb884243d260b011ad5e7f974af581f53644fec6f04e1b9aff5da307d1c3980

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
96KB

MD5
4a339b803fed0d5a74fd3d88e0b95bfc

SHA1
e4b162dccc4cf9d433fdf9791c28d89d7bf225fc

SHA256
21d73c7c54a21badba66227d897abc9dba42a6bf04eb76cac9ac2b2c8a6061a0

SHA512
55de8a491d2a21a96710d4b674f2135eae6b386fa4726292b5bd9291b12617b343c303ae46fdb95f7df8b7017a6ed211ef542eac0eaffb9215b50f4880b10bfd

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
96KB

MD5
eadcf5a5bc51320f0dd065459f217a97

SHA1
2dd2a66fbb405e9a8e72fa4078bb111f4e68e05e

SHA256
f80e3792b72bcc4e8d5379de4acbddb6cfd1190e379a0b45637bfa6136d85b74

SHA512
8d9113b9bb1fd979527f5306dc42e20dc8fc0431bb4e1f62f03bbaf8e87201d615a0608e2310ba1317eed4267c5af3215fb54249f88823a308c646b4c91729ee

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
96KB

MD5
154bf2514b2c5ae4cf70eed80f51a8c4

SHA1
9a34e1702b4233030046b3891befac7c60e38b96

SHA256
d01ed65573c2644f66bb71df65f228fefdc776e646db6e454a886a5f0221ad72

SHA512
c3dc183cd95f9064abbe4ac73e4bdbfd3cceb769bd5343582591efc414932cadd1c29c36ed77808c64a8dd454525b2893c040b239155c339492c4c7ddb298530

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
96KB

MD5
208c32dd53e484385b57c407bc246660

SHA1
2d0eedec5eb1a4aa350c1401c65ff6551d283d57

SHA256
476c0a1b2d7c93388017c7fbb1b2a4e222709b3453dff8c6906f6744d89e4c40

SHA512
134b7ca96726615f157ba2be1f97338a4895214042874d9be78087301cf0221f13a93d8d5926eafb161443be7675d67cef70773552778ef24cdc93dc7f798b53

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
96KB

MD5
d3039bcd150fe0650087e81d3ff5512e

SHA1
09322964e072d66f1caa3d19000818c2950dbb8a

SHA256
eb8aca72d180e73e61869dbf46c3164c89a622ee3d2e698492a693513eefb2c2

SHA512
dcf38710c9e946a2e25b0b21a2df955f000a52061f95dc17752d0d2b3c10914b7fe2c2c1a8b0771d3c90e727dee042d401388e3f9667b0a74e91a29f8a88560a

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
96KB

MD5
25bbcc3fd999824bedba06a08a62f027

SHA1
3beaa5aaf133586f5ceabc13308636ad5a0d94fd

SHA256
258b24215a05f4178e1eff30cd7986bac22f934376e465d47fb1a31e5af95750

SHA512
6907915e36fe712795715bbe294a63214d56e2f080ce990dcdd2264bf2dd458ad6cb0863cb5196b630610521c2dcb1a757d97327a6211edbf7b6d37af579c1cc

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
96KB

MD5
146d7fde02ef43874d769046da98e694

SHA1
c753196067f4fb38381239c2b282c18c60189a31

SHA256
706350960f0f44e3f17044a4ecfc8917119fbb05c6dfce66e7262b35f5f05516

SHA512
082e57fd156836860178640b467fc156e96dc4426c14186c026fa3f3a68506e847fb413747aec27944abb653002adacf2fec1ab3207c53068f2ead1397db21f1

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
96KB

MD5
abdb34e27d702dbf1292c8ca94a24baa

SHA1
b4c3ced7a67ddcbc9517a7af73174cd33c97a514

SHA256
8d193662f7faf457f377881168bfcd597d4dd74bf432b38124d57e6261ea995f

SHA512
a1592c118cf8ccf16917a7b380ca5f95c80dfffda619da3ddf7b5522afbf1b5f3644fe78f1bce280b2a9d34e2804fec930c0a15eeefa957347d23c7a82850159

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
96KB

MD5
74959068ff9181b14297795516d85a1d

SHA1
a918dc1c58e9496bd8027f8b464457206b9c676a

SHA256
6e4da3bbae96790d650f7c640a9d4f585f314aa70458994c0b23c1fe109723bf

SHA512
5a6014b2de4c7bef75b5f28ea64b17aef91f1e30a47bd8f62c8ef8a8c70f63e7900965d201f7cc3b6779dde2055fa672df463d7239501d77b7da82229cd22ecd

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
96KB

MD5
8dd2e8682936fb8af23e244dc2d4117d

SHA1
937c9a688ee2ad3519af2332b3a345484e1ff4a6

SHA256
c39edad34e7cae2ec8c2ff1dc99da1c429912cabdf0aba8d01a5de4637d67974

SHA512
4486b371ccf2bcf6dee60d15355c814b54ee4a63b86ac320ec99a571498884d730221bb38a0ba3a5a3ca07c6c294b29d32d8fcac795e77c58ac368c7495d8067

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
96KB

MD5
8fa87948d3d11c4c9f5d587a83674b41

SHA1
ec2466d6d26a9863d5d592a38c7594d6a216dd5d

SHA256
a70e5c7dbe2f986e449424873ff91a7ce66c1cfd8a659071976a00ed3aaabe4e

SHA512
d7fadca3ec76f486773c970702c6bd4c37c222e8c51500e61a576a1335689ea1cc04976a63c679197a2f70ec867f23b19f8a18a49617e4bbdf090887da77988d

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
96KB

MD5
43d6aaf7a8d2cffa3bd59100c72b4f3d

SHA1
4a15cbad9b457b5055df6a113e3e4beda01ed329

SHA256
46b6f8877614cf01f1ad85ebcad82d2047575cb014bd8ffa0afc3f8495cb2a0e

SHA512
4c1a473e010a879d9438ac70d94b20abdd64c02fd4f718409308a6df32100c4436f0750d450d2067177dfeb601f85b92fda4c88e11e4a472a59f1178a85c5e6f

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
96KB

MD5
f16e697a07fb86bb5a7d2677ae97cde2

SHA1
a653f71a6883471c87af7bf052e6b6aac6805601

SHA256
6a31db19ddfd89a4be2516adcdf1057113c8657b8d4bb74e8e5b95ef32d4db81

SHA512
cf35ec5c8c9b4f098f0a9c752ca5fa0d315c9e289e8f5a72e62b25bfca97a05b16063e19511611ec522170ddb077b21c145f779cdf18199f4bcaed22008c1852

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
96KB

MD5
84a173eec8bc034d8286d433edc71337

SHA1
9bdb48a01d90deffbfcfe46475f07320867f7c5a

SHA256
6eb0b36c8d0f05b6d06afa95cbf096cb786db52d39e11f1caf4a99c560798087

SHA512
35f0992af3ad4c71d1202c8f4c8eb3b424316e0daf43e6af3435784a53976629a3e5e73bdaece2dabc17f3ca810b58d736cf60ebb30bf328c6fd7b09f4e1d8c7

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
96KB

MD5
153fa4449d1af3994ee78157303d33cc

SHA1
d22c888e73cdc55cea83248772de212c36ec6213

SHA256
dba3db42c5cd6b288828b52e285a3a389a64865dbeadd76f50944246fc5f5828

SHA512
6ff40b3bc409cdaf005f89b1ee904beccdceb2c9bb205a7ac3b030e65f50406461c731e0516cb2c333331786eedbf637f93730aaaccdb58f6e402a97ab99862e

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
96KB

MD5
623a1275c39ce55720af939017968836

SHA1
ab885581becc38c83f2bcf74344aa1266006aa61

SHA256
dee48bdaccba012efe4e528690095e211951eb2927e44af5a3e0f065b8f6e4e2

SHA512
96bfbb98f82dcb97ef26668dce55096f19d497fff31716518fb889d57eb501e0b5e8acac7cadcfe848b770cd893616ce0fdfbe70a2a1f6d95e81501111b1d109

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
96KB

MD5
4c69725253060e549f429d7d56dbdb8d

SHA1
73a917552814ff620c596fdc584fab3174ffe9e4

SHA256
6cf89ae3cfb9eebbc41cc070ffd7a56f615a1e35e8f1500346c9e4c3c6cf833e

SHA512
230850cb4139b3b932c36d75f10817af30cdfd7763380ecce9b2618fab9bb2d5a96da54ffb259e7ebdef35f0022ba4780fdeefdf3477d20351ef1296d1347adc

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
96KB

MD5
fd2e6c4d70d94a2839fc5191d49eb78d

SHA1
45a9d046b2888dc8a6aad3f4f2b38e447f85c2f1

SHA256
ae71a58e7f4c7d875bc664c3e526286812734ee8cab638abbe3fb8a9dd5a630b

SHA512
764d3c70b5e520b47a9731b4124f559cf36eacb9c5cf68494cf91d0e78916f1a2b5a5fa9462e10f569beaa9e4c9af6d2df9742e88f4a11515b498405cd364d7f

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
96KB

MD5
bfea8f3d8456632cf6904a5ea5864e1a

SHA1
64e63a5e9371e870dae02b79712752ce6ba9bb1b

SHA256
00cd16e5884b217aa04f3be87288347494580e26c543f7663473015d67574b70

SHA512
6de7b66061ef1dee4004663db2c38c94377b5b86b4d79d1966d880d61739fde0f467491ba795f9b7ca304070864340fe7b86487769e5685223ea0ea6b51e43d2

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
96KB

MD5
c0c6b56a181665ec3388d496f63666e4

SHA1
339a290d38fa5d6f2f3ec81b957a096ec0435a75

SHA256
08fc8ea53e9bd5c0fbfbb442edd2385feb835cdcf82c1b8763c111be83359f67

SHA512
40954d159e8498974a2fdb734072e3aa808986a531b81ab43c168b370f52aa887b5574d2fa5770c7e59a3812809a5ed4bc7fc85af06b6aacb4ddb8b94966e078

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
96KB

MD5
35b3f5ff327dc56ba177d744a2188304

SHA1
df5ee866675cf929383dcb355205795a09c48902

SHA256
923d469d09bfc6d8c2ac03bee3644da103ff92e988cabdffbda486a6d512ed09

SHA512
9231390c574fd969cdce87db04cbd264afc65e5cd595a02b705108bca97b29362ae0154215131269e4c250edb5d2271d84fa6788eb433fb870d3e9ce0579dfcc

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
96KB

MD5
7784a7f94062af078e3601407090d29c

SHA1
025f9798ce8c444acf5b04893aed795bc9147329

SHA256
6aa375328a0416f1dfaf7102bc3252ae983cfcd063b354ad57b9696d5bfeddde

SHA512
6e26b8ac31dbfe0d2754ec96e4bcf98aba43f21b461a60b56495da86b7241638853e7fa0689c976ea1b2ba925ab5c50ae656512cb6092baa0066639c257813f8

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
96KB

MD5
1c4bc17c38b6e472f8e2cddb6b89ebb0

SHA1
1ff6f1be848e6b97bf19a449ffbe9a9e1f83af5a

SHA256
2d031dc35cdf63d2d5f5df130b61fe1f951b40923abbbfb11bbcd4f950145b68

SHA512
30215ab656449b82ee8dcb2f59406bdb4389f6053416a7d9ad6d7deec94d7acab1ea95a81781ec25aa41ea8d0ca0fb0b87997a9f6af12ed80a3b3440d77fd14d

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
96KB

MD5
87ff1613fd123b523212978f7d845225

SHA1
1adb3b46a5d83bc6a8c1f8d343469b677f177487

SHA256
d0116fcaae2eb92cc7eab2856f6706caf74ef935eb0730ebf72d7a66336e5de7

SHA512
12a2233d0617b28773c5a7137ce7afc68dd136e5e7c97ecaabb90ca7a20f733286a696ed389808e91efe313e5102bf0027184bce49d347ef01184e1f42f4ac75

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
96KB

MD5
30bd62bb6e33358be95c4313801c6037

SHA1
adcbafe2a500819ea0c1ab97dd3a2590292e5efe

SHA256
b1e47964e07cb820eac0a4407264b0f6d26817efc80a37dd16f57e01a6994dca

SHA512
9734821eb2f90796e1a596c0f8073bf8ed0aa743eaa4c65bfe2b0f34d15e375375419e354eb862e553174b8d3a0553873cce79d0f589765fd3138da7ed7aac7a

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
96KB

MD5
de09c51372e8cb6d840841df572c7e38

SHA1
d91f8edba8f450ec07295e329c90db7de8082fbe

SHA256
0a2ce71a8f6f37f65c09870388ab13c625887ba904a3d0db3a154ef6ea21e07d

SHA512
23477649e8a4de7a9e16ae14a257e5c1fcc934cf6e9464027fee76ebaa6aad73c7a7e4693e69303e7be529dde38c4a48f7590ea83ddf2692fad352111f1737af

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
96KB

MD5
943e42b09b7c60f486c740ecef727cef

SHA1
6fbd423f949d107bfaf6d09e5bb9e6b9263ae37f

SHA256
1abfc3cd23faebbcd0617e8a0800f4348dd3f23add6caa327c3889db66aec888

SHA512
8d80bbe8156041aaf0a90054e55d9092e7283ca5a6cc700b63e5a7a23da2e22e4f6e8e02e673c3bfd5938b3e92d4ae59cab11651c2be5e48d0be1391b2d6a489

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
96KB

MD5
1e1e73cde8b0a74bd7a473a4cc852cfa

SHA1
08db7092592adb6740de30d29236f9e4a5701f95

SHA256
7e6207ce0967931c59af4a36a7a1b33c36cf64a9aac133356d7588ce225e80fe

SHA512
47943f17ecde0447e5f6450865d6a3154593fcc0c121dcab6fb133a7a2e0d795d224e2cf29dfa56177d0758a0c6bb27d7ab165c025d2f19dbfa644b6a9380792

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
96KB

MD5
6408237ac3a0d9b649b5fd001d394542

SHA1
2d7d32f3b7188e4931759362b6076a4d8778aa6f

SHA256
bb5ce69a26a10fd56cb517c814f48d02b28fd5b80f8576a8b28c746788e1f5b7

SHA512
53a6fc46bd98bd70207b77e04d10b98b6f9726304cb3599d4a346ed7348f390c01a74c4319cf9cd5b987607dc53f624117e4e297066ba8f5ec9ba4511e44da98

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
96KB

MD5
088b64a5879099091df71d6d25045c9e

SHA1
141b319f9038185932e6b91571356d28a94b6e20

SHA256
35f7753b347fddc280cb10b13b6f9cc4cbb36d9754d570589be4ac296f71fbc0

SHA512
1924f3af7f4fd80dedf036a41ff3b4efe3af923f661a593b03f3204f725ebf648244ccc8fea72557ab8206cc79a08fad9ca2d15d4b9eb03f0398b5da070f1345

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
96KB

MD5
ab3095f798f657abf0bcaff0caf6578f

SHA1
8003991aa5660e8a004340829419bb61b003b138

SHA256
4a158648e43568900c5a7a9071e66bd8eb4ca616520f3106cac1b0912d5791b0

SHA512
a817939b6f0139b215e5fd8bf860dfdec3bb893bece6fab81b83d5b26798ff6ee871fc6124ac98c0cd86a35db2b80ab73fce470d117e183a55224fea08c20925

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
96KB

MD5
b4544542f860330123ac6dd50ea3ce73

SHA1
8c2683af3d03974fd5ad18e030184a2006a93104

SHA256
1afd3e546b7aa4a37d7fd8c9e19befe53fdb4c6590c8f66048eed1261445fe8f

SHA512
69bebb299e574843a536f2c8d8fb15cfd68667feb41c9fa653ed9f4403021fcc58017b5f573d7606ff16f943ffb6928ee6811a9878bcec689aa8aac06904da6f

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
96KB

MD5
504a98811b65612baac09efe2b87a9d1

SHA1
ea144e65b7d26652be8430b0ffe30155b7863fb0

SHA256
97955839cd75cae1f6892b45350db7b80427989c567ba01b28ba5cb40aef53ce

SHA512
d6a3bb198717e24c5969da25d1c9c8366fb6a0bc6f2ff5a2ca4557aba78defd1700cc80c4f2ffef930e9a782c72fa62b6561e7a22e0d5745e58b826f306fd485

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
96KB

MD5
1f2f5c7fd17aeac4874fa62d867581f8

SHA1
e97629843957ed862d31d38486e73848ca4549cf

SHA256
cde47416877603981a6479eba213c05130e3bc5323d847b2c3c56fb275fe9612

SHA512
c0182f884181581164ee08b0076df47d99a6f8c6f24e48ee9640512e7969483ca5475cd264a10fb189a2081aaca14f45e1e7b0065e939fe5b8af5d2733ae1b75

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
96KB

MD5
a3363261731a68c28aa69cd7f4b0a624

SHA1
2e37748aa93a563eaaeb1182150684a36828ced3

SHA256
3eaba371042f1713f6f67c51244cf6a2c237d221553c426cd5950478d9355d16

SHA512
980147b14ccd9027bb25633ae43048c09e0bdd5ded7aca19f10e38b62edea16cd2f3b90508f378ce8efa3b2df5262f49b9412ebcec9816499274788457be68d0

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
96KB

MD5
12d9d9dba904eac250e7917735208f12

SHA1
365251168fd06e4949ad3c06fcc477cffd689493

SHA256
d3569fc52061ff7191c26f9ee1fcad862b80845f169ecae1aaf07494d3e4b05a

SHA512
fe10e71fd8091f40f45d28eb818494137ffe63e4c9d0aa5bfd20069f5ec94807af0ade51cbc5e0ffd1795e9e407e38c16a633cb5432fdc6a973c4b7953d25841

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
96KB

MD5
a27c8f4d6866ff489c26390fab89d1ed

SHA1
ec3afbbed979bdb1cff311b4b9202f820bf91749

SHA256
c70bb80936ce493d4ea089a2edc4840d825f768d52222cba1c9d4e1d4c8ff7b6

SHA512
65c1ec70d1adafb0d2c514c41e5cbb868024a7bc37a8aabe521e424cc961ee98cc161cec61dedcb93960525e6b44aa72e511fa59c33de8ca1701700492a7da11

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
96KB

MD5
ddd9bd065045b6e09efab6514648812b

SHA1
66a74a1adc36d7708825ec86b73a97d336020c78

SHA256
2e37a45050bcb99dc368a0d1659539bfee5f69312188eb6c83cfdee42b399634

SHA512
50fe94b16535ecd3f885686a3c2d677df23e2f22a9fc37830629fc72a1a606faec53bba99f1576435a25ab6e31d9985d867decf4291e77053f207e82009306e1

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
96KB

MD5
c310e4ac7cb796d5a71ed4c810750e5a

SHA1
03ad32e0ed763e0e2630899ea1a7ba83ca29a16f

SHA256
0be6a1079d788ab1a628e00673bec98677cd0470ded943225074cd98fa1d0c3e

SHA512
5eae48c69dbe52e8a1f8c3b42bb19dac819ed4c55827e03084b70282da13b770fce1be76ed4297dbb7d60ac0a7713cb20dba5cfe28ff225667cb6901531252f9

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
96KB

MD5
a312b4ab79a0fe9c8dd0ecf3a9240d47

SHA1
a857e957c38089e312e63d4923e50f64d5a93e00

SHA256
37b60617d5d8a69d661633c176800197fb2bd9a10fbfe4881e8451c6255c1c12

SHA512
76878b94dc65ff886a88d490f3463bc456f28467279547ee372642fb9988d77a441a09a68ab0cbded5f97470e99aac84222e46f3761d20d388f55ab849e6f786

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
96KB

MD5
0c519b9ff52ceb2650b29125941ca7ca

SHA1
f5ee02252f68b4882dd153edbb4727c5634c8c1e

SHA256
18165753086ba78b3ee1e6e2882febc5d38862320f90523ff2e453aa78298c1d

SHA512
c97f4b977fbdd44694edc8f3bce95f34c20985a19f742fab70480860ba069c2bca20981db90b63fd43e6dc50ecb693281bf7969e8d0b247ae08f65758908c61d

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
96KB

MD5
80a3e0ff308b4db9848b0ecbe4f99adb

SHA1
1b6a1bdaf64e770f0ad846555695b51ccd2656db

SHA256
5e5a6733618659ff61c18e69dd89d27b3b871663a4564623aa083c6ce7b2ef69

SHA512
ed6a80961d142a706bfc9bec34b51c53748236b19fed80bc19e599e9d9bdf1e13817dfd74d8218db7492e577478e84b2ba109bb344cab203b16890d40c55fb7d

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
96KB

MD5
70c601a46a7e41e1c7ac67007465d7ca

SHA1
d88d786235ebc4f66a48c49b5981aa2fde290b4f

SHA256
f63c427a98f4f7056676370eb6b265a6b92a4da430af4d0fb45b21e1a1658421

SHA512
2844f7a76cc1dd0701090ceac420becc8ca80f9980ae03d672febe20268be1a2f11293f857455099fc56a6feaef5869dd59fe90b647041e41496b9157cf7caa4

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
96KB

MD5
fe121e0e2a39dcbbcc70ce7ff7f2d604

SHA1
23e33b6a8ed4960049c4ae9ef1640d8307ea98f0

SHA256
dba001e396767c8dd3f2db2b5b3414bd9a2b776cca0206ded8a34ac26807de47

SHA512
1e0ce5dd04e89a35c8274f085d01cb1c2f64719717db562bb2b0166154a8cc300205850d72a159583976e4cc4b289323fca782f32cd25c093f63078d3facf225

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
96KB

MD5
c5c84fff1994659ade1566761fb0ddbe

SHA1
4c7bcb4439cfd75b5188472499e9403b68c32730

SHA256
1a904d1593c72256d860bb21c521813d27d3d852417ae106f1c86e83fafa0802

SHA512
0183888904391d66de43bcbb18736e1546ce67e3cfe7164ea01ca9673abeccbb937684e764b8711c463800d6b2308df1d976ece9257c6e29db93c5c8db49aa53

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
96KB

MD5
d8fb3e5aa3e5d525d549488bea13d868

SHA1
902a13e4cb01fc7a0d171e7f1001db3796dbdd62

SHA256
02a8a758d4792b9aebc5189d0a254788284a17cf71bb5fcf95032f2d276a5d31

SHA512
b6ab91d421b927e041a2c81a168fee326cbbbdfd949ad088f511771dde08666b9c7202cc8e145a07164eeac818bd6662010a8b9fca1e0d19832ed09f0828947e

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
96KB

MD5
825f9d49298bd020921ce84b3d38c4b6

SHA1
b7e540baf7427fb8442665206967414ca497a3fc

SHA256
c3209508d721d90b27297de71b3a139771d9e48e9417f11c292eca1cf3dc5f11

SHA512
f5d97517cfcd813dd2a50b9901fe8e6ba14fa45de26738078cbe125eabb6f18db981422399235bd0ff39febd4674ca3af61b38961e96fce9cf92eb7ffedb275d

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
96KB

MD5
7936e3abe0ba9cf9a90bbfd7b5bc354f

SHA1
a9f43c86dd74adf3a8b6e98d75f4c856c3b46d55

SHA256
05eb1c8a29b55992f842fd48bbaeadbf3014930f1471aacadb0cadf6e6fbe467

SHA512
b58bfdb7ddbbf82e8ec6237349a424db6e5e6a81ef1ca99e59155598df276189a55f3047c8f82de400eac66cf18c8240fa8110fbe9cabdb66344db395413a00c

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
96KB

MD5
f9e195be526e8834ae15139b7cb6362d

SHA1
523a5243bb645ab1ab0f7ed32a1b52e2fc9dc496

SHA256
52be6cb8b240ce96ac04dc4d989829900e2b3a240bd2e93353e42a15c849fbcf

SHA512
3be24d7d759887958fead43d74f185f861bd4f4d2f2de8415bf92e9f8712152bb426f8a52dfb2fd98a2310136b1be918c280172fc37e75de5678fae6ff484734

Download Submit
memory/336-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-894-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-875-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-890-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4068-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-868-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads