b1743ca04838deb997501db149b06388fc50a10708e93c8e1016ba77220cdbb1

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1743ca04838deb997501db149b06388fc50a10708e93c8e1016ba77220cdbb1.exe
Size

94KB
MD5

aa5a1641a39e7eaf8867eeffbdcbea0f
SHA1

2a65ce11c22dfe0370015b3326c16e35ec988b64
SHA256

b1743ca04838deb997501db149b06388fc50a10708e93c8e1016ba77220cdbb1
SHA512

9ed8e76d7b8eae1f809827b81b7c02203e47255e62a456d0f84cb9c2461989e9dc0a742bae5578b2ad8b56fd94007d1f9c92778e5d0894bbb8108f0c8770b8e2
SSDEEP

1536:dMzD4uFk5d6TXs9FY3YwIxA1EJfKRbAc2LfaIZTJ+7LhkiB0MPiKeEAgv:C/4uFk0s9iIo18faMU7uihJ5v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe

Executes dropped EXE 64 IoCs

pid	Process
624	Ibccic32.exe
4236	Ijkljp32.exe
4912	Jpgdbg32.exe
3668	Jdcpcf32.exe
468	Jfaloa32.exe
2072	Jjmhppqd.exe
3888	Jmkdlkph.exe
1468	Jpjqhgol.exe
2096	Jbhmdbnp.exe
512	Jjpeepnb.exe
3924	Jmnaakne.exe
1112	Jaimbj32.exe
2324	Jdhine32.exe
3920	Jfffjqdf.exe
2480	Jpojcf32.exe
1144	Jbmfoa32.exe
1116	Jkdnpo32.exe
2340	Jmbklj32.exe
644	Jangmibi.exe
1608	Jdmcidam.exe
2664	Jfkoeppq.exe
4536	Kmegbjgn.exe
2168	Kaqcbi32.exe
2824	Kbapjafe.exe
3020	Kkihknfg.exe
1432	Kacphh32.exe
3528	Kpepcedo.exe
2012	Kgphpo32.exe
2580	Kinemkko.exe
4496	Kphmie32.exe
4764	Kbfiep32.exe
3724	Kipabjil.exe
3484	Kagichjo.exe
4112	Kdffocib.exe
3032	Kgdbkohf.exe
1816	Kibnhjgj.exe
3556	Kmnjhioc.exe
4920	Kpmfddnf.exe
3344	Kdhbec32.exe
4340	Kgfoan32.exe
4964	Kkbkamnl.exe
2548	Lalcng32.exe
1464	Ldkojb32.exe
4144	Lcmofolg.exe
2412	Lkdggmlj.exe
4872	Liggbi32.exe
1332	Lmccchkn.exe
1572	Lpappc32.exe
4772	Lcpllo32.exe
2316	Lgkhlnbn.exe
1196	Lkgdml32.exe
5028	Lnepih32.exe
1384	Ldohebqh.exe
3636	Lcbiao32.exe
4024	Lgneampk.exe
1504	Lilanioo.exe
2872	Lnhmng32.exe
3112	Lpfijcfl.exe
2404	Lcdegnep.exe
2360	Lgpagm32.exe
1796	Lklnhlfb.exe
4192	Lnjjdgee.exe
1544	Laefdf32.exe
2772	Lphfpbdi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	b1743ca04838deb997501db149b06388fc50a10708e93c8e1016ba77220cdbb1.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	b1743ca04838deb997501db149b06388fc50a10708e93c8e1016ba77220cdbb1.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jfffjqdf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5824	5736	WerFault.exe	200

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 624	4184	b1743ca04838deb997501db149b06388fc50a10708e93c8e1016ba77220cdbb1.exe	81
PID 4184 wrote to memory of 624	4184	b1743ca04838deb997501db149b06388fc50a10708e93c8e1016ba77220cdbb1.exe	81
PID 4184 wrote to memory of 624	4184	b1743ca04838deb997501db149b06388fc50a10708e93c8e1016ba77220cdbb1.exe	81
PID 624 wrote to memory of 4236	624	Ibccic32.exe	82
PID 624 wrote to memory of 4236	624	Ibccic32.exe	82
PID 624 wrote to memory of 4236	624	Ibccic32.exe	82
PID 4236 wrote to memory of 4912	4236	Ijkljp32.exe	83
PID 4236 wrote to memory of 4912	4236	Ijkljp32.exe	83
PID 4236 wrote to memory of 4912	4236	Ijkljp32.exe	83
PID 4912 wrote to memory of 3668	4912	Jpgdbg32.exe	85
PID 4912 wrote to memory of 3668	4912	Jpgdbg32.exe	85
PID 4912 wrote to memory of 3668	4912	Jpgdbg32.exe	85
PID 3668 wrote to memory of 468	3668	Jdcpcf32.exe	86
PID 3668 wrote to memory of 468	3668	Jdcpcf32.exe	86
PID 3668 wrote to memory of 468	3668	Jdcpcf32.exe	86
PID 468 wrote to memory of 2072	468	Jfaloa32.exe	87
PID 468 wrote to memory of 2072	468	Jfaloa32.exe	87
PID 468 wrote to memory of 2072	468	Jfaloa32.exe	87
PID 2072 wrote to memory of 3888	2072	Jjmhppqd.exe	89
PID 2072 wrote to memory of 3888	2072	Jjmhppqd.exe	89
PID 2072 wrote to memory of 3888	2072	Jjmhppqd.exe	89
PID 3888 wrote to memory of 1468	3888	Jmkdlkph.exe	90
PID 3888 wrote to memory of 1468	3888	Jmkdlkph.exe	90
PID 3888 wrote to memory of 1468	3888	Jmkdlkph.exe	90
PID 1468 wrote to memory of 2096	1468	Jpjqhgol.exe	91
PID 1468 wrote to memory of 2096	1468	Jpjqhgol.exe	91
PID 1468 wrote to memory of 2096	1468	Jpjqhgol.exe	91
PID 2096 wrote to memory of 512	2096	Jbhmdbnp.exe	93
PID 2096 wrote to memory of 512	2096	Jbhmdbnp.exe	93
PID 2096 wrote to memory of 512	2096	Jbhmdbnp.exe	93
PID 512 wrote to memory of 3924	512	Jjpeepnb.exe	94
PID 512 wrote to memory of 3924	512	Jjpeepnb.exe	94
PID 512 wrote to memory of 3924	512	Jjpeepnb.exe	94
PID 3924 wrote to memory of 1112	3924	Jmnaakne.exe	95
PID 3924 wrote to memory of 1112	3924	Jmnaakne.exe	95
PID 3924 wrote to memory of 1112	3924	Jmnaakne.exe	95
PID 1112 wrote to memory of 2324	1112	Jaimbj32.exe	96
PID 1112 wrote to memory of 2324	1112	Jaimbj32.exe	96
PID 1112 wrote to memory of 2324	1112	Jaimbj32.exe	96
PID 2324 wrote to memory of 3920	2324	Jdhine32.exe	97
PID 2324 wrote to memory of 3920	2324	Jdhine32.exe	97
PID 2324 wrote to memory of 3920	2324	Jdhine32.exe	97
PID 3920 wrote to memory of 2480	3920	Jfffjqdf.exe	98
PID 3920 wrote to memory of 2480	3920	Jfffjqdf.exe	98
PID 3920 wrote to memory of 2480	3920	Jfffjqdf.exe	98
PID 2480 wrote to memory of 1144	2480	Jpojcf32.exe	99
PID 2480 wrote to memory of 1144	2480	Jpojcf32.exe	99
PID 2480 wrote to memory of 1144	2480	Jpojcf32.exe	99
PID 1144 wrote to memory of 1116	1144	Jbmfoa32.exe	100
PID 1144 wrote to memory of 1116	1144	Jbmfoa32.exe	100
PID 1144 wrote to memory of 1116	1144	Jbmfoa32.exe	100
PID 1116 wrote to memory of 2340	1116	Jkdnpo32.exe	101
PID 1116 wrote to memory of 2340	1116	Jkdnpo32.exe	101
PID 1116 wrote to memory of 2340	1116	Jkdnpo32.exe	101
PID 2340 wrote to memory of 644	2340	Jmbklj32.exe	102
PID 2340 wrote to memory of 644	2340	Jmbklj32.exe	102
PID 2340 wrote to memory of 644	2340	Jmbklj32.exe	102
PID 644 wrote to memory of 1608	644	Jangmibi.exe	103
PID 644 wrote to memory of 1608	644	Jangmibi.exe	103
PID 644 wrote to memory of 1608	644	Jangmibi.exe	103
PID 1608 wrote to memory of 2664	1608	Jdmcidam.exe	104
PID 1608 wrote to memory of 2664	1608	Jdmcidam.exe	104
PID 1608 wrote to memory of 2664	1608	Jdmcidam.exe	104
PID 2664 wrote to memory of 4536	2664	Jfkoeppq.exe	105

C:\Users\Admin\AppData\Local\Temp\b1743ca04838deb997501db149b06388fc50a10708e93c8e1016ba77220cdbb1.exe
"C:\Users\Admin\AppData\Local\Temp\b1743ca04838deb997501db149b06388fc50a10708e93c8e1016ba77220cdbb1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\SysWOW64\Ibccic32.exe
  C:\Windows\system32\Ibccic32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\Ijkljp32.exe
    C:\Windows\system32\Ijkljp32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Windows\SysWOW64\Jpgdbg32.exe
      C:\Windows\system32\Jpgdbg32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
      - C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3344
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        48⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        59⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        66⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        69⤵
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        73⤵
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        76⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        77⤵
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        81⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        82⤵
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1772
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:452
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        90⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        91⤵
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        92⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        93⤵
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3516
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        97⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        99⤵
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        100⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3984
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        102⤵
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        103⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        105⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        106⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        108⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        110⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        112⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        114⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        116⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        117⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        118⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 416
        119⤵
        Program crash
        
        PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5736 -ip 5736
1⤵
PID:5800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibccic32.exe

Filesize
94KB

MD5
2fbd1e677c4a049a28caed98cd55d6c5

SHA1
75eec4e655f3434ea98eb2a9f018575e824542bf

SHA256
8f5524819fbcf4d22209c73771e1989cb4987b9630a32c342a6a97e00a8750fa

SHA512
b31819d838cbf927f4afe05025a4ffebae61d4f3e66097d7afb0e55fd508b928ecb1df5f3e6339db1937f3e33c4fae8dc9c6b3c5e162fbbdd0cf165e877a6a85

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
94KB

MD5
103949d53ae69caf90111902320a0751

SHA1
4780e7fd8a6e216050542b6815407c8420c5c95b

SHA256
64083ccfe96d249767c27564fad6216a0e10284d460b6bae8d0221857d9806a3

SHA512
d26ffecfd1c43182f3852f607229bd8714dbc5362644f44370305aa980420b972f6436c53ae4e7a7992446db46c275366ff8f693ae0387ea076166b9b725a938

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
94KB

MD5
a9eafb2d4270aa39087659af3c386a77

SHA1
9fa5798ee649be47ee9162009a16a40bd5ab27bc

SHA256
2537dbf31140cda58f4fa69b37061345c40f6515ff3fbf1e92c220616da5cd85

SHA512
7347f147959c1199592193a62733a69a344a211d7b3c17e51289936a3d613ef97830558a436a1e2dd90c0c284acd4f1a629373bc0695cf61d098a13a6de8ae55

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
94KB

MD5
92749c2db24a6ed0df3cb2c71144b23b

SHA1
cfcca119491995ce2ac07dd03dcfac79febb6cbf

SHA256
e58900b15c31794803446d72f102f31cede3ea189eb76284f4cdd26d08ed59f4

SHA512
af4bdf526a17be85a4ca9861054be8a31928556ace27add0a3a770b169b8afaacb0f331355b7bbd0f1907e56fe09e558435199629d28bf5b10017f71d6c8ddc7

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
94KB

MD5
86c2cc11c84093ff46a62e3d0a9f96a1

SHA1
3ca005d3df5b7e810e31240979aa3721ff3bdd3c

SHA256
9a2f199ad1d9a0049bc737a27118561753d99e9ccc1e11178f2dc7aa284c5fb8

SHA512
fe052ed9e6d3cbd5c21d730531812add0f286db40cbf76556f9061180907f892deddc07a4f015b45d92eeab9f51e89301899d74f9f630e5fbf393b5ffa351883

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
94KB

MD5
0648a60af89d391fbf87d3c31224506c

SHA1
3e4c8a76457416d23c9214c4535359154faa9e09

SHA256
16808597cd846e969c67bfd6e9a5a31e72b921b1b2a91aea48a2ea138348d2cb

SHA512
353453e2ebbaff27041ba847ca7887414e92b05ae327cc1436fffcc4cfd6e06abfaf63c65016b0a1ddd73d5c2c0e66aa302c506c0243319db947b82b15e6ae25

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
94KB

MD5
a2c918c9765c0efdf5e95620b04da954

SHA1
b5e31103085c8d2064f9718496dd94b5f89df1fb

SHA256
41a95ca411a5c3e82e6a59bf2f221db54e30b8e18a1b2facdc5d63ebbb557cf9

SHA512
a08f78970f15bced87a099bfb50e8baefa257f3a372c6031ff204fd85ce6ac80a0949d260e153243d0c4b3db658710d2325206c85fddfbafc9cf07fc2d030076

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
94KB

MD5
0c52d78c11d471a63b2ac285b18cb90c

SHA1
a3e042ac31cf8249715ea214c0621a08a40cf957

SHA256
e2bc55374b03a464045e4e0107018ac3f78fe899fb916c3e6dcd75fda4b567df

SHA512
d4821de18a01e93fb11a9f60726b07dc44a968721a74353fe0d99a7c1fd1be29449dbc7f0cea5411c2190d4555dcdf3a1d4e07d796721a2dba6058ba6523ccd3

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
94KB

MD5
1e162d44e22925f42a20728dbca79fc5

SHA1
538ce6d7e196bd1646baf346db9c0d83e50097b4

SHA256
4dae078668b0c4e52e3dad96e4836c2c909887f50410a92a5f8a51c59069e1f0

SHA512
95880ebd2dcd3bd165c40afb5aef0e76926e18b125c61927aae01b65680b2f67b4eee5286aa70b8573fb8e29a6f8d1f0c5b3597df2aa4606700dc901e3e41ac5

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
94KB

MD5
f36e89831e7ba0c4d55162e05e2134d9

SHA1
6af13eec33e07e67c4f6c10f1687d5340669374a

SHA256
3dcb79ce8fbae14d1af7ba6d3ca93be994f9b5e108a20cd7ddb02fe6b28b9b2a

SHA512
b56f85bd8b574eb5ec4b07f91b81a8839a9b745d0677890bed33a3229407f37341e4ed8f29c11821df166f424182b9a26244d279e93e4379f3161e93b30a4f1e

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
94KB

MD5
0a533c43571c612cd1132d82f8c849a6

SHA1
708722e96e19e004aa10f5c136789a29b2e53dc7

SHA256
b488ff0e57208895f086aeb94b2f60153b946f975ba7e76ab287046269a5023d

SHA512
0225bce902fcd7a60288e9c49595a1f0b25e1403e1a1fe334d5f723217e1db85ab6507424dcc875a4d4676eac73b2b0f042ad58df9db04085fab8a6a28d66213

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
94KB

MD5
3f1b88051ed427dd91eed868f7b1ce39

SHA1
55f45751ba2731b5a8597c1c0f2661ceed52f2b0

SHA256
60504fd546850b29acb6056e432218429a60eabf6da45ec0d65d9c47f9c59688

SHA512
61fa02cf514f0afe39bb7c569f7503c2b9b9563e83bf50821e8ac84ef3c066d298e995e4acca6ca3578906b3163d4b9bed5d2e1c81ce2a48d560f65bbaff95ff

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
94KB

MD5
f781b08921e84ee43f1e1c08285506ee

SHA1
8b5aae51c29ca1f45c677b891775c80f0b1cea27

SHA256
f21e4aca4b34c29f972746f343a9e9bf94062423db178941b2b5ed97cc845b7e

SHA512
09423becb933a2d756af7103e81d570b98cac2694cdc4ba5e49692dd1f887d6515383c71226b4b2edd6c18361031ad1deebbdccf86de8120abe33398dae8e27c

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
94KB

MD5
54d679d8418744312ea49015bc5480ed

SHA1
f1b2125c1f246475b4942a2b9f5e7f76de566b85

SHA256
e5ed974b4f0b8df0dfac51341b3c799f9440acbed791f6e05bff7732dae4c701

SHA512
e8a0864b39b5870d225e3c73bce9c7e2a7cb8f65a1b20549a515c9f3d114fa0756749eafc5032af0b94c0a34eb1cf18b96a0614af043e94b3f6a80d9ee24d4cb

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
94KB

MD5
88c1a8571140f791667e872fb97f84e2

SHA1
0ec3281a1c55102f60d9834fd5e563098d9c21d3

SHA256
a55be20af9faaef290e2af72e5ac759887b7e821f113467f1e9353d2b5389e78

SHA512
65eb89e4b0ff573e2f84233713433c2e3c1d14bbc37184657c7e46297088dd754d8caf549871b78d26266a645e89bbd8d5c8e97223c2c8b04e3a878acb983aa4

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
94KB

MD5
958024c9401ea51ca34cabc7a3ece9fe

SHA1
c65945daa627719bfc52fa35e593bb319daf6114

SHA256
902466a494e644eb72c0a221b5bf3440e5666ed1438dc610da2434d5f0b54ede

SHA512
8e018500dc3c29074c0128d26880891ba4029472a2d7bad756091e338100654960ac48feef5974a4e3b5341cf2d1b2d925b46b959c502bfedad53778f3ec1b43

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
94KB

MD5
be3dc6efbdb3f60157e1af9be3a92bc8

SHA1
1bcdfbff5b8d8928486b39113a76e15ca03c0a24

SHA256
6fe6a49647da2b7da4cec5ae4be428de701e514160ca328c5f8c56b80b1f73ae

SHA512
b385b8a571cdef4a8db3e92095b5b24f4894de5af6680c44be0b9e3f35375e4bbb29490b02ace302b47708879c060cfcb86719653a238af9e3a2df7032e4d38a

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
94KB

MD5
675e7064c066cb0c531fcf1658bf9a27

SHA1
7e43bac2fcc39a2c8b80b3bf11223a7b8bb84aea

SHA256
6e8bd6020f0f7f18e161c5fa27fdbd2cdb955fad33353e02a28f8d4bc31dfbe2

SHA512
4649309c5ab2eeaf6552f3c1321c0b8f9c2cc00a236e35f75ce98b9b1b10c9e0efda194d56f86165ee20ea17de66dfd15344f3ca3f81461dfcd3ee81a6841375

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
94KB

MD5
77368a1b88485a85812a4c9ee35a4d09

SHA1
48b26449a0be3d97e4ff75e46de957f5ea8c7463

SHA256
311d0e5dc7a193e3843ffcbac400892b2c7e531402f70420ba799176ad013abd

SHA512
f376195792b27d934b0bee74aafd476e3337b753cfb4a1f867311875c0060e3eae771fd7f0cf709cff7b2cf5af9575eea762d4c39237f1d0c4d48b8118836256

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
94KB

MD5
a27d75a0103f05019911b6175ee95a41

SHA1
7699a9ca47bdbfe68c9246eb4809c837a4cdb170

SHA256
d4b345d2f5739678eabb0d022e719d39a3b5f8e32abff8defb3cd46f06a50679

SHA512
bf34def8ae9ad4883de636e7a0face55244ed466c85714f0bc88b40cd34349ce5e66e8eade5e5fc5099f7ea7cec58d732bb62b3321f7bcdedad204796299b0c1

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
94KB

MD5
aeb94a71baeeedcdb91c59b5dcccb477

SHA1
1382059c5d4c58abbe4773140dd1edfb6aa8ba82

SHA256
cd17463d215c5af94c833e341684909038d19f0cf2715ae7c770f7642315cdf4

SHA512
018c3eceb33e787e2541e4869e1e989f8a4ac747a282372081a62fd47214ef79daafab0f2632685abd0af8815ea73b85e5d571114d064631ee083603481128ee

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
94KB

MD5
c4b0787d9988cabf5c8b7892be358efc

SHA1
17f514234ffbfeec36bbc9f39c93d4e90f976e8c

SHA256
b932df8f15a9be58a8d508cd9956db8c8a96ef0cdc0fe2df5962e53357af51b4

SHA512
164940a2b1b974ff1fea701876592e3e4f5edb29b3f581574615f5ae47b193faac1d21cf7bb8266ddec8220f26bf90349b026b4901c25aad11bc2a9cc81fd867

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
94KB

MD5
de9e454d8d317f69f92c9a8136a1870a

SHA1
e4579bf19a706749bab21851e9d052ad6f90ee4f

SHA256
28596d067e7a7b26d79fe6ba2a31718a7bc09cd4f3521713610287e0228d61bb

SHA512
e7afda9bdae65cd5ef3d32e2d7cf5c091118ba2c0e58f9863b9c5aa3b074349e290c3974686f424bde5d4f7107599efb794e7f461e6ac03ac6c077f249904cb3

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
94KB

MD5
ca4b81f52db24aad212d78e0c9fdf2c9

SHA1
6f6529b18dd38fafbaf7d55f5344063b616a60dc

SHA256
7a76dd7e44217cdfc2d40afb7a025d3611de180f1656393483357d48ed8125d2

SHA512
db8e5bdcf569d7cb3febfe01a4ea22a86d2fc994e85baaafa4972f85d09f91a895483b85aec2bc03be0608dda2ba8935ca7b790b46ca144efa762ba59870c7dd

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
94KB

MD5
6e8e3d1a7b542611ceaa1818914a1a64

SHA1
7e70069be4bc3139ce1ae339511d864c1e652a80

SHA256
b491e8e8886fcd541f1eab779f20676a6ea4f835b2ed20ee1d6ed182053d6058

SHA512
7e820ed67a6c51353d0e97c562517052b76af6cd2f9c9bd4c71f6fd1ca80da6be13c5c1ce0cdee3d0d07c2406a4bbe3a176764a19a7ade6667ba9ab6e2255c2d

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
94KB

MD5
33a47e941d5802454322bb49c5b6728c

SHA1
03bca83086fc5bc30ebc2fec28c505b5014e8c2a

SHA256
0d515ac93b4c11f9383674b523915b426cac2878398e25f671b3812202377ff6

SHA512
d96b671f069ada99e828a8d74c9b20a8e3ead1841ef321bdeb456e42892bf94c76b70a378b2c4936fe3e92a08654386be92300b1eded7bc080699bfe9fc83aeb

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
94KB

MD5
b3504383db0e78f6fc40773858a312af

SHA1
bbbfdf13a03ab6dfdf27c5e8290217730b88dfea

SHA256
2f3821f234ee803ab4fc918a9e6decc40c93ba13accf95201d4c2b7582222184

SHA512
325905006f6f36fdc5711ce8572f750fa249447a14aea067a12c7b4763ddc356bd5fca8002e5f3d8da7169141f561c886b9f4e4a921338fc325989650b4a0390

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
94KB

MD5
f12d0e62bfa55e1e95d93bbdbadafe5c

SHA1
ffba150b76f2709fdabbc475ae8379f4a6327137

SHA256
5395aa475ab55c23717c49b875984a30b3654807d8eda74f686fd5230e523923

SHA512
4a27f02a0c73246167f7b3fe60478b2b293a4bd1106db545a2efa725b9268d449d6655af6a49857432c36fdb565bc1330fbe700a444fadfb5ce3fe2ae3f8e5e1

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
94KB

MD5
05f159dda5e8a4fc03b1133fa1e96a49

SHA1
697d3fa296bbd6c78c4f86730989149155b7a128

SHA256
b95ecc1f990e6915431e7a34589f6d341182dae34a8c8a692f2a6b6d6c536cd0

SHA512
2785039f18d29bbfd9b7db345b7e4d61950ebe07cc7ba7094dcb51fac9dd4de83304cb7522260313f74ed6aa423c4d84aacd15fa78f02fd0b0c343bd2abeb4f7

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
94KB

MD5
344da5a600d05221cdd75373a82b3a96

SHA1
198420b66a95596df5503e81f2e2dd9b15ee9b83

SHA256
1aed6fb3d12b8e1bce681201704ccb4850ee50314b8c8f20e93b377d53271b5c

SHA512
c77d0ac4b3c00cdb7c293962f2a1d637aecc47bc4c0e940981afcbfda26885eaae922acf72f904b1b1ed541c32ba46a758cb322e6941fb870e760e1dbc5151a7

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
94KB

MD5
d09db4bf4bca9c48364be21efa6ea707

SHA1
729768e26803b5839d442aa5b2f43ad0d7316c48

SHA256
8681fd28ce0006e7e826a2bc896374a553dc728c2254f6ba762cb141ceda9082

SHA512
ed41406f0d4797fbdb01cce41539e50247c1267595d0437adf2b9030a6aa1658b733f9db0aff43d4bbbf190cf2b384a0488a2e51d3074e787c3e19e8e94a697c

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
94KB

MD5
dae273c414702595a42a36ce3819621f

SHA1
a2fd45bcb091d027886b621ea5b7ac253b7e976a

SHA256
3c370133c2511d5fd44ea6f2c9d65b6b188804e16e2cbbc59a2773ea64357caa

SHA512
89977d605a2eb2d6f0e4944adcb30c9f4847af5f598f929586028e37d8848c885ef33cd47ac44b4759b48458af9af56bd264045fd355e283f15d3229f27dc455

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
94KB

MD5
43a6c3f2805b05349618d2574226ccfb

SHA1
4c9c2b4c47668f35df73edd216246c6353f875d1

SHA256
14758bcafe40281beb2197cf3c2d835921eb7b2982350f18c69020d05cb15586

SHA512
a5fd0349bc6223e004a3d9dd2093240f4418b7a01cb59808c06848bdff6ca187990d6b77974bf1375aa4f3a8a54a99124458d8288ace1a196a0acbe05fe6b06d

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
94KB

MD5
b8035144e1fa12ca463b13edf3f07c17

SHA1
e8ef3f7a6e30cfc8eb3cec7cd7853d148c7b8d07

SHA256
af776a5d5afb01e3c1b7e04f88651144cde1af24d0f5d135c4377295da364326

SHA512
5b01442a6fc4d1e8a952928e492db677b2d4dd0f5bffbab68fb368959f1f1f9f62344ba0d3ef5583050cc306fcc0de33665a0a2fb8f60b8850a7b4b4d816fb71

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
94KB

MD5
1c48ffe808f40b53dd122593af8a4185

SHA1
6c82872967e75d56193274e0824e120f1f0c3220

SHA256
2a2aaa8c5dfb8a331ca8c6d808f3ca143088818378fec30e4020c3a663e9f725

SHA512
2198ab2af3fbdda49c61076ca7fd99c39b05021ad32049fc7b87f16dad2da1daa1901742e3fac76c331d7394e47c66aa868291364c51497124db8008a7340df7

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
94KB

MD5
04536f8fa4f84674ce37b5cf8f9f53a4

SHA1
f568179dd86538a15c7af2ba0e6e0305dcc7b076

SHA256
20072ee2d349b216ec486860b4e023bfaa742a9c336ede639289b7b4286e2d5d

SHA512
87f5d0f20c2c4e7ca16555d0f09a826ef081047c76954af2fa6cc52eb5b692db83650163a4f5424ede8034ab762304d758b541657e9b24812723be1e48c231f6

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
94KB

MD5
a3d2808ad0c0c5134661c5a1035d5d9e

SHA1
2de793c91d91b7bd0e96a6b3f226dbdeb9fbda42

SHA256
bbe4048715d9d04e10680ef79b66e62340529f2d6dacc2a1d9fff122ed469342

SHA512
b806b19e6437fdb27d04379a8df2c9eaefd52a013080288739ea6ae0af4d9fb4a3009c1eb80479c7783b50fb63693b03c0a8c3e35198df349edd7b126c4a6f12

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
94KB

MD5
9dc015ddfe0a317d4546bcb9043177b9

SHA1
774e8b0f2125ea1af9274d6510cdb48b0b07d744

SHA256
af73d6331f9c87a8191eef9b503cd27da82cee656fdbcce62fb7c04fbe2e4bca

SHA512
399ec6fd51146597522b54fa6df8449da5cbc377acf527c17d7daca19ba4fb472f2c0f48547183390d2272572f0f36f792087c56bfc69815b3ec7f28e856bb35

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
94KB

MD5
e2780b0bb7b449be0d5f5cdf480ed835

SHA1
a51d9a07db11002f83f314a104dfa687736a3a62

SHA256
4d50888f8e140df2b0e63c498f2a38b912e9621c9d55a8ade4d04e3f941f0462

SHA512
f432ac2da7636a129500c41a2a99c4f30e9ac00b2e77fc702142e5b4cfe9dbbadabff56d84f9e8c6c34a2edd3e85c2e2769e5b0db9183781b65bba37abec1ecb

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
94KB

MD5
7133152b37d01874bad0dccbb3f54d16

SHA1
194558da06485ed6214c544f5518a5aeb9249796

SHA256
5ee0c46f6f0ff72dd1fa60ef5a17e66d28294b5f59c1d65872a24a2a06ac9981

SHA512
f1e1026aa23b7c7e5e892d2bb7204da62904023834f9f640708f86cddcfc0af87307b57eeb5dd08fb4fb5b521cc220cf8df27b6c32124cbcee568169b486ca82

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
94KB

MD5
a77523a652bd6f847e4aff2897bd6e0f

SHA1
f331b4eeec15bc38668f43b18aff2b1734474e4d

SHA256
b812cb74070d10af4bc1f81d4abb9007e453e0be31c3e97aa30ab1653d704878

SHA512
741ef6b95a42c5d3be5106aad439519107c4b15de60c60a3d1ea0f3096b9a901789b26a11f0799b8df2bd85aed0c653524182cdd0458b0fd6fc14df67606815a

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
94KB

MD5
2e7fe84d80a6319e9b499630f7988caa

SHA1
11fe30c0cf84075b5195247d596ed25b0aa3d340

SHA256
ef84f3dc32497378a0b2aa9667c139998cbf2f6d4f64ea5acdfcf082a1f9f698

SHA512
9c782e3436f3fceea373341a337d6952a81ce3dfbaac0bb699146e14c4d181ff9d8c9fd6aca68bbd0cc87ad0706cff72cebd31f2771396d24cef30acbaaae94f

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
94KB

MD5
ca09769e381cb4c0f50a462973f38acd

SHA1
1d944355a6c65a0dfb316963c2c747603677b325

SHA256
95b516f9a5704604d4f144c744a417a5b887ade0dfa1c79338c1c4b22cfb9c61

SHA512
b5bce60bbb4a15c19416e0353d303fd8869e511c579d6196c68781f18266e0f1c16f07f363a482ccb85822bdf94f2f478d7c4cf98917c10e5fd17e70e705b42f

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
94KB

MD5
c0c7ccb5abd15f47983988efeaf8f9c1

SHA1
6ac13d9861c4f14b665ae7b1052aea55e9e10d3b

SHA256
dcfc5b184ac4c1960fd045a9c4ef8c578ae9458c40de3b101cd0d5d357668760

SHA512
5d3f94586111df295bb5b975093fd08ddee1cdca430f968f6b570ec373c50f7c7b31b49b527d58f3b8f58c6b9914193ce36415615272f02b80083513f04a162f

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
94KB

MD5
e8c2ef1dcf25e945ed3187119eaa17a7

SHA1
6ab521c81f64e995523b7eb6b29f4ca09a62186d

SHA256
bd8d7a8cb612dac880b2e32ec85b2ba81cbe1d4aed2fc201d22fa09e786d3ffe

SHA512
0d782d18fadcea3db9032bbcf3d61f33ad71b22ee3f4a142cee2e7e0e8228d3fb7e9ce8e1f8b7d4b7a6db46b014d41842d3e6660dd4cee32f65ab4f2aa983531

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
94KB

MD5
4150a3c81f8c9bb015212963600a682d

SHA1
a9fae0b62a33dbb7bb604bc0f9c09b45f56ea769

SHA256
085a612bc3c4465c0799363d13104f54dd8a529d51bc393c7b1bd31dc9f7f699

SHA512
8f6d9a6c80fd8579066ddbc739023ae90c74d5924f5aee3dc3da25f12b58382b2d2946881f81f3db197c91307a83ffce92c7f3f4b9eb755ff6ddb0b1180eedaa

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
94KB

MD5
0291f18eebff9b275a10c24aa510e767

SHA1
ddd9ea8243698788e26691adcf0398cf696496e1

SHA256
05063276e59ddd6751d3cd0ad7bf47fa4f03b4c0a1b2cf74ea9b3b05a4867c09

SHA512
51f3ad8acabfc00efa39b415df1388d65ba9f44c636a0e7db10e0db726b0d52fa59404b58dbeee8619e8f4506c3e5a8087adb8ae536374839c20720fa52b014b

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
94KB

MD5
4545c00650a471642eda85523d378cd0

SHA1
48529b82f70779a9070f6842959734fd87aa97d7

SHA256
400c95160ab6f7069064fd6b20266ad1aa5f28509f41e99e847f5cef310e236d

SHA512
abee41f2530013b6bb1ea7bd293eb5c23e1775e921f8d10f53e8f899bf7e809a623f11e6560ed5daa8156d2aa5e184e619b6bdc77af42addfe240f8c8944d4ee

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
94KB

MD5
2115941148d30d52a9ed1080db194927

SHA1
8e90ecceafde5e5080ebca89ac7798a0ffe758f1

SHA256
fa5c40afe58b07f0057ca490a33324d3eb36e07e2422e70e800ea27c305c690f

SHA512
2638b16a431d0f0cf8e117193b8babceda6f174df4d34429696da04fbd52110f95a59be38d79d0c6fcc2b8dbc408eb4f5bfcae3926279c502ef96a01bfc6fe0b

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
94KB

MD5
39066c46ce5642614a1d8d1a97dededc

SHA1
d22c5ba209a6b9854b4548f027285461d53c17a5

SHA256
d72f7f3f7591a735575e976aa9147ac34deaed7ea4d7397f9005657a8d893e72

SHA512
92ae292bbe857d5e394b42fc6ec8c786ac0385d6f653f694d93967448bbe5fced0c89366bee67737a358f9de84d22b63af36e512ec3d3ce11479f3477537f1bf

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
94KB

MD5
155432308199d2c454e2bbf4b5c93532

SHA1
c1fdaa7a652dd1a5194081e83eb59e8df6b39205

SHA256
38bf21a58a3f0cd981e673c11bf8ec9caf3e6a326b583e4d978a97f0759d773c

SHA512
7c3075a8eba395f0cc712eec7d2a3d4b9bbc44f947c9d8ba021cd35d78ae74a6ab55bb9f7e0b56e996bf6749510adcb584fbdd2cc3bffd74ca851596f28650a5

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
94KB

MD5
eed3db1d1179ca7e0b4845bdbf2e7a91

SHA1
abeec15e096908d2f6e1b11f7adc2e8774cd5792

SHA256
9ff41b2e7d843c58351ba664d3de8ad976112ec49d4dd13e95596ce00d132cb9

SHA512
4120671dda8ebafde6b6ca458da5edc29bdf553a0c28e2192ce7d6c58cfcbd3fccc50bb6bceb4c019ff8d88b1abc92ac5c4df54ed35c49d8209c296bded84fd2

Download Submit
memory/468-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/468-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/512-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/512-174-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/644-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/644-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1112-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1112-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1116-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1116-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1144-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1144-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1196-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1332-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1384-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1432-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1464-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1468-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1572-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1608-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1816-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2096-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2096-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2168-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2168-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2316-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2324-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2324-113-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2340-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2340-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2412-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2412-367-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2548-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2548-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2580-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2580-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2664-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2664-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2824-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2824-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3020-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3020-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3032-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3032-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3344-392-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3344-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3528-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3528-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3556-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3636-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3668-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3668-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3724-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3724-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3888-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3888-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3920-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3920-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3924-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3924-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4024-433-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4112-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4112-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4144-429-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4144-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4184-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4184-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4184-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4236-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4236-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4340-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4536-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4536-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4764-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4764-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4772-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4872-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4920-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4920-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4964-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4964-408-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5028-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads