xmrig | b0c4e9d5de5106cab9caf568d4908e1f6a2be004cacc26681f5a40dcdcf2b2b5

Analysis

max time kernel
24s
max time network
122s
platform
windows10_x64
resource
win10v20210410
submitted
18-07-2021 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0c4e9d5de5106cab9caf568d4908e1f6a2be004cacc26681f5a40dcdcf2b2b5.exe
Size

1.0MB
MD5

11c760e98364a8b796bdc8714c55df6b
SHA1

901e5f56e218c397a07f852affc1c9d72ceae99e
SHA256

b0c4e9d5de5106cab9caf568d4908e1f6a2be004cacc26681f5a40dcdcf2b2b5
SHA512

22eed55f5e02995c84000ecb8ee10719a24ec3097210af67b4daa7d608e85a98dc41a1eb9702f5b7df8dd2b1b279d63bef6913bf108f049921003f49ef39b910

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 64 IoCs

Processes:

Bhnhcodg.exeBddihpjk.exeCedebc32.exeColjkihn.exeCefbhcpk.exeCjcjpjnb.exeCeiombmh.exeCoacfh32.exeClecplcb.exeDooogfhi.exeEoalmf32.exeElelfj32.exeFophnd32.exeFdlqgkhn.exeFapapogg.exeFlfemhfm.exeGkbhoc32.exeGdjmhiln.exeGopaea32.exeGfjiblcp.exeGcnjkpaj.exeHidejehg.exeHfhfci32.exeIoecgo32.exeIfoldhqh.exeJmpjaa32.exeJbmbih32.exeJigkfbga.exeJljqnm32.exeKedalb32.exeKbhbeg32.exeKlagnl32.exeKbkokfdd.exeKpoodkcn.exeKlepil32.exeLbphff32.exeLdoepigb.exeLfmaldff.exeLmlbdnim.exeLbikldhd.exeLegghp32.exeLlapejne.exeMdhgfgog.exeMiepnnmo.exeMpohkh32.exeMgiqhb32.exeMijiin32.exeMpdafhqf.exeMgnjcb32.exeMmhbpl32.exeMpfnlg32.exeMgpghafp.exeMiocdmed.exeNphkag32.exeNeecjn32.exeNlolfh32.exeNcidcbib.exeNehponie.exeNmohpkih.exeNdiqme32.exeNggmiq32.exeNldeagnp.exeNcnnna32.exeNeljjm32.exe

pid	process
400	Bhnhcodg.exe
1332	Bddihpjk.exe
1576	Cedebc32.exe
1928	Coljkihn.exe
2164	Cefbhcpk.exe
2388	Cjcjpjnb.exe
2648	Ceiombmh.exe
2708	Coacfh32.exe
3512	Clecplcb.exe
2840	Dooogfhi.exe
3748	Eoalmf32.exe
1200	Elelfj32.exe
2124	Fophnd32.exe
1360	Fdlqgkhn.exe
1248	Fapapogg.exe
2080	Flfemhfm.exe
1792	Gkbhoc32.exe
1012	Gdjmhiln.exe
3984	Gopaea32.exe
2716	Gfjiblcp.exe
4112	Gcnjkpaj.exe
4140	Hidejehg.exe
4168	Hfhfci32.exe
4196	Ioecgo32.exe
4236	Ifoldhqh.exe
4268	Jmpjaa32.exe
4296	Jbmbih32.exe
4324	Jigkfbga.exe
4352	Jljqnm32.exe
4380	Kedalb32.exe
4444	Kbhbeg32.exe
4476	Klagnl32.exe
4512	Kbkokfdd.exe
4532	Kpoodkcn.exe
4556	Klepil32.exe
4580	Lbphff32.exe
4600	Ldoepigb.exe
4620	Lfmaldff.exe
4640	Lmlbdnim.exe
4660	Lbikldhd.exe
4680	Legghp32.exe
4700	Llapejne.exe
4720	Mdhgfgog.exe
4740	Miepnnmo.exe
4772	Mpohkh32.exe
4796	Mgiqhb32.exe
4824	Mijiin32.exe
4844	Mpdafhqf.exe
4864	Mgnjcb32.exe
4884	Mmhbpl32.exe
4904	Mpfnlg32.exe
4924	Mgpghafp.exe
4944	Miocdmed.exe
4964	Nphkag32.exe
4984	Neecjn32.exe
5004	Nlolfh32.exe
5024	Ncidcbib.exe
5044	Nehponie.exe
5064	Nmohpkih.exe
5084	Ndiqme32.exe
5104	Nggmiq32.exe
3920	Nldeagnp.exe
8	Ncnnna32.exe
2804	Neljjm32.exe

Drops file in System32 directory 64 IoCs

Processes:

Hdnpia32.exeMpohkh32.exeNmohpkih.exePnhdmg32.exeAnbgcf32.exeAfbechde.exeDhbckfoc.exeGkaadm32.exeHgfokl32.exeInijndjh.exeMlebfcfd.exeBmgmlpae.exeDajhclec.exeKpgbieej.exeKbhkkq32.exeMgiqhb32.exeNeofpm32.exeAjkdng32.exeDamdikca.exeAfdbig32.exeCecnhm32.exeJiakqm32.exeOcbgiaag.exePcnfeogj.exeBjbjofhi.exeIkfdgj32.exeIkmjgiia.exeLpeojc32.exeOjahajeo.exeAndcif32.exeChiqdggn.exeEhkfaegh.exeGdlccb32.exeBqlbkp32.exeDngblaje.exeInpghfbb.exeIopcaiie.exeJbaejahc.exeMpdafhqf.exeGdbpmc32.exeGohdjl32.exeGdjfnbhb.exeLhnfif32.exeMooegojm.exeb0c4e9d5de5106cab9caf568d4908e1f6a2be004cacc26681f5a40dcdcf2b2b5.exeOpdkmebc.exePgloknnp.exePjmhmika.exeEklobp32.exeHndglgmp.exeLebgcj32.exeGopaea32.exeJigkfbga.exeLegghp32.exeNcpjca32.exeJfjdeqbo.exeKngfob32.exeMhemjebp.exeCefbhcpk.exeNlolfh32.exeFkebio32.exeFnihpigm.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Oqdlebfj.dll	Hdnpia32.exe
File opened for modification	C:\Windows\SysWOW64\Mgiqhb32.exe	Mpohkh32.exe
File created	C:\Windows\SysWOW64\Ndiqme32.exe	Nmohpkih.exe
File opened for modification	C:\Windows\SysWOW64\Pdbljajg.exe	Pnhdmg32.exe
File created	C:\Windows\SysWOW64\Aqpcpa32.exe	Anbgcf32.exe
File created	C:\Windows\SysWOW64\Animdedh.exe	Afbechde.exe
File created	C:\Windows\SysWOW64\Djqpgang.exe	Dhbckfoc.exe
File created	C:\Windows\SysWOW64\Gakjagin.exe	Gkaadm32.exe
File created	C:\Windows\SysWOW64\Ehjcoobn.dll	Hgfokl32.exe
File opened for modification	C:\Windows\SysWOW64\Ifqaobkj.exe	Inijndjh.exe
File created	C:\Windows\SysWOW64\Gfnncf32.dll	Mlebfcfd.exe
File created	C:\Windows\SysWOW64\Bcaehj32.exe	Bmgmlpae.exe
File opened for modification	C:\Windows\SysWOW64\Ddidpgdg.exe	Dajhclec.exe
File opened for modification	C:\Windows\SysWOW64\Kbeoeadn.exe	Kpgbieej.exe
File created	C:\Windows\SysWOW64\Kefggl32.exe	Kbhkkq32.exe
File created	C:\Windows\SysWOW64\Gfpiij32.dll	Kbhkkq32.exe
File created	C:\Windows\SysWOW64\Dnbngb32.dll	Mgiqhb32.exe
File opened for modification	C:\Windows\SysWOW64\Nnfnaj32.exe	Neofpm32.exe
File opened for modification	C:\Windows\SysWOW64\Amiqjb32.exe	Ajkdng32.exe
File opened for modification	C:\Windows\SysWOW64\Edkaegbd.exe	Damdikca.exe
File created	C:\Windows\SysWOW64\Nibloohg.dll	Afdbig32.exe
File created	C:\Windows\SysWOW64\Bdkkjbgl.dll	Cecnhm32.exe
File created	C:\Windows\SysWOW64\Jpnddhfj.dll	Jiakqm32.exe
File created	C:\Windows\SysWOW64\Oeacelqk.exe	Ocbgiaag.exe
File created	C:\Windows\SysWOW64\Oandmq32.dll	Pcnfeogj.exe
File created	C:\Windows\SysWOW64\Bqlbkp32.exe	Bjbjofhi.exe
File opened for modification	C:\Windows\SysWOW64\Iobpghgb.exe	Ikfdgj32.exe
File created	C:\Windows\SysWOW64\Jnlfcd32.exe	Ikmjgiia.exe
File created	C:\Windows\SysWOW64\Lbckfo32.exe	Lpeojc32.exe
File opened for modification	C:\Windows\SysWOW64\Opkand32.exe	Ojahajeo.exe
File created	C:\Windows\SysWOW64\Adnlfp32.exe	Andcif32.exe
File opened for modification	C:\Windows\SysWOW64\Cnciaanj.exe	Chiqdggn.exe
File created	C:\Windows\SysWOW64\Kkebfpll.dll	Ehkfaegh.exe
File opened for modification	C:\Windows\SysWOW64\Ggjoom32.exe	Gdlccb32.exe
File created	C:\Windows\SysWOW64\Hkieff32.dll	Ikmjgiia.exe
File opened for modification	C:\Windows\SysWOW64\Bgfkhj32.exe	Bqlbkp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddkeh32.exe	Dngblaje.exe
File opened for modification	C:\Windows\SysWOW64\Idjodp32.exe	Inpghfbb.exe
File created	C:\Windows\SysWOW64\Gqhohfhb.dll	Iopcaiie.exe
File opened for modification	C:\Windows\SysWOW64\Jikmgl32.exe	Jbaejahc.exe
File opened for modification	C:\Windows\SysWOW64\Mgnjcb32.exe	Mpdafhqf.exe
File created	C:\Windows\SysWOW64\Gohdjl32.exe	Gdbpmc32.exe
File created	C:\Windows\SysWOW64\Geblgfem.exe	Gohdjl32.exe
File created	C:\Windows\SysWOW64\Gfjckgkb.dll	Gdjfnbhb.exe
File opened for modification	C:\Windows\SysWOW64\Lpeojc32.exe	Lhnfif32.exe
File created	C:\Windows\SysWOW64\Okdehk32.dll	Mooegojm.exe
File opened for modification	C:\Windows\SysWOW64\Bhnhcodg.exe	b0c4e9d5de5106cab9caf568d4908e1f6a2be004cacc26681f5a40dcdcf2b2b5.exe
File opened for modification	C:\Windows\SysWOW64\Ocbgiaag.exe	Opdkmebc.exe
File created	C:\Windows\SysWOW64\Nqlhob32.dll	Pgloknnp.exe
File created	C:\Windows\SysWOW64\Pmmhha32.dll	Pjmhmika.exe
File created	C:\Windows\SysWOW64\Ebbpdm32.dll	Eklobp32.exe
File created	C:\Windows\SysWOW64\Hdnpia32.exe	Hndglgmp.exe
File created	C:\Windows\SysWOW64\Pgimmfkn.dll	Lebgcj32.exe
File created	C:\Windows\SysWOW64\Mfphok32.dll	Gopaea32.exe
File created	C:\Windows\SysWOW64\Fbhjma32.dll	Jigkfbga.exe
File created	C:\Windows\SysWOW64\Llapejne.exe	Legghp32.exe
File created	C:\Windows\SysWOW64\Jiaiof32.dll	Ncpjca32.exe
File created	C:\Windows\SysWOW64\Bjolldkn.dll	Jfjdeqbo.exe
File opened for modification	C:\Windows\SysWOW64\Keanlmed.exe	Kngfob32.exe
File created	C:\Windows\SysWOW64\Mooegojm.exe	Mhemjebp.exe
File created	C:\Windows\SysWOW64\Lbnckc32.dll	Cefbhcpk.exe
File created	C:\Windows\SysWOW64\Ncidcbib.exe	Nlolfh32.exe
File opened for modification	C:\Windows\SysWOW64\Fapjehck.exe	Fkebio32.exe
File opened for modification	C:\Windows\SysWOW64\Gdbpmc32.exe	Fnihpigm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

8176 8124 WerFault.exe Menfoimd.exe

pid	pid_target	process	target process
8176	8124	WerFault.exe	Menfoimd.exe

Modifies registry class 64 IoCs

Processes:

Elelfj32.exeMgnjcb32.exeNldeagnp.exePdncob32.exePnkacgah.exeDngblaje.exeInijndjh.exeMhemjebp.exeCedebc32.exeMpfnlg32.exeOpnncd32.exeCjepkchd.exeKifmbj32.exeLhljdf32.exeLpcbed32.exeAgmhbk32.exeAnimdedh.exeBeaabmpd.exeEhkfaegh.exeKbkokfdd.exePgloknnp.exeEoaebpbj.exeHgohjman.exeJokcmgoh.exeKpgbieej.exeKefggl32.exeNmohpkih.exeOpkand32.exePlihcdlh.exeDajhclec.exeEoeono32.exeEmkkok32.exeFdljld32.exeLebgcj32.exeMooegojm.exeMpohkh32.exeAcoolm32.exeHgfokl32.exeMbojbmna.exeBjbjofhi.exeIhmaenlp.exeLfacmm32.exeOeacelqk.exePdppdblj.exeBfndof32.exeFgemmq32.exeJiakqm32.exeMekjii32.exeCjcjpjnb.exeFophnd32.exeCecnhm32.exeKbhkkq32.exeJljqnm32.exeOjahajeo.exeAdnlfp32.exeAchbbl32.exeGkoeomcd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfgfh32.dll"	Elelfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgnjcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolmac32.dll"	Nldeagnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdncob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edccec32.dll"	Pnkacgah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dngblaje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Inijndjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhemjebp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnkknh32.dll"	Cedebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpfnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmeeqfmp.dll"	Opnncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaffld32.dll"	Cjepkchd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kifmbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhljdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcbed32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agmhbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Animdedh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafea32.dll"	Beaabmpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danehmmk.dll"	Dngblaje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ehkfaegh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbkokfdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqlhob32.dll"	Pgloknnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhekd32.dll"	Eoaebpbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hgohjman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jokcmgoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljaeb32.dll"	Kpgbieej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmplmop.dll"	Kefggl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmohpkih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eamoeblk.dll"	Opkand32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opnncd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Plihcdlh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dajhclec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehkfaegh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eoeono32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dppcfh32.dll"	Emkkok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fdljld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lebgcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mooegojm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpohkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adkhlk32.dll"	Acoolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hgfokl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Inijndjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbojbmna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjbjofhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baaalo32.dll"	Ihmaenlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlblc32.dll"	Lfacmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facicapl.dll"	Oeacelqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poffigqh.dll"	Pdppdblj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkkka32.dll"	Bjbjofhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfndof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkbncmh.dll"	Fgemmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiakqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpebcb32.dll"	Mekjii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjcjpjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbliepb.dll"	Fophnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beaabmpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cecnhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbhkkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfnnm32.dll"	Jljqnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpfbojgn.dll"	Ojahajeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjmiiem.dll"	Adnlfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoaobc32.dll"	Achbbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dajhclec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gkoeomcd.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

WerFault.exe

pid	process
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe
8176	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 8176 WerFault.exe
Token: SeBackupPrivilege 8176 WerFault.exe
Token: SeDebugPrivilege 8176 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	8176	WerFault.exe
Token: SeBackupPrivilege	8176	WerFault.exe
Token: SeDebugPrivilege	8176	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b0c4e9d5de5106cab9caf568d4908e1f6a2be004cacc26681f5a40dcdcf2b2b5.exeBhnhcodg.exeBddihpjk.exeCedebc32.exeColjkihn.exeCefbhcpk.exeCjcjpjnb.exeCeiombmh.exeCoacfh32.exeClecplcb.exeDooogfhi.exeEoalmf32.exeElelfj32.exeFophnd32.exeFdlqgkhn.exeFapapogg.exeFlfemhfm.exeGkbhoc32.exeGdjmhiln.exeGopaea32.exeGfjiblcp.exeGcnjkpaj.exe

description	pid	process	target process
PID 3908 wrote to memory of 400	3908	b0c4e9d5de5106cab9caf568d4908e1f6a2be004cacc26681f5a40dcdcf2b2b5.exe	Bhnhcodg.exe
PID 3908 wrote to memory of 400	3908	b0c4e9d5de5106cab9caf568d4908e1f6a2be004cacc26681f5a40dcdcf2b2b5.exe	Bhnhcodg.exe
PID 3908 wrote to memory of 400	3908	b0c4e9d5de5106cab9caf568d4908e1f6a2be004cacc26681f5a40dcdcf2b2b5.exe	Bhnhcodg.exe
PID 400 wrote to memory of 1332	400	Bhnhcodg.exe	Bddihpjk.exe
PID 400 wrote to memory of 1332	400	Bhnhcodg.exe	Bddihpjk.exe
PID 400 wrote to memory of 1332	400	Bhnhcodg.exe	Bddihpjk.exe
PID 1332 wrote to memory of 1576	1332	Bddihpjk.exe	Cedebc32.exe
PID 1332 wrote to memory of 1576	1332	Bddihpjk.exe	Cedebc32.exe
PID 1332 wrote to memory of 1576	1332	Bddihpjk.exe	Cedebc32.exe
PID 1576 wrote to memory of 1928	1576	Cedebc32.exe	Coljkihn.exe
PID 1576 wrote to memory of 1928	1576	Cedebc32.exe	Coljkihn.exe
PID 1576 wrote to memory of 1928	1576	Cedebc32.exe	Coljkihn.exe
PID 1928 wrote to memory of 2164	1928	Coljkihn.exe	Cefbhcpk.exe
PID 1928 wrote to memory of 2164	1928	Coljkihn.exe	Cefbhcpk.exe
PID 1928 wrote to memory of 2164	1928	Coljkihn.exe	Cefbhcpk.exe
PID 2164 wrote to memory of 2388	2164	Cefbhcpk.exe	Cjcjpjnb.exe
PID 2164 wrote to memory of 2388	2164	Cefbhcpk.exe	Cjcjpjnb.exe
PID 2164 wrote to memory of 2388	2164	Cefbhcpk.exe	Cjcjpjnb.exe
PID 2388 wrote to memory of 2648	2388	Cjcjpjnb.exe	Ceiombmh.exe
PID 2388 wrote to memory of 2648	2388	Cjcjpjnb.exe	Ceiombmh.exe
PID 2388 wrote to memory of 2648	2388	Cjcjpjnb.exe	Ceiombmh.exe
PID 2648 wrote to memory of 2708	2648	Ceiombmh.exe	Coacfh32.exe
PID 2648 wrote to memory of 2708	2648	Ceiombmh.exe	Coacfh32.exe
PID 2648 wrote to memory of 2708	2648	Ceiombmh.exe	Coacfh32.exe
PID 2708 wrote to memory of 3512	2708	Coacfh32.exe	Clecplcb.exe
PID 2708 wrote to memory of 3512	2708	Coacfh32.exe	Clecplcb.exe
PID 2708 wrote to memory of 3512	2708	Coacfh32.exe	Clecplcb.exe
PID 3512 wrote to memory of 2840	3512	Clecplcb.exe	Dooogfhi.exe
PID 3512 wrote to memory of 2840	3512	Clecplcb.exe	Dooogfhi.exe
PID 3512 wrote to memory of 2840	3512	Clecplcb.exe	Dooogfhi.exe
PID 2840 wrote to memory of 3748	2840	Dooogfhi.exe	Eoalmf32.exe
PID 2840 wrote to memory of 3748	2840	Dooogfhi.exe	Eoalmf32.exe
PID 2840 wrote to memory of 3748	2840	Dooogfhi.exe	Eoalmf32.exe
PID 3748 wrote to memory of 1200	3748	Eoalmf32.exe	Elelfj32.exe
PID 3748 wrote to memory of 1200	3748	Eoalmf32.exe	Elelfj32.exe
PID 3748 wrote to memory of 1200	3748	Eoalmf32.exe	Elelfj32.exe
PID 1200 wrote to memory of 2124	1200	Elelfj32.exe	Fophnd32.exe
PID 1200 wrote to memory of 2124	1200	Elelfj32.exe	Fophnd32.exe
PID 1200 wrote to memory of 2124	1200	Elelfj32.exe	Fophnd32.exe
PID 2124 wrote to memory of 1360	2124	Fophnd32.exe	Fdlqgkhn.exe
PID 2124 wrote to memory of 1360	2124	Fophnd32.exe	Fdlqgkhn.exe
PID 2124 wrote to memory of 1360	2124	Fophnd32.exe	Fdlqgkhn.exe
PID 1360 wrote to memory of 1248	1360	Fdlqgkhn.exe	Fapapogg.exe
PID 1360 wrote to memory of 1248	1360	Fdlqgkhn.exe	Fapapogg.exe
PID 1360 wrote to memory of 1248	1360	Fdlqgkhn.exe	Fapapogg.exe
PID 1248 wrote to memory of 2080	1248	Fapapogg.exe	Flfemhfm.exe
PID 1248 wrote to memory of 2080	1248	Fapapogg.exe	Flfemhfm.exe
PID 1248 wrote to memory of 2080	1248	Fapapogg.exe	Flfemhfm.exe
PID 2080 wrote to memory of 1792	2080	Flfemhfm.exe	Gkbhoc32.exe
PID 2080 wrote to memory of 1792	2080	Flfemhfm.exe	Gkbhoc32.exe
PID 2080 wrote to memory of 1792	2080	Flfemhfm.exe	Gkbhoc32.exe
PID 1792 wrote to memory of 1012	1792	Gkbhoc32.exe	Gdjmhiln.exe
PID 1792 wrote to memory of 1012	1792	Gkbhoc32.exe	Gdjmhiln.exe
PID 1792 wrote to memory of 1012	1792	Gkbhoc32.exe	Gdjmhiln.exe
PID 1012 wrote to memory of 3984	1012	Gdjmhiln.exe	Gopaea32.exe
PID 1012 wrote to memory of 3984	1012	Gdjmhiln.exe	Gopaea32.exe
PID 1012 wrote to memory of 3984	1012	Gdjmhiln.exe	Gopaea32.exe
PID 3984 wrote to memory of 2716	3984	Gopaea32.exe	Gfjiblcp.exe
PID 3984 wrote to memory of 2716	3984	Gopaea32.exe	Gfjiblcp.exe
PID 3984 wrote to memory of 2716	3984	Gopaea32.exe	Gfjiblcp.exe
PID 2716 wrote to memory of 4112	2716	Gfjiblcp.exe	Gcnjkpaj.exe
PID 2716 wrote to memory of 4112	2716	Gfjiblcp.exe	Gcnjkpaj.exe
PID 2716 wrote to memory of 4112	2716	Gfjiblcp.exe	Gcnjkpaj.exe
PID 4112 wrote to memory of 4140	4112	Gcnjkpaj.exe	Hidejehg.exe

C:\Users\Admin\AppData\Local\Temp\b0c4e9d5de5106cab9caf568d4908e1f6a2be004cacc26681f5a40dcdcf2b2b5.exe
"C:\Users\Admin\AppData\Local\Temp\b0c4e9d5de5106cab9caf568d4908e1f6a2be004cacc26681f5a40dcdcf2b2b5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\Bhnhcodg.exe
C:\Windows\system32\Bhnhcodg.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\Bddihpjk.exe
C:\Windows\system32\Bddihpjk.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\Cedebc32.exe
C:\Windows\system32\Cedebc32.exe
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\Coljkihn.exe
C:\Windows\system32\Coljkihn.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\Cefbhcpk.exe
C:\Windows\system32\Cefbhcpk.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\Cjcjpjnb.exe
C:\Windows\system32\Cjcjpjnb.exe
7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\Ceiombmh.exe
C:\Windows\system32\Ceiombmh.exe
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\Coacfh32.exe
C:\Windows\system32\Coacfh32.exe
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\Clecplcb.exe
C:\Windows\system32\Clecplcb.exe
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\Dooogfhi.exe
C:\Windows\system32\Dooogfhi.exe
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\Eoalmf32.exe
C:\Windows\system32\Eoalmf32.exe
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\Elelfj32.exe
C:\Windows\system32\Elelfj32.exe
13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\Fophnd32.exe
C:\Windows\system32\Fophnd32.exe
14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\Fdlqgkhn.exe
C:\Windows\system32\Fdlqgkhn.exe
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\Fapapogg.exe
C:\Windows\system32\Fapapogg.exe
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\Flfemhfm.exe
C:\Windows\system32\Flfemhfm.exe
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\Gkbhoc32.exe
C:\Windows\system32\Gkbhoc32.exe
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\Gdjmhiln.exe
C:\Windows\system32\Gdjmhiln.exe
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\Gopaea32.exe
C:\Windows\system32\Gopaea32.exe
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\Gfjiblcp.exe
C:\Windows\system32\Gfjiblcp.exe
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\Gcnjkpaj.exe
C:\Windows\system32\Gcnjkpaj.exe
22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\Hidejehg.exe
C:\Windows\system32\Hidejehg.exe
23⤵
- Executes dropped EXE
PID:4140

C:\Windows\SysWOW64\Hfhfci32.exe
C:\Windows\system32\Hfhfci32.exe
24⤵
- Executes dropped EXE
PID:4168

C:\Windows\SysWOW64\Ioecgo32.exe
C:\Windows\system32\Ioecgo32.exe
25⤵
- Executes dropped EXE
PID:4196

C:\Windows\SysWOW64\Ifoldhqh.exe
C:\Windows\system32\Ifoldhqh.exe
26⤵
- Executes dropped EXE
PID:4236

C:\Windows\SysWOW64\Jmpjaa32.exe
C:\Windows\system32\Jmpjaa32.exe
27⤵
- Executes dropped EXE
PID:4268

C:\Windows\SysWOW64\Jbmbih32.exe
C:\Windows\system32\Jbmbih32.exe
28⤵
- Executes dropped EXE
PID:4296

C:\Windows\SysWOW64\Jigkfbga.exe
C:\Windows\system32\Jigkfbga.exe
29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4324

C:\Windows\SysWOW64\Jljqnm32.exe
C:\Windows\system32\Jljqnm32.exe
30⤵
- Executes dropped EXE
- Modifies registry class
PID:4352

C:\Windows\SysWOW64\Kedalb32.exe
C:\Windows\system32\Kedalb32.exe
31⤵
- Executes dropped EXE
PID:4380

C:\Windows\SysWOW64\Kbhbeg32.exe
C:\Windows\system32\Kbhbeg32.exe
32⤵
- Executes dropped EXE
PID:4444

C:\Windows\SysWOW64\Klagnl32.exe
C:\Windows\system32\Klagnl32.exe
33⤵
- Executes dropped EXE
PID:4476

C:\Windows\SysWOW64\Kbkokfdd.exe
C:\Windows\system32\Kbkokfdd.exe
34⤵
- Executes dropped EXE
- Modifies registry class
PID:4512

C:\Windows\SysWOW64\Kpoodkcn.exe
C:\Windows\system32\Kpoodkcn.exe
35⤵
- Executes dropped EXE
PID:4532

C:\Windows\SysWOW64\Klepil32.exe
C:\Windows\system32\Klepil32.exe
36⤵
- Executes dropped EXE
PID:4556

C:\Windows\SysWOW64\Lbphff32.exe
C:\Windows\system32\Lbphff32.exe
37⤵
- Executes dropped EXE
PID:4580

C:\Windows\SysWOW64\Ldoepigb.exe
C:\Windows\system32\Ldoepigb.exe
38⤵
- Executes dropped EXE
PID:4600

C:\Windows\SysWOW64\Lfmaldff.exe
C:\Windows\system32\Lfmaldff.exe
39⤵
- Executes dropped EXE
PID:4620

C:\Windows\SysWOW64\Lmlbdnim.exe
C:\Windows\system32\Lmlbdnim.exe
40⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWOW64\Lbikldhd.exe
C:\Windows\system32\Lbikldhd.exe
41⤵
- Executes dropped EXE
PID:4660

C:\Windows\SysWOW64\Legghp32.exe
C:\Windows\system32\Legghp32.exe
42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4680

C:\Windows\SysWOW64\Llapejne.exe
C:\Windows\system32\Llapejne.exe
43⤵
- Executes dropped EXE
PID:4700

C:\Windows\SysWOW64\Mdhgfgog.exe
C:\Windows\system32\Mdhgfgog.exe
44⤵
- Executes dropped EXE
PID:4720

C:\Windows\SysWOW64\Miepnnmo.exe
C:\Windows\system32\Miepnnmo.exe
45⤵
- Executes dropped EXE
PID:4740

C:\Windows\SysWOW64\Mpohkh32.exe
C:\Windows\system32\Mpohkh32.exe
46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4772

C:\Windows\SysWOW64\Mgiqhb32.exe
C:\Windows\system32\Mgiqhb32.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4796

C:\Windows\SysWOW64\Mijiin32.exe
C:\Windows\system32\Mijiin32.exe
48⤵
- Executes dropped EXE
PID:4824

C:\Windows\SysWOW64\Mpdafhqf.exe
C:\Windows\system32\Mpdafhqf.exe
49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4844

C:\Windows\SysWOW64\Mgnjcb32.exe
C:\Windows\system32\Mgnjcb32.exe
50⤵
- Executes dropped EXE
- Modifies registry class
PID:4864

C:\Windows\SysWOW64\Mmhbpl32.exe
C:\Windows\system32\Mmhbpl32.exe
51⤵
- Executes dropped EXE
PID:4884

C:\Windows\SysWOW64\Mpfnlg32.exe
C:\Windows\system32\Mpfnlg32.exe
52⤵
- Executes dropped EXE
- Modifies registry class
PID:4904

C:\Windows\SysWOW64\Mgpghafp.exe
C:\Windows\system32\Mgpghafp.exe
53⤵
- Executes dropped EXE
PID:4924

C:\Windows\SysWOW64\Miocdmed.exe
C:\Windows\system32\Miocdmed.exe
54⤵
- Executes dropped EXE
PID:4944

C:\Windows\SysWOW64\Nphkag32.exe
C:\Windows\system32\Nphkag32.exe
55⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWOW64\Neecjn32.exe
C:\Windows\system32\Neecjn32.exe
56⤵
- Executes dropped EXE
PID:4984

C:\Windows\SysWOW64\Nlolfh32.exe
C:\Windows\system32\Nlolfh32.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5004

C:\Windows\SysWOW64\Ncidcbib.exe
C:\Windows\system32\Ncidcbib.exe
58⤵
- Executes dropped EXE
PID:5024

C:\Windows\SysWOW64\Nehponie.exe
C:\Windows\system32\Nehponie.exe
59⤵
- Executes dropped EXE
PID:5044

C:\Windows\SysWOW64\Nmohpkih.exe
C:\Windows\system32\Nmohpkih.exe
60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5064

C:\Windows\SysWOW64\Ndiqme32.exe
C:\Windows\system32\Ndiqme32.exe
61⤵
- Executes dropped EXE
PID:5084

C:\Windows\SysWOW64\Nggmiq32.exe
C:\Windows\system32\Nggmiq32.exe
62⤵
- Executes dropped EXE
PID:5104

C:\Windows\SysWOW64\Nldeagnp.exe
C:\Windows\system32\Nldeagnp.exe
63⤵
- Executes dropped EXE
- Modifies registry class
PID:3920

C:\Windows\SysWOW64\Ncnnna32.exe
C:\Windows\system32\Ncnnna32.exe
64⤵
- Executes dropped EXE
PID:8

C:\Windows\SysWOW64\Neljjm32.exe
C:\Windows\system32\Neljjm32.exe
65⤵
- Executes dropped EXE
PID:2804

C:\Windows\SysWOW64\Npbngf32.exe
C:\Windows\system32\Npbngf32.exe
66⤵
PID:4124

C:\Windows\SysWOW64\Ncpjca32.exe
C:\Windows\system32\Ncpjca32.exe
67⤵
- Drops file in System32 directory
PID:4156

C:\Windows\SysWOW64\Neofpm32.exe
C:\Windows\system32\Neofpm32.exe
68⤵
- Drops file in System32 directory
PID:4212

C:\Windows\SysWOW64\Nnfnaj32.exe
C:\Windows\system32\Nnfnaj32.exe
69⤵
PID:4256

C:\Windows\SysWOW64\Opdkmebc.exe
C:\Windows\system32\Opdkmebc.exe
70⤵
- Drops file in System32 directory
PID:4216

C:\Windows\SysWOW64\Ocbgiaag.exe
C:\Windows\system32\Ocbgiaag.exe
71⤵
- Drops file in System32 directory
PID:4284

C:\Windows\SysWOW64\Oeacelqk.exe
C:\Windows\system32\Oeacelqk.exe
72⤵
- Modifies registry class
PID:4360

C:\Windows\SysWOW64\Onhkfjam.exe
C:\Windows\system32\Onhkfjam.exe
73⤵
PID:4400

C:\Windows\SysWOW64\Opfgbepa.exe
C:\Windows\system32\Opfgbepa.exe
74⤵
PID:4540

C:\Windows\SysWOW64\Ocecoqod.exe
C:\Windows\system32\Ocecoqod.exe
75⤵
PID:4440

C:\Windows\SysWOW64\Ogcleoek.exe
C:\Windows\system32\Ogcleoek.exe
76⤵
PID:4608

C:\Windows\SysWOW64\Ojahajeo.exe
C:\Windows\system32\Ojahajeo.exe
77⤵
- Drops file in System32 directory
- Modifies registry class
PID:4492

C:\Windows\SysWOW64\Opkand32.exe
C:\Windows\system32\Opkand32.exe
78⤵
- Modifies registry class
PID:4628

C:\Windows\SysWOW64\Ocjmjp32.exe
C:\Windows\system32\Ocjmjp32.exe
79⤵
PID:4708

C:\Windows\SysWOW64\Ojcefjbl.exe
C:\Windows\system32\Ojcefjbl.exe
80⤵
PID:4568

C:\Windows\SysWOW64\Opnncd32.exe
C:\Windows\system32\Opnncd32.exe
81⤵
- Modifies registry class
PID:4852

C:\Windows\SysWOW64\Ojfblj32.exe
C:\Windows\system32\Ojfblj32.exe
82⤵
PID:4932

C:\Windows\SysWOW64\Pqpjidhf.exe
C:\Windows\system32\Pqpjidhf.exe
83⤵
PID:5012

C:\Windows\SysWOW64\Pcnfeogj.exe
C:\Windows\system32\Pcnfeogj.exe
84⤵
- Drops file in System32 directory
PID:5092

C:\Windows\SysWOW64\Pjhoai32.exe
C:\Windows\system32\Pjhoai32.exe
85⤵
PID:2460

C:\Windows\SysWOW64\Pqbgncfc.exe
C:\Windows\system32\Pqbgncfc.exe
86⤵
PID:5136

C:\Windows\SysWOW64\Pdncob32.exe
C:\Windows\system32\Pdncob32.exe
87⤵
- Modifies registry class
PID:5152

C:\Windows\SysWOW64\Pgloknnp.exe
C:\Windows\system32\Pgloknnp.exe
88⤵
- Drops file in System32 directory
- Modifies registry class
PID:5168

C:\Windows\SysWOW64\Pjkkgimd.exe
C:\Windows\system32\Pjkkgimd.exe
89⤵
PID:5184

C:\Windows\SysWOW64\Plihcdlh.exe
C:\Windows\system32\Plihcdlh.exe
90⤵
- Modifies registry class
PID:5200

C:\Windows\SysWOW64\Pdppdblj.exe
C:\Windows\system32\Pdppdblj.exe
91⤵
- Modifies registry class
PID:5216

C:\Windows\SysWOW64\Pgolqmkn.exe
C:\Windows\system32\Pgolqmkn.exe
92⤵
PID:5232

C:\Windows\SysWOW64\Pjmhmika.exe
C:\Windows\system32\Pjmhmika.exe
93⤵
- Drops file in System32 directory
PID:5248

C:\Windows\SysWOW64\Pnhdmg32.exe
C:\Windows\system32\Pnhdmg32.exe
94⤵
- Drops file in System32 directory
PID:5264

C:\Windows\SysWOW64\Pdbljajg.exe
C:\Windows\system32\Pdbljajg.exe
95⤵
PID:5280

C:\Windows\SysWOW64\Pcemen32.exe
C:\Windows\system32\Pcemen32.exe
96⤵
PID:5296

C:\Windows\SysWOW64\Pfdibj32.exe
C:\Windows\system32\Pfdibj32.exe
97⤵
PID:5312

C:\Windows\SysWOW64\Pnkacgah.exe
C:\Windows\system32\Pnkacgah.exe
98⤵
- Modifies registry class
PID:5328

C:\Windows\SysWOW64\Pqimobpk.exe
C:\Windows\system32\Pqimobpk.exe
99⤵
PID:5344

C:\Windows\SysWOW64\Pgcelm32.exe
C:\Windows\system32\Pgcelm32.exe
100⤵
PID:5360

C:\Windows\SysWOW64\Pjaahh32.exe
C:\Windows\system32\Pjaahh32.exe
101⤵
PID:5376

C:\Windows\SysWOW64\Qmpndc32.exe
C:\Windows\system32\Qmpndc32.exe
102⤵
PID:5392

C:\Windows\SysWOW64\Qdgfea32.exe
C:\Windows\system32\Qdgfea32.exe
103⤵
PID:5412

C:\Windows\SysWOW64\Qfhbmilp.exe
C:\Windows\system32\Qfhbmilp.exe
104⤵
PID:5424

C:\Windows\SysWOW64\Qnpjnf32.exe
C:\Windows\system32\Qnpjnf32.exe
105⤵
PID:5444

C:\Windows\SysWOW64\Qqnfjb32.exe
C:\Windows\system32\Qqnfjb32.exe
106⤵
PID:5460

C:\Windows\SysWOW64\Qclbfm32.exe
C:\Windows\system32\Qclbfm32.exe
107⤵
PID:5476

C:\Windows\SysWOW64\Qfkobi32.exe
C:\Windows\system32\Qfkobi32.exe
108⤵
PID:5492

C:\Windows\SysWOW64\Anbgcf32.exe
C:\Windows\system32\Anbgcf32.exe
109⤵
- Drops file in System32 directory
PID:5508

C:\Windows\SysWOW64\Aqpcpa32.exe
C:\Windows\system32\Aqpcpa32.exe
110⤵
PID:5524

C:\Windows\SysWOW64\Acoolm32.exe
C:\Windows\system32\Acoolm32.exe
111⤵
- Modifies registry class
PID:5540

C:\Windows\SysWOW64\Afmlhh32.exe
C:\Windows\system32\Afmlhh32.exe
112⤵
PID:5556

C:\Windows\SysWOW64\Andcif32.exe
C:\Windows\system32\Andcif32.exe
113⤵
- Drops file in System32 directory
PID:5572

C:\Windows\SysWOW64\Adnlfp32.exe
C:\Windows\system32\Adnlfp32.exe
114⤵
- Modifies registry class
PID:5588

C:\Windows\SysWOW64\Agmhbk32.exe
C:\Windows\system32\Agmhbk32.exe
115⤵
- Modifies registry class
PID:5612

C:\Windows\SysWOW64\Ajkdng32.exe
C:\Windows\system32\Ajkdng32.exe
116⤵
- Drops file in System32 directory
PID:5648

C:\Windows\SysWOW64\Amiqjb32.exe
C:\Windows\system32\Amiqjb32.exe
117⤵
PID:5672

C:\Windows\SysWOW64\Adqikp32.exe
C:\Windows\system32\Adqikp32.exe
118⤵
PID:5716

C:\Windows\SysWOW64\Afbechde.exe
C:\Windows\system32\Afbechde.exe
119⤵
- Drops file in System32 directory
PID:5736

C:\Windows\SysWOW64\Animdedh.exe
C:\Windows\system32\Animdedh.exe
120⤵
- Modifies registry class
PID:5752

C:\Windows\SysWOW64\Aqgipq32.exe
C:\Windows\system32\Aqgipq32.exe
121⤵
PID:5768

C:\Windows\SysWOW64\Acfeml32.exe
C:\Windows\system32\Acfeml32.exe
122⤵
PID:5784

C:\Windows\SysWOW64\Afdbig32.exe
C:\Windows\system32\Afdbig32.exe
123⤵
- Drops file in System32 directory
PID:5800

C:\Windows\SysWOW64\Aqjffp32.exe
C:\Windows\system32\Aqjffp32.exe
124⤵
PID:5816

C:\Windows\SysWOW64\Achbbl32.exe
C:\Windows\system32\Achbbl32.exe
125⤵
- Modifies registry class
PID:5832

C:\Windows\SysWOW64\Agcnbjif.exe
C:\Windows\system32\Agcnbjif.exe
126⤵
PID:5848

C:\Windows\SysWOW64\Bjbjofhi.exe
C:\Windows\system32\Bjbjofhi.exe
127⤵
- Drops file in System32 directory
- Modifies registry class
PID:5868

C:\Windows\SysWOW64\Bqlbkp32.exe
C:\Windows\system32\Bqlbkp32.exe
128⤵
- Drops file in System32 directory
PID:5884

C:\Windows\SysWOW64\Bgfkhj32.exe
C:\Windows\system32\Bgfkhj32.exe
129⤵
PID:5900

C:\Windows\SysWOW64\Baqlfola.exe
C:\Windows\system32\Baqlfola.exe
130⤵
PID:5916

C:\Windows\SysWOW64\Bfndof32.exe
C:\Windows\system32\Bfndof32.exe
131⤵
- Modifies registry class
PID:5932

C:\Windows\SysWOW64\Bmgmlpae.exe
C:\Windows\system32\Bmgmlpae.exe
132⤵
- Drops file in System32 directory
PID:5952

C:\Windows\SysWOW64\Bcaehj32.exe
C:\Windows\system32\Bcaehj32.exe
133⤵
PID:5968

C:\Windows\SysWOW64\Bngiec32.exe
C:\Windows\system32\Bngiec32.exe
134⤵
PID:5984

C:\Windows\SysWOW64\Beaabmpd.exe
C:\Windows\system32\Beaabmpd.exe
135⤵
- Modifies registry class
PID:6000

C:\Windows\SysWOW64\Cjnjjd32.exe
C:\Windows\system32\Cjnjjd32.exe
136⤵
PID:6016

C:\Windows\SysWOW64\Cecnhm32.exe
C:\Windows\system32\Cecnhm32.exe
137⤵
- Drops file in System32 directory
- Modifies registry class
PID:6032

C:\Windows\SysWOW64\Cfdkpedp.exe
C:\Windows\system32\Cfdkpedp.exe
138⤵
PID:6048

C:\Windows\SysWOW64\Cajomncf.exe
C:\Windows\system32\Cajomncf.exe
139⤵
PID:6064

C:\Windows\SysWOW64\Cfggeebn.exe
C:\Windows\system32\Cfggeebn.exe
140⤵
PID:6080

C:\Windows\SysWOW64\Cmapboij.exe
C:\Windows\system32\Cmapboij.exe
141⤵
PID:6096

C:\Windows\SysWOW64\Cckhoi32.exe
C:\Windows\system32\Cckhoi32.exe
142⤵
PID:6112

C:\Windows\SysWOW64\Cjepkchd.exe
C:\Windows\system32\Cjepkchd.exe
143⤵
- Modifies registry class
PID:6128

C:\Windows\SysWOW64\Caohhm32.exe
C:\Windows\system32\Caohhm32.exe
144⤵
PID:4820

C:\Windows\SysWOW64\Chiqdggn.exe
C:\Windows\system32\Chiqdggn.exe
145⤵
- Drops file in System32 directory
PID:6148

C:\Windows\SysWOW64\Cnciaanj.exe
C:\Windows\system32\Cnciaanj.exe
146⤵
PID:6164

C:\Windows\SysWOW64\Cemanl32.exe
C:\Windows\system32\Cemanl32.exe
147⤵
PID:6180

C:\Windows\SysWOW64\Dfnnfdle.exe
C:\Windows\system32\Dfnnfdle.exe
148⤵
PID:6196

C:\Windows\SysWOW64\Dmhfbn32.exe
C:\Windows\system32\Dmhfbn32.exe
149⤵
PID:6212

C:\Windows\SysWOW64\Ddbnohjo.exe
C:\Windows\system32\Ddbnohjo.exe
150⤵
PID:6228

C:\Windows\SysWOW64\Dngblaje.exe
C:\Windows\system32\Dngblaje.exe
151⤵
- Drops file in System32 directory
- Modifies registry class
PID:6244

C:\Windows\SysWOW64\Dddkeh32.exe
C:\Windows\system32\Dddkeh32.exe
152⤵
PID:6260

C:\Windows\SysWOW64\Djncabpi.exe
C:\Windows\system32\Djncabpi.exe
153⤵
PID:6276

C:\Windows\SysWOW64\Dahknl32.exe
C:\Windows\system32\Dahknl32.exe
154⤵
PID:6292

C:\Windows\SysWOW64\Dhbckfoc.exe
C:\Windows\system32\Dhbckfoc.exe
155⤵
- Drops file in System32 directory
PID:6308

C:\Windows\SysWOW64\Djqpgang.exe
C:\Windows\system32\Djqpgang.exe
156⤵
PID:6324

C:\Windows\SysWOW64\Dajhclec.exe
C:\Windows\system32\Dajhclec.exe
157⤵
- Drops file in System32 directory
- Modifies registry class
PID:6340

C:\Windows\SysWOW64\Ddidpgdg.exe
C:\Windows\system32\Ddidpgdg.exe
158⤵
PID:6356

C:\Windows\SysWOW64\Djclma32.exe
C:\Windows\system32\Djclma32.exe
159⤵
PID:6380

C:\Windows\SysWOW64\Damdikca.exe
C:\Windows\system32\Damdikca.exe
160⤵
- Drops file in System32 directory
PID:6400

C:\Windows\SysWOW64\Edkaegbd.exe
C:\Windows\system32\Edkaegbd.exe
161⤵
PID:6416

C:\Windows\SysWOW64\Eoaebpbj.exe
C:\Windows\system32\Eoaebpbj.exe
162⤵
- Modifies registry class
PID:6432

C:\Windows\SysWOW64\Eekmojjg.exe
C:\Windows\system32\Eekmojjg.exe
163⤵
PID:6448

C:\Windows\SysWOW64\Efljgb32.exe
C:\Windows\system32\Efljgb32.exe
164⤵
PID:6464

C:\Windows\SysWOW64\Emfbdlgb.exe
C:\Windows\system32\Emfbdlgb.exe
165⤵
PID:6480

C:\Windows\SysWOW64\Ehkfaegh.exe
C:\Windows\system32\Ehkfaegh.exe
166⤵
- Drops file in System32 directory
- Modifies registry class
PID:6496

C:\Windows\SysWOW64\Eoeono32.exe
C:\Windows\system32\Eoeono32.exe
167⤵
- Modifies registry class
PID:6512

C:\Windows\SysWOW64\Eepgjieb.exe
C:\Windows\system32\Eepgjieb.exe
168⤵
PID:6528

C:\Windows\SysWOW64\Eklobp32.exe
C:\Windows\system32\Eklobp32.exe
169⤵
- Drops file in System32 directory
PID:6544

C:\Windows\SysWOW64\Emkkok32.exe
C:\Windows\system32\Emkkok32.exe
170⤵
- Modifies registry class
PID:6560

C:\Windows\SysWOW64\Fgemmq32.exe
C:\Windows\system32\Fgemmq32.exe
171⤵
- Modifies registry class
PID:6576

C:\Windows\SysWOW64\Fmoejkoh.exe
C:\Windows\system32\Fmoejkoh.exe
172⤵
PID:6596

C:\Windows\SysWOW64\Fefmkhoj.exe
C:\Windows\system32\Fefmkhoj.exe
173⤵
PID:6612

C:\Windows\SysWOW64\Fkcecona.exe
C:\Windows\system32\Fkcecona.exe
174⤵
PID:6628

C:\Windows\SysWOW64\Famnpi32.exe
C:\Windows\system32\Famnpi32.exe
175⤵
PID:6644

C:\Windows\SysWOW64\Fdljld32.exe
C:\Windows\system32\Fdljld32.exe
176⤵
- Modifies registry class
PID:6660

C:\Windows\SysWOW64\Fkebio32.exe
C:\Windows\system32\Fkebio32.exe
177⤵
- Drops file in System32 directory
PID:6676

C:\Windows\SysWOW64\Fapjehck.exe
C:\Windows\system32\Fapjehck.exe
178⤵
PID:6692

C:\Windows\SysWOW64\Fhibbb32.exe
C:\Windows\system32\Fhibbb32.exe
179⤵
PID:6708

C:\Windows\SysWOW64\Fockombe.exe
C:\Windows\system32\Fockombe.exe
180⤵
PID:6724

C:\Windows\SysWOW64\Fenclg32.exe
C:\Windows\system32\Fenclg32.exe
181⤵
PID:6740

C:\Windows\SysWOW64\Fgopcoop.exe
C:\Windows\system32\Fgopcoop.exe
182⤵
PID:6756

C:\Windows\SysWOW64\Fnihpigm.exe
C:\Windows\system32\Fnihpigm.exe
183⤵
- Drops file in System32 directory
PID:6772

C:\Windows\SysWOW64\Gdbpmc32.exe
C:\Windows\system32\Gdbpmc32.exe
184⤵
- Drops file in System32 directory
PID:6788

C:\Windows\SysWOW64\Gohdjl32.exe
C:\Windows\system32\Gohdjl32.exe
185⤵
- Drops file in System32 directory
PID:6804

C:\Windows\SysWOW64\Geblgfem.exe
C:\Windows\system32\Geblgfem.exe
186⤵
PID:6820

C:\Windows\SysWOW64\Gkoeomcd.exe
C:\Windows\system32\Gkoeomcd.exe
187⤵
- Modifies registry class
PID:6836

C:\Windows\SysWOW64\Gkaadm32.exe
C:\Windows\system32\Gkaadm32.exe
188⤵
- Drops file in System32 directory
PID:6852

C:\Windows\SysWOW64\Gakjagin.exe
C:\Windows\system32\Gakjagin.exe
189⤵
PID:6868

C:\Windows\SysWOW64\Gdjfnbhb.exe
C:\Windows\system32\Gdjfnbhb.exe
190⤵
- Drops file in System32 directory
PID:6884

C:\Windows\SysWOW64\Gkcnjl32.exe
C:\Windows\system32\Gkcnjl32.exe
191⤵
PID:6900

C:\Windows\SysWOW64\Ganfgf32.exe
C:\Windows\system32\Ganfgf32.exe
192⤵
PID:6916

C:\Windows\SysWOW64\Gdlccb32.exe
C:\Windows\system32\Gdlccb32.exe
193⤵
- Drops file in System32 directory
PID:6932

C:\Windows\SysWOW64\Ggjoom32.exe
C:\Windows\system32\Ggjoom32.exe
194⤵
PID:6948

C:\Windows\SysWOW64\Hndglgmp.exe
C:\Windows\system32\Hndglgmp.exe
195⤵
- Drops file in System32 directory
PID:6964

C:\Windows\SysWOW64\Hdnpia32.exe
C:\Windows\system32\Hdnpia32.exe
196⤵
- Drops file in System32 directory
PID:6980

C:\Windows\SysWOW64\Hgmlem32.exe
C:\Windows\system32\Hgmlem32.exe
197⤵
PID:6996

C:\Windows\SysWOW64\Habpbf32.exe
C:\Windows\system32\Habpbf32.exe
198⤵
PID:7012

C:\Windows\SysWOW64\Hgohjman.exe
C:\Windows\system32\Hgohjman.exe
199⤵
- Modifies registry class
PID:7028

C:\Windows\SysWOW64\Hniqgg32.exe
C:\Windows\system32\Hniqgg32.exe
200⤵
PID:7044

C:\Windows\SysWOW64\Hhoedp32.exe
C:\Windows\system32\Hhoedp32.exe
201⤵
PID:7060

C:\Windows\SysWOW64\Hkmaqk32.exe
C:\Windows\system32\Hkmaqk32.exe
202⤵
PID:7076

C:\Windows\SysWOW64\Hdeeiqnd.exe
C:\Windows\system32\Hdeeiqnd.exe
203⤵
PID:7092

C:\Windows\SysWOW64\Hkonfkea.exe
C:\Windows\system32\Hkonfkea.exe
204⤵
PID:7108

C:\Windows\SysWOW64\Hfebcceg.exe
C:\Windows\system32\Hfebcceg.exe
205⤵
PID:7124

C:\Windows\SysWOW64\Hgfokl32.exe
C:\Windows\system32\Hgfokl32.exe
206⤵
- Drops file in System32 directory
- Modifies registry class
PID:7140

C:\Windows\SysWOW64\Inpghfbb.exe
C:\Windows\system32\Inpghfbb.exe
207⤵
- Drops file in System32 directory
PID:7156

C:\Windows\SysWOW64\Idjodp32.exe
C:\Windows\system32\Idjodp32.exe
208⤵
PID:3504

C:\Windows\SysWOW64\Iopcaiie.exe
C:\Windows\system32\Iopcaiie.exe
209⤵
- Drops file in System32 directory
PID:3704

C:\Windows\SysWOW64\Ibnpndii.exe
C:\Windows\system32\Ibnpndii.exe
210⤵
PID:1724

C:\Windows\SysWOW64\Ihhhjn32.exe
C:\Windows\system32\Ihhhjn32.exe
211⤵
PID:588

C:\Windows\SysWOW64\Ikfdgj32.exe
C:\Windows\system32\Ikfdgj32.exe
212⤵
- Drops file in System32 directory
PID:736

C:\Windows\SysWOW64\Iobpghgb.exe
C:\Windows\system32\Iobpghgb.exe
213⤵
PID:784

C:\Windows\SysWOW64\Ibplcdff.exe
C:\Windows\system32\Ibplcdff.exe
214⤵
PID:7180

C:\Windows\SysWOW64\Ikiqlimg.exe
C:\Windows\system32\Ikiqlimg.exe
215⤵
PID:7196

C:\Windows\SysWOW64\Ingmhelj.exe
C:\Windows\system32\Ingmhelj.exe
216⤵
PID:7212

C:\Windows\SysWOW64\Ifneibmm.exe
C:\Windows\system32\Ifneibmm.exe
217⤵
PID:7228

C:\Windows\SysWOW64\Ihmaenlp.exe
C:\Windows\system32\Ihmaenlp.exe
218⤵
- Modifies registry class
PID:7244

C:\Windows\SysWOW64\Ikkmaikd.exe
C:\Windows\system32\Ikkmaikd.exe
219⤵
PID:7260

C:\Windows\SysWOW64\Inijndjh.exe
C:\Windows\system32\Inijndjh.exe
220⤵
- Drops file in System32 directory
- Modifies registry class
PID:7276

C:\Windows\SysWOW64\Ifqaobkj.exe
C:\Windows\system32\Ifqaobkj.exe
221⤵
PID:7292

C:\Windows\SysWOW64\Iionkmjn.exe
C:\Windows\system32\Iionkmjn.exe
222⤵
PID:7308

C:\Windows\SysWOW64\Ikmjgiia.exe
C:\Windows\system32\Ikmjgiia.exe
223⤵
- Drops file in System32 directory
PID:7332

C:\Windows\SysWOW64\Jnlfcd32.exe
C:\Windows\system32\Jnlfcd32.exe
224⤵
PID:7372

C:\Windows\SysWOW64\Jfcnda32.exe
C:\Windows\system32\Jfcnda32.exe
225⤵
PID:7388

C:\Windows\SysWOW64\Jiakqm32.exe
C:\Windows\system32\Jiakqm32.exe
226⤵
- Drops file in System32 directory
- Modifies registry class
PID:7400

C:\Windows\SysWOW64\Jkpgmh32.exe
C:\Windows\system32\Jkpgmh32.exe
227⤵
PID:7420

C:\Windows\SysWOW64\Jokcmgoh.exe
C:\Windows\system32\Jokcmgoh.exe
228⤵
- Modifies registry class
PID:7436

C:\Windows\SysWOW64\Jfekja32.exe
C:\Windows\system32\Jfekja32.exe
229⤵
PID:7452

C:\Windows\SysWOW64\Jonpcgme.exe
C:\Windows\system32\Jonpcgme.exe
230⤵
PID:7468

C:\Windows\SysWOW64\Jfjdeqbo.exe
C:\Windows\system32\Jfjdeqbo.exe
231⤵
- Drops file in System32 directory
PID:7484

C:\Windows\SysWOW64\Jihqalbc.exe
C:\Windows\system32\Jihqalbc.exe
232⤵
PID:7500

C:\Windows\SysWOW64\Jobinf32.exe
C:\Windows\system32\Jobinf32.exe
233⤵
PID:7516

C:\Windows\SysWOW64\Jbaejahc.exe
C:\Windows\system32\Jbaejahc.exe
234⤵
- Drops file in System32 directory
PID:7532

C:\Windows\SysWOW64\Jikmgl32.exe
C:\Windows\system32\Jikmgl32.exe
235⤵
PID:7548

C:\Windows\SysWOW64\Kngfob32.exe
C:\Windows\system32\Kngfob32.exe
236⤵
- Drops file in System32 directory
PID:7564

C:\Windows\SysWOW64\Keanlmed.exe
C:\Windows\system32\Keanlmed.exe
237⤵
PID:7580

C:\Windows\SysWOW64\Kpgbieej.exe
C:\Windows\system32\Kpgbieej.exe
238⤵
- Drops file in System32 directory
- Modifies registry class
PID:7596

C:\Windows\SysWOW64\Kbeoeadn.exe
C:\Windows\system32\Kbeoeadn.exe
239⤵
PID:7612

C:\Windows\SysWOW64\Kkncnfko.exe
C:\Windows\system32\Kkncnfko.exe
240⤵
PID:7628

C:\Windows\SysWOW64\Kbhkkq32.exe
C:\Windows\system32\Kbhkkq32.exe
241⤵
- Drops file in System32 directory
- Modifies registry class
PID:7644

C:\Windows\SysWOW64\Kefggl32.exe
C:\Windows\system32\Kefggl32.exe
242⤵
- Modifies registry class
PID:7660

C:\Windows\SysWOW64\Kgddcg32.exe
C:\Windows\system32\Kgddcg32.exe
243⤵
PID:7676

C:\Windows\SysWOW64\Kbjhqp32.exe
C:\Windows\system32\Kbjhqp32.exe
244⤵
PID:7692

C:\Windows\SysWOW64\Kggqigop.exe
C:\Windows\system32\Kggqigop.exe
245⤵
PID:7708

C:\Windows\SysWOW64\Kbmefpnf.exe
C:\Windows\system32\Kbmefpnf.exe
246⤵
PID:7724

C:\Windows\SysWOW64\Kifmbj32.exe
C:\Windows\system32\Kifmbj32.exe
247⤵
- Modifies registry class
PID:7740

C:\Windows\SysWOW64\Lpqeodmp.exe
C:\Windows\system32\Lpqeodmp.exe
248⤵
PID:7756

C:\Windows\SysWOW64\Lfjmln32.exe
C:\Windows\system32\Lfjmln32.exe
249⤵
PID:7772

C:\Windows\SysWOW64\Lhljdf32.exe
C:\Windows\system32\Lhljdf32.exe
250⤵
- Modifies registry class
PID:7788

C:\Windows\SysWOW64\Lpcbed32.exe
C:\Windows\system32\Lpcbed32.exe
251⤵
- Modifies registry class
PID:7804

C:\Windows\SysWOW64\Lfmjanbj.exe
C:\Windows\system32\Lfmjanbj.exe
252⤵
PID:7820

C:\Windows\SysWOW64\Lhnfif32.exe
C:\Windows\system32\Lhnfif32.exe
253⤵
- Drops file in System32 directory
PID:7836

C:\Windows\SysWOW64\Lpeojc32.exe
C:\Windows\system32\Lpeojc32.exe
254⤵
- Drops file in System32 directory
PID:7852

C:\Windows\SysWOW64\Lbckfo32.exe
C:\Windows\system32\Lbckfo32.exe
255⤵
PID:7868

C:\Windows\SysWOW64\Lebgcj32.exe
C:\Windows\system32\Lebgcj32.exe
256⤵
- Drops file in System32 directory
- Modifies registry class
PID:7884

C:\Windows\SysWOW64\Lnjllp32.exe
C:\Windows\system32\Lnjllp32.exe
257⤵
PID:7900

C:\Windows\SysWOW64\Lfacmm32.exe
C:\Windows\system32\Lfacmm32.exe
258⤵
- Modifies registry class
PID:7916

C:\Windows\SysWOW64\Lippii32.exe
C:\Windows\system32\Lippii32.exe
259⤵
PID:7932

C:\Windows\SysWOW64\Lhbpdedc.exe
C:\Windows\system32\Lhbpdedc.exe
260⤵
PID:7948

C:\Windows\SysWOW64\Lpjhecee.exe
C:\Windows\system32\Lpjhecee.exe
261⤵
PID:7964

C:\Windows\SysWOW64\Lbhdandi.exe
C:\Windows\system32\Lbhdandi.exe
262⤵
PID:7980

C:\Windows\SysWOW64\Mhemjebp.exe
C:\Windows\system32\Mhemjebp.exe
263⤵
- Drops file in System32 directory
- Modifies registry class
PID:7996

C:\Windows\SysWOW64\Mooegojm.exe
C:\Windows\system32\Mooegojm.exe
264⤵
- Drops file in System32 directory
- Modifies registry class
PID:8012

C:\Windows\SysWOW64\Mffmhmjo.exe
C:\Windows\system32\Mffmhmjo.exe
265⤵
PID:8028

C:\Windows\SysWOW64\Mhgipe32.exe
C:\Windows\system32\Mhgipe32.exe
266⤵
PID:8044

C:\Windows\SysWOW64\Moaalohj.exe
C:\Windows\system32\Moaalohj.exe
267⤵
PID:8060

C:\Windows\SysWOW64\Mekjii32.exe
C:\Windows\system32\Mekjii32.exe
268⤵
- Modifies registry class
PID:8076

C:\Windows\SysWOW64\Mlebfcfd.exe
C:\Windows\system32\Mlebfcfd.exe
269⤵
- Drops file in System32 directory
PID:8092

C:\Windows\SysWOW64\Mbojbmna.exe
C:\Windows\system32\Mbojbmna.exe
270⤵
- Modifies registry class
PID:8108

C:\Windows\SysWOW64\Menfoimd.exe
C:\Windows\system32\Menfoimd.exe
271⤵
PID:8124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8124 -s 392
272⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8176

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bddihpjk.exe
MD5
a099e8c0cae1e3872cd7334a0d4643ff

SHA1
39c45b46fdacbf2121d2d77f07aaf171d161a450

SHA256
6738c819ddf1ec11884ed1754929bc931bdfdacc0ee82fcd72d0d4938541dd32

SHA512
89fb0b50aed24fc5302e2623233c8f9652b002f552d015578e7ad5c086070ed28f08f3beb7d79da4929823de8da74b0fb1224f841013502f01db5efae6f303f6

Download Submit
C:\Windows\SysWOW64\Bddihpjk.exe
MD5
a099e8c0cae1e3872cd7334a0d4643ff

SHA1
39c45b46fdacbf2121d2d77f07aaf171d161a450

SHA256
6738c819ddf1ec11884ed1754929bc931bdfdacc0ee82fcd72d0d4938541dd32

SHA512
89fb0b50aed24fc5302e2623233c8f9652b002f552d015578e7ad5c086070ed28f08f3beb7d79da4929823de8da74b0fb1224f841013502f01db5efae6f303f6

Download Submit
C:\Windows\SysWOW64\Bhnhcodg.exe
MD5
412bf0bf66dcc1bdb05f257b5c52874f

SHA1
50e37e8bec5c902f015cc8ef46e40aa04ae7cb03

SHA256
4380655e0b723d3d5c2fc147064e3560d1e5b507bdbd0acf76d3e1d749a06b4b

SHA512
a7a31f2668005edaef054a1408b326b03d45eddd399de479d5fd4067e9ab94de543206713656b0e3d6e17ecc9782ade306522ab0176cb34cae10f983962df483

Download Submit
C:\Windows\SysWOW64\Bhnhcodg.exe
MD5
412bf0bf66dcc1bdb05f257b5c52874f

SHA1
50e37e8bec5c902f015cc8ef46e40aa04ae7cb03

SHA256
4380655e0b723d3d5c2fc147064e3560d1e5b507bdbd0acf76d3e1d749a06b4b

SHA512
a7a31f2668005edaef054a1408b326b03d45eddd399de479d5fd4067e9ab94de543206713656b0e3d6e17ecc9782ade306522ab0176cb34cae10f983962df483

Download Submit
C:\Windows\SysWOW64\Cedebc32.exe
MD5
8a286d6670ed1d570981d1ddd2d524b9

SHA1
55d3653f8a6c532d86b22d8237c5097c5d1aed74

SHA256
52cdda7a976f9fd9786b0cf26bd795218b5ce260387d52ad63b5d0fe4fbb4989

SHA512
a13d07dec4ea41a35f92d7e303e1746923a9314e9e37ddd78eff59ad69e120c8f7f8e1c7d0fda3bf80bf509aedd387b287a7dc44bf4c2f9aa54f6e4d59e0f526

Download Submit
C:\Windows\SysWOW64\Cedebc32.exe
MD5
8a286d6670ed1d570981d1ddd2d524b9

SHA1
55d3653f8a6c532d86b22d8237c5097c5d1aed74

SHA256
52cdda7a976f9fd9786b0cf26bd795218b5ce260387d52ad63b5d0fe4fbb4989

SHA512
a13d07dec4ea41a35f92d7e303e1746923a9314e9e37ddd78eff59ad69e120c8f7f8e1c7d0fda3bf80bf509aedd387b287a7dc44bf4c2f9aa54f6e4d59e0f526

Download Submit
C:\Windows\SysWOW64\Cefbhcpk.exe
MD5
c58cb7c61e875ecd892223bd6a79a4ba

SHA1
929fbe23c62854b66be282a27f39b85d54c4632a

SHA256
68472fc9eca1bad9508c8ca1d26a6f1e1c1996961a87247480a4e02486018aec

SHA512
7c5ef3949840636c7f6291db584bb82108a7473cf9b098febb1fddcdb227ea1ffe8e7e8c542dbeaa19d897bc9d75669f75ce30e2ad4ccd072efe790ab14347b3

Download Submit
C:\Windows\SysWOW64\Cefbhcpk.exe
MD5
c58cb7c61e875ecd892223bd6a79a4ba

SHA1
929fbe23c62854b66be282a27f39b85d54c4632a

SHA256
68472fc9eca1bad9508c8ca1d26a6f1e1c1996961a87247480a4e02486018aec

SHA512
7c5ef3949840636c7f6291db584bb82108a7473cf9b098febb1fddcdb227ea1ffe8e7e8c542dbeaa19d897bc9d75669f75ce30e2ad4ccd072efe790ab14347b3

Download Submit
C:\Windows\SysWOW64\Ceiombmh.exe
MD5
e336e031a0b349081d096f34eab6b57f

SHA1
84206fc5862ba0086350905ba75bca25741af9e1

SHA256
050222ad8d8d0b7e9949f19f3c6e4083af03fd0a673af3ba8b5ebb63fe06a541

SHA512
37f4a666e007878f047fb8809a4cfc58962bf0bd7c4f60b7bdbbb6c502c22fdde7bfdc85c739c0edb046f384d834c3afcf52d24c80a98123216ef816132197ac

Download Submit
C:\Windows\SysWOW64\Ceiombmh.exe
MD5
e336e031a0b349081d096f34eab6b57f

SHA1
84206fc5862ba0086350905ba75bca25741af9e1

SHA256
050222ad8d8d0b7e9949f19f3c6e4083af03fd0a673af3ba8b5ebb63fe06a541

SHA512
37f4a666e007878f047fb8809a4cfc58962bf0bd7c4f60b7bdbbb6c502c22fdde7bfdc85c739c0edb046f384d834c3afcf52d24c80a98123216ef816132197ac

Download Submit
C:\Windows\SysWOW64\Cjcjpjnb.exe
MD5
b5e9b0ed8a41e2deff0ef0b97f983dbb

SHA1
c325160356dfb9868e95939f5791d8c2a9a3bbb7

SHA256
64b38c36926a758d94f8860f766afb49dca1e10a3683ad9f81a03e58f640f8a5

SHA512
8217b0a927379d33b19efa3355f202f96ba59aaa84271efd3ed7315d8808754e872f3496d33ca41acfcac06894dffc7cde39d06f7fd33ba3b808ced4f4ff604f

Download Submit
C:\Windows\SysWOW64\Cjcjpjnb.exe
MD5
b5e9b0ed8a41e2deff0ef0b97f983dbb

SHA1
c325160356dfb9868e95939f5791d8c2a9a3bbb7

SHA256
64b38c36926a758d94f8860f766afb49dca1e10a3683ad9f81a03e58f640f8a5

SHA512
8217b0a927379d33b19efa3355f202f96ba59aaa84271efd3ed7315d8808754e872f3496d33ca41acfcac06894dffc7cde39d06f7fd33ba3b808ced4f4ff604f

Download Submit
C:\Windows\SysWOW64\Clecplcb.exe
MD5
345b717552eca8a91c8d1f2ff5e003e7

SHA1
720bd8cc53561b267374e0b271471d608e199b67

SHA256
28c8207a75068b98992a1be9c3884294be7d0fe9895dcd5ea2501ac82125fe0d

SHA512
d11532eba73c4d603b69da6c1c176a66dcba21607299bc19d9b498622af2b752d4442d74539e8e8221bcbb3c509dfcd4d8eb9186464a069914923290aed9ba4c

Download Submit
C:\Windows\SysWOW64\Clecplcb.exe
MD5
345b717552eca8a91c8d1f2ff5e003e7

SHA1
720bd8cc53561b267374e0b271471d608e199b67

SHA256
28c8207a75068b98992a1be9c3884294be7d0fe9895dcd5ea2501ac82125fe0d

SHA512
d11532eba73c4d603b69da6c1c176a66dcba21607299bc19d9b498622af2b752d4442d74539e8e8221bcbb3c509dfcd4d8eb9186464a069914923290aed9ba4c

Download Submit
C:\Windows\SysWOW64\Coacfh32.exe
MD5
3ed8d29f670a2815f03f82b3b4e45d17

SHA1
7954a1aa861d02d0486532b01654123506c20e0e

SHA256
c6beeca43593c0b9524a9b2cce2e6c071c372b350f8f870bc7907979cbd43c57

SHA512
8dad5dcb564744abae194efd6ee1239ca0cf0260a14a9b829cc6066c7386dbeb4ff2d807b9bd42921b870bf31565d10b3de20ceefde3bc33e7d3e0a3b6bb3849

Download Submit
C:\Windows\SysWOW64\Coacfh32.exe
MD5
3ed8d29f670a2815f03f82b3b4e45d17

SHA1
7954a1aa861d02d0486532b01654123506c20e0e

SHA256
c6beeca43593c0b9524a9b2cce2e6c071c372b350f8f870bc7907979cbd43c57

SHA512
8dad5dcb564744abae194efd6ee1239ca0cf0260a14a9b829cc6066c7386dbeb4ff2d807b9bd42921b870bf31565d10b3de20ceefde3bc33e7d3e0a3b6bb3849

Download Submit
C:\Windows\SysWOW64\Coljkihn.exe
MD5
8b3f79321b031ed3bd95a7a0567a2681

SHA1
085ac0dd2071f1d66b7b486a00baa128dcbcb0fd

SHA256
27e267d8a23199b021dbb39e58cf781a94dcda117ab5dcd320763637a1f37939

SHA512
63905fe0850af6e9c4647990e5efe042e584bb89a51668621c60191d7238e75debeeff1f5ef48d92593798712f1785307202cdbeb632e8d89ce0d2210e9d54e9

Download Submit
C:\Windows\SysWOW64\Coljkihn.exe
MD5
8b3f79321b031ed3bd95a7a0567a2681

SHA1
085ac0dd2071f1d66b7b486a00baa128dcbcb0fd

SHA256
27e267d8a23199b021dbb39e58cf781a94dcda117ab5dcd320763637a1f37939

SHA512
63905fe0850af6e9c4647990e5efe042e584bb89a51668621c60191d7238e75debeeff1f5ef48d92593798712f1785307202cdbeb632e8d89ce0d2210e9d54e9

Download Submit
C:\Windows\SysWOW64\Dooogfhi.exe
MD5
413086d162055fc1199d0188fc01c1d8

SHA1
f912b30ad624fca1a9a75fe457c64a2ecb0acfc2

SHA256
2e565402bb5312cc39214e751564d9e62f3e96c8fff6c1e32b7b59135732ce7a

SHA512
a004641b22fecdb65926b57d558ac1b442e24e2286a91a0dc21f4eab0a2196b23dbe618f12041b574f888ef30400534251b7c75367ef60c8fab19c4aad786096

Download Submit
C:\Windows\SysWOW64\Dooogfhi.exe
MD5
413086d162055fc1199d0188fc01c1d8

SHA1
f912b30ad624fca1a9a75fe457c64a2ecb0acfc2

SHA256
2e565402bb5312cc39214e751564d9e62f3e96c8fff6c1e32b7b59135732ce7a

SHA512
a004641b22fecdb65926b57d558ac1b442e24e2286a91a0dc21f4eab0a2196b23dbe618f12041b574f888ef30400534251b7c75367ef60c8fab19c4aad786096

Download Submit
C:\Windows\SysWOW64\Elelfj32.exe
MD5
d8b78a8085cc4c8caebe126d6632e67e

SHA1
ec217b75bf509b615fc9343cb9bf2c31098abf81

SHA256
e2a25d864658355febc347a91056079b30ef89fcfc9dc17b0e535d206a8c626f

SHA512
41eb344014f8cfe239fb648d25c27f96f4ece7f9f4780e65cc39a20362907f149ed6788c525f34341a0c5837a7ccd57a9dc9c15ce44d8096c6165b0793b84911

Download Submit
C:\Windows\SysWOW64\Elelfj32.exe
MD5
d8b78a8085cc4c8caebe126d6632e67e

SHA1
ec217b75bf509b615fc9343cb9bf2c31098abf81

SHA256
e2a25d864658355febc347a91056079b30ef89fcfc9dc17b0e535d206a8c626f

SHA512
41eb344014f8cfe239fb648d25c27f96f4ece7f9f4780e65cc39a20362907f149ed6788c525f34341a0c5837a7ccd57a9dc9c15ce44d8096c6165b0793b84911

Download Submit
C:\Windows\SysWOW64\Eoalmf32.exe
MD5
deed63d4749cb3f1ed18c7175e0cc17d

SHA1
de350acd23edb0d0cd74c795fa52822cf90182d3

SHA256
1290f73d5be6fedc19e6f1cde2433aab3e49faa6c254c70396f946cd980af064

SHA512
801fa9f6076ecb8b22ee0ebe95749533b8beadce11803eef773c619cfd0b3c53edbb37c539910f7331c5a1301ed46dd8aeb2ec51390b38152236975874c7a039

Download Submit
C:\Windows\SysWOW64\Eoalmf32.exe
MD5
deed63d4749cb3f1ed18c7175e0cc17d

SHA1
de350acd23edb0d0cd74c795fa52822cf90182d3

SHA256
1290f73d5be6fedc19e6f1cde2433aab3e49faa6c254c70396f946cd980af064

SHA512
801fa9f6076ecb8b22ee0ebe95749533b8beadce11803eef773c619cfd0b3c53edbb37c539910f7331c5a1301ed46dd8aeb2ec51390b38152236975874c7a039

Download Submit
C:\Windows\SysWOW64\Fapapogg.exe
MD5
b3fab02b979a5f649241b8e99e3140f1

SHA1
ef04b6b6f20176ba492892dbc2e6a2ff71c301fc

SHA256
09bdb2fc187f4a81f1816e8bb6d97804bee3a95207608934c0563cf19a5da3e8

SHA512
0437ba35ba7d59cabb824887a577a9c426a186347fedd47f98b1d6fdcec1cc1526b944bce10aac5d94b3edf67930a1eb72fc6e24c3f2b60267c8caee93b2ebab

Download Submit
C:\Windows\SysWOW64\Fapapogg.exe
MD5
b3fab02b979a5f649241b8e99e3140f1

SHA1
ef04b6b6f20176ba492892dbc2e6a2ff71c301fc

SHA256
09bdb2fc187f4a81f1816e8bb6d97804bee3a95207608934c0563cf19a5da3e8

SHA512
0437ba35ba7d59cabb824887a577a9c426a186347fedd47f98b1d6fdcec1cc1526b944bce10aac5d94b3edf67930a1eb72fc6e24c3f2b60267c8caee93b2ebab

Download Submit
C:\Windows\SysWOW64\Fdlqgkhn.exe
MD5
e8dd24ae0bbcc118d25a489bf8741841

SHA1
7ea3798936fdf8510b98299949e449f7a19ae568

SHA256
3e34804c6952607217773cd3ccd5f27eeabddc7d7382e3b15f7c5c81af9f2bc0

SHA512
19739942a60158c851a39c82d70e91f3d22bc87f9b8d3923fbd192c4b7d171309446cbc26d0f5c1b0e7886bb3a0fa4f174b1e9bf89b48f2b5d9b355b49f6c7c4

Download Submit
C:\Windows\SysWOW64\Fdlqgkhn.exe
MD5
e8dd24ae0bbcc118d25a489bf8741841

SHA1
7ea3798936fdf8510b98299949e449f7a19ae568

SHA256
3e34804c6952607217773cd3ccd5f27eeabddc7d7382e3b15f7c5c81af9f2bc0

SHA512
19739942a60158c851a39c82d70e91f3d22bc87f9b8d3923fbd192c4b7d171309446cbc26d0f5c1b0e7886bb3a0fa4f174b1e9bf89b48f2b5d9b355b49f6c7c4

Download Submit
C:\Windows\SysWOW64\Flfemhfm.exe
MD5
2aa5b252e0e7bda562fb0f7100a58ae0

SHA1
581a5c77848c976e99e991301c58b32d5d4d35b6

SHA256
8cae1f4ebdd13b301d819ee4e2cb57dd71248cd3c143401c08ae69ac7243fcd8

SHA512
7dbfac2c4edc2e7f9082b9f7f093c7ea7ac06106657d52a2535ad5052020026486f708d13cdcc78ef469e30d8d014266163b67802f64306a50612549fbb6ae4e

Download Submit
C:\Windows\SysWOW64\Flfemhfm.exe
MD5
2aa5b252e0e7bda562fb0f7100a58ae0

SHA1
581a5c77848c976e99e991301c58b32d5d4d35b6

SHA256
8cae1f4ebdd13b301d819ee4e2cb57dd71248cd3c143401c08ae69ac7243fcd8

SHA512
7dbfac2c4edc2e7f9082b9f7f093c7ea7ac06106657d52a2535ad5052020026486f708d13cdcc78ef469e30d8d014266163b67802f64306a50612549fbb6ae4e

Download Submit
C:\Windows\SysWOW64\Fophnd32.exe
MD5
16ab1487808b923ad526138ee04b8e36

SHA1
eef0c5b33b19d6a7611b9fbeff49bf61d91f9e22

SHA256
3d2b7c4c561be33d5aa852f6c155df6e2207379af729e7e6f935329379fb26f0

SHA512
1cf37fcc95e2de8d906aaebc7132e9ab8d385f1baf558e4bb6f929a69611c0c2bd5434bc93348839c69a861c15138d9705562284968ff085acbefda84e7d3574

Download Submit
C:\Windows\SysWOW64\Fophnd32.exe
MD5
16ab1487808b923ad526138ee04b8e36

SHA1
eef0c5b33b19d6a7611b9fbeff49bf61d91f9e22

SHA256
3d2b7c4c561be33d5aa852f6c155df6e2207379af729e7e6f935329379fb26f0

SHA512
1cf37fcc95e2de8d906aaebc7132e9ab8d385f1baf558e4bb6f929a69611c0c2bd5434bc93348839c69a861c15138d9705562284968ff085acbefda84e7d3574

Download Submit
C:\Windows\SysWOW64\Gcnjkpaj.exe
MD5
d0d069a02ccbb7ac6abc776d0681f50a

SHA1
08203b227ab6f3f3930628cb035c4426ff552ca7

SHA256
94be5c307cefe51ecb9fa97cbd2ad68c0ab723b2ec3f733549e59362eb2d5e82

SHA512
8c6ae74178244d672cde7ebbd19bf4c838e8097dd22592eafde038ce401515e1333ced05ac10950133ee5d3bd5571bb81326a10c3d0278b914b70f15a3dc43c2

Download Submit
C:\Windows\SysWOW64\Gcnjkpaj.exe
MD5
d0d069a02ccbb7ac6abc776d0681f50a

SHA1
08203b227ab6f3f3930628cb035c4426ff552ca7

SHA256
94be5c307cefe51ecb9fa97cbd2ad68c0ab723b2ec3f733549e59362eb2d5e82

SHA512
8c6ae74178244d672cde7ebbd19bf4c838e8097dd22592eafde038ce401515e1333ced05ac10950133ee5d3bd5571bb81326a10c3d0278b914b70f15a3dc43c2

Download Submit
C:\Windows\SysWOW64\Gdjmhiln.exe
MD5
2a8b51f6fb0d4a52ac9de752a05b4699

SHA1
0d6dd3218dd4356a4e7c2336f413f9f9571e633e

SHA256
c1cb5c7691dd8cc29a4d904ef107653f341a7ef8c54c08b081f63d861e944388

SHA512
b1e22ced617fb124c73d8779f7cab6eb90db5b904970d5a902d90f341993cc1133873b03acd583eed5a674f87850d0a0986b1c7c3fd3a322d9a302cbe3a6878c

Download Submit
C:\Windows\SysWOW64\Gdjmhiln.exe
MD5
2a8b51f6fb0d4a52ac9de752a05b4699

SHA1
0d6dd3218dd4356a4e7c2336f413f9f9571e633e

SHA256
c1cb5c7691dd8cc29a4d904ef107653f341a7ef8c54c08b081f63d861e944388

SHA512
b1e22ced617fb124c73d8779f7cab6eb90db5b904970d5a902d90f341993cc1133873b03acd583eed5a674f87850d0a0986b1c7c3fd3a322d9a302cbe3a6878c

Download Submit
C:\Windows\SysWOW64\Gfjiblcp.exe
MD5
4fc91464c1bcf1ab8a210ab0d80c5c74

SHA1
a39d9fc094ec0df8e49d578a3f35d614a448ab69

SHA256
482f4b9cce70a18b42ea71c7928b2d4cee4ed13452b1f414da4caba29ef57995

SHA512
b73911b9ff165260f1621624cc89a60b3dae70ae2e2d99d335fe9e79e8608550b51ab254f8c5611dc728ef1f1574fbbbd26783d2d7d98ced67a6cd896256ddd6

Download Submit
C:\Windows\SysWOW64\Gfjiblcp.exe
MD5
4fc91464c1bcf1ab8a210ab0d80c5c74

SHA1
a39d9fc094ec0df8e49d578a3f35d614a448ab69

SHA256
482f4b9cce70a18b42ea71c7928b2d4cee4ed13452b1f414da4caba29ef57995

SHA512
b73911b9ff165260f1621624cc89a60b3dae70ae2e2d99d335fe9e79e8608550b51ab254f8c5611dc728ef1f1574fbbbd26783d2d7d98ced67a6cd896256ddd6

Download Submit
C:\Windows\SysWOW64\Gkbhoc32.exe
MD5
e60976c19093cd02009d95fe3d25e99f

SHA1
7972b07e3cb9f1e73edc7aee6ded47f39c9d0f7a

SHA256
92ab3731d5da3178e86e7e873d4f6174d8bfe5a0d497ec3c15e5d2d20a7da2cb

SHA512
82321cbd4812669a015686ccd25ce03928374fe0bd4479fcb50843c10d75c9280f91781446afa20cf94771f59056d3880b1104982a6bb21e202082a063e924cf

Download Submit
C:\Windows\SysWOW64\Gkbhoc32.exe
MD5
e60976c19093cd02009d95fe3d25e99f

SHA1
7972b07e3cb9f1e73edc7aee6ded47f39c9d0f7a

SHA256
92ab3731d5da3178e86e7e873d4f6174d8bfe5a0d497ec3c15e5d2d20a7da2cb

SHA512
82321cbd4812669a015686ccd25ce03928374fe0bd4479fcb50843c10d75c9280f91781446afa20cf94771f59056d3880b1104982a6bb21e202082a063e924cf

Download Submit
C:\Windows\SysWOW64\Gopaea32.exe
MD5
876a7d131bd0f19e8776451ad21f4587

SHA1
9ce3d669b960c59c79f57c55a075f8a913e4d262

SHA256
fea344c60afa9d86be312100cd40425a226a7440143f3971c6dfa45fa9f1ab02

SHA512
e26afffd4428d2fb558e24e185970c7fe1e97831c0fae19a7f9dc1d4f3366edbb8510200cf23831806bec9ab2df6acf19d8056eb4009bbfcced5e1520b666d7c

Download Submit
C:\Windows\SysWOW64\Gopaea32.exe
MD5
876a7d131bd0f19e8776451ad21f4587

SHA1
9ce3d669b960c59c79f57c55a075f8a913e4d262

SHA256
fea344c60afa9d86be312100cd40425a226a7440143f3971c6dfa45fa9f1ab02

SHA512
e26afffd4428d2fb558e24e185970c7fe1e97831c0fae19a7f9dc1d4f3366edbb8510200cf23831806bec9ab2df6acf19d8056eb4009bbfcced5e1520b666d7c

Download Submit
C:\Windows\SysWOW64\Hfhfci32.exe
MD5
e0ed2a5a23e1dd4a97f339eab502c675

SHA1
d76f983e0d5cf36b2f237a942db62b3359240ef6

SHA256
d304e02c7876a10f84ca0e1244d010ce40db9c5e6da9b796c21699d1d37b0a89

SHA512
0e5cebba8de96dadd76f355b11d3d3bb9d90e412eb64dc313689e9dd8c38a3e7ef1bac322148ec951eef168bf3b20f815e87fb2908b36a0d24a897ae7d8d2a68

Download Submit
C:\Windows\SysWOW64\Hfhfci32.exe
MD5
e0ed2a5a23e1dd4a97f339eab502c675

SHA1
d76f983e0d5cf36b2f237a942db62b3359240ef6

SHA256
d304e02c7876a10f84ca0e1244d010ce40db9c5e6da9b796c21699d1d37b0a89

SHA512
0e5cebba8de96dadd76f355b11d3d3bb9d90e412eb64dc313689e9dd8c38a3e7ef1bac322148ec951eef168bf3b20f815e87fb2908b36a0d24a897ae7d8d2a68

Download Submit
C:\Windows\SysWOW64\Hidejehg.exe
MD5
0fb943327e8515d2c8e30c5a9f60c31c

SHA1
a4ae430a0c531c453430fcc39ce4284478a70896

SHA256
417dcfcaca89d76acc457bb66d6a1929bdd64e62e15ba0a61ce377e859d4e878

SHA512
10ec728b687c7513d791bc5fa02098d0d606cdda2baf21dce6044677b2b4bba7c43e9448712b5b7e4ba1d242701c1504a34611d41090c80201097a97cb530f40

Download Submit
C:\Windows\SysWOW64\Hidejehg.exe
MD5
0fb943327e8515d2c8e30c5a9f60c31c

SHA1
a4ae430a0c531c453430fcc39ce4284478a70896

SHA256
417dcfcaca89d76acc457bb66d6a1929bdd64e62e15ba0a61ce377e859d4e878

SHA512
10ec728b687c7513d791bc5fa02098d0d606cdda2baf21dce6044677b2b4bba7c43e9448712b5b7e4ba1d242701c1504a34611d41090c80201097a97cb530f40

Download Submit
C:\Windows\SysWOW64\Ifoldhqh.exe
MD5
cc0b737bdc6cfad803a89634c341b61b

SHA1
888338965d9b1272da3b5e6d33981a0cafce0945

SHA256
61fdaf8caf23f24007f48625d32a672d168233ff249d1a7ec3a93151c1ffa6b0

SHA512
ad88a7c042e06c7066be189708e5da0ce4564391e805585527a7475fbcccc491c516c8e62a75d6f9903cc6e3169809117fae33b4659cb6cdf531c7eba7f2d788

Download Submit
C:\Windows\SysWOW64\Ifoldhqh.exe
MD5
cc0b737bdc6cfad803a89634c341b61b

SHA1
888338965d9b1272da3b5e6d33981a0cafce0945

SHA256
61fdaf8caf23f24007f48625d32a672d168233ff249d1a7ec3a93151c1ffa6b0

SHA512
ad88a7c042e06c7066be189708e5da0ce4564391e805585527a7475fbcccc491c516c8e62a75d6f9903cc6e3169809117fae33b4659cb6cdf531c7eba7f2d788

Download Submit
C:\Windows\SysWOW64\Ioecgo32.exe
MD5
04f99caa15468aa2546aa5d181528792

SHA1
fe294c3ef258b7d243d7cde18d01df3a475895d8

SHA256
176aff0f515f306d8c2463c6f12fdded850a775e2e5a455b5448a4caeca5f925

SHA512
eebc4c168637fe3b1ba3dad1af4d8d344f1aaffe5632c47c0686f4e04c3c60ad90624c50a7392ad42a3b2a37593fe7924b1bfc2bed9cddfc4b83a3489a91b361

Download Submit
C:\Windows\SysWOW64\Ioecgo32.exe
MD5
04f99caa15468aa2546aa5d181528792

SHA1
fe294c3ef258b7d243d7cde18d01df3a475895d8

SHA256
176aff0f515f306d8c2463c6f12fdded850a775e2e5a455b5448a4caeca5f925

SHA512
eebc4c168637fe3b1ba3dad1af4d8d344f1aaffe5632c47c0686f4e04c3c60ad90624c50a7392ad42a3b2a37593fe7924b1bfc2bed9cddfc4b83a3489a91b361

Download Submit
C:\Windows\SysWOW64\Jbmbih32.exe
MD5
21c1a0b66b28b4e9b060e46452bbbe8a

SHA1
2db24e10f5bc481675d5884e26aaf454eefd82c2

SHA256
f9612de75340b064ae8460e0618f9152489a6c3ed1625ab1b20b9119c7cdc6a0

SHA512
9ab11e2e954ed25c8ca1c13960c5bb7ae9c8691162adc9df505264da026c96a5486572cae65f04b818b72abfc1274078e5c7c31b5ed5e5bbf808532b8845ce6b

Download Submit
C:\Windows\SysWOW64\Jbmbih32.exe
MD5
21c1a0b66b28b4e9b060e46452bbbe8a

SHA1
2db24e10f5bc481675d5884e26aaf454eefd82c2

SHA256
f9612de75340b064ae8460e0618f9152489a6c3ed1625ab1b20b9119c7cdc6a0

SHA512
9ab11e2e954ed25c8ca1c13960c5bb7ae9c8691162adc9df505264da026c96a5486572cae65f04b818b72abfc1274078e5c7c31b5ed5e5bbf808532b8845ce6b

Download Submit
C:\Windows\SysWOW64\Jigkfbga.exe
MD5
697ababc987f6ca8f9f34678ecf358ff

SHA1
de2b89b39b963edffc0a52a5aac92b0e9bbe12fb

SHA256
5b93e17771df3b879265b9769c2bd2f8d4afabf4a023ffaf86b326b77b02d400

SHA512
23023856dfda822ffb04dc84403294209cf6f1d338d221a451d6dafd8ecddbf5ec0fb7e7484563a3db9cb15c3a4079ac098ba915c97ee93fad668860d968ecc2

Download Submit
C:\Windows\SysWOW64\Jigkfbga.exe
MD5
697ababc987f6ca8f9f34678ecf358ff

SHA1
de2b89b39b963edffc0a52a5aac92b0e9bbe12fb

SHA256
5b93e17771df3b879265b9769c2bd2f8d4afabf4a023ffaf86b326b77b02d400

SHA512
23023856dfda822ffb04dc84403294209cf6f1d338d221a451d6dafd8ecddbf5ec0fb7e7484563a3db9cb15c3a4079ac098ba915c97ee93fad668860d968ecc2

Download Submit
C:\Windows\SysWOW64\Jljqnm32.exe
MD5
23521682de3457bba821d60b4fa2446b

SHA1
6f8f238e3257816cc074432c2eea0f289545db6f

SHA256
df694870e4dd00a8195a44ab98794526de1d624c0a0e889bea56640c36fd6a3d

SHA512
323d0a30fe972b335ccf7f9bf9dff59cec98ef3b17c74a78712136d414ced15c5c867b69c3b9489fdf80ae4ee558db9035e6ee2f3b132fd92f42273da9af1f53

Download Submit
C:\Windows\SysWOW64\Jljqnm32.exe
MD5
23521682de3457bba821d60b4fa2446b

SHA1
6f8f238e3257816cc074432c2eea0f289545db6f

SHA256
df694870e4dd00a8195a44ab98794526de1d624c0a0e889bea56640c36fd6a3d

SHA512
323d0a30fe972b335ccf7f9bf9dff59cec98ef3b17c74a78712136d414ced15c5c867b69c3b9489fdf80ae4ee558db9035e6ee2f3b132fd92f42273da9af1f53

Download Submit
C:\Windows\SysWOW64\Jmpjaa32.exe
MD5
b800be3304881a1c4c3d95ee6879a988

SHA1
34dbb76371131a823fe89ac98dd1f3e3e024cc4d

SHA256
56549b9a98e4dabf61cd250f638085353c97f6cacd1bcd0ec86e4a4a19e1a739

SHA512
308e748422709e398cac361ad2cc45b09f32a1f10e52b16c8958545b500d0310bee05f5a4126d6cda2617eabe861fec2463441f71d791fd811495a9f1cc85afb

Download Submit
C:\Windows\SysWOW64\Jmpjaa32.exe
MD5
b800be3304881a1c4c3d95ee6879a988

SHA1
34dbb76371131a823fe89ac98dd1f3e3e024cc4d

SHA256
56549b9a98e4dabf61cd250f638085353c97f6cacd1bcd0ec86e4a4a19e1a739

SHA512
308e748422709e398cac361ad2cc45b09f32a1f10e52b16c8958545b500d0310bee05f5a4126d6cda2617eabe861fec2463441f71d791fd811495a9f1cc85afb

Download Submit
C:\Windows\SysWOW64\Kbhbeg32.exe
MD5
18a42bafee1f49fa6d1de024399a1cf2

SHA1
c2b8dc16f1d8c3ac188a4304e92e9e0624bcabf6

SHA256
b916a29e0ac1d8d91c423b2160a6f1e1d85b5e9bb2686c083de03c11bc08cd88

SHA512
c366cfd8b4cf2632687e3abba8b885dcaabf3e10370fdfc83b602fdda6cb08ea17980d4e7ae79ba830b9a5d0fc0c85be1f295fd4adae0bf2211c8ab34e621ba8

Download Submit
C:\Windows\SysWOW64\Kbhbeg32.exe
MD5
18a42bafee1f49fa6d1de024399a1cf2

SHA1
c2b8dc16f1d8c3ac188a4304e92e9e0624bcabf6

SHA256
b916a29e0ac1d8d91c423b2160a6f1e1d85b5e9bb2686c083de03c11bc08cd88

SHA512
c366cfd8b4cf2632687e3abba8b885dcaabf3e10370fdfc83b602fdda6cb08ea17980d4e7ae79ba830b9a5d0fc0c85be1f295fd4adae0bf2211c8ab34e621ba8

Download Submit
C:\Windows\SysWOW64\Kedalb32.exe
MD5
493b22cbf3c188a843d2053d373d9860

SHA1
79371d8e9610bb0272ddcadf5c025749c85b6fec

SHA256
86fe564d436cf41c525a64e7a577aa9d7dd0a1f2cc96fb69d8d5db64666c0d8e

SHA512
ac5a8a1402a07eeed009d2e05add242bfc26c14952d6291059c86653cc0d8c9f3e4e36a779e6e17a02d7c3d18e508fc650e94f356dae90f0eb64a2ac95f2cb6c

Download Submit
C:\Windows\SysWOW64\Kedalb32.exe
MD5
493b22cbf3c188a843d2053d373d9860

SHA1
79371d8e9610bb0272ddcadf5c025749c85b6fec

SHA256
86fe564d436cf41c525a64e7a577aa9d7dd0a1f2cc96fb69d8d5db64666c0d8e

SHA512
ac5a8a1402a07eeed009d2e05add242bfc26c14952d6291059c86653cc0d8c9f3e4e36a779e6e17a02d7c3d18e508fc650e94f356dae90f0eb64a2ac95f2cb6c

Download Submit
C:\Windows\SysWOW64\Klagnl32.exe
MD5
4107572b312240bac7f7ca86021e249d

SHA1
3dec3bc3a68b0e851d32dbd64844f035253d93db

SHA256
41b42333642c7d9817d9cab46029242dba1f3db2dca501a76b64f5f523a6628f

SHA512
d7a03112b7d83d438f55c56aac95dc5a23e73d01ccc70b64d6a70ccaa127410a02f2c6ce489c1d0795c31e16be3f8cbbb1bf8e6aa56f34d6282998e934b65506

Download Submit
C:\Windows\SysWOW64\Klagnl32.exe
MD5
4107572b312240bac7f7ca86021e249d

SHA1
3dec3bc3a68b0e851d32dbd64844f035253d93db

SHA256
41b42333642c7d9817d9cab46029242dba1f3db2dca501a76b64f5f523a6628f

SHA512
d7a03112b7d83d438f55c56aac95dc5a23e73d01ccc70b64d6a70ccaa127410a02f2c6ce489c1d0795c31e16be3f8cbbb1bf8e6aa56f34d6282998e934b65506

Download Submit
memory/8-240-0x0000000000000000-mapping.dmp

Download
memory/400-114-0x0000000000000000-mapping.dmp

Download
memory/1012-165-0x0000000000000000-mapping.dmp

Download
memory/1200-147-0x0000000000000000-mapping.dmp

Download
memory/1248-156-0x0000000000000000-mapping.dmp

Download
memory/1332-117-0x0000000000000000-mapping.dmp

Download
memory/1360-153-0x0000000000000000-mapping.dmp

Download
memory/1576-120-0x0000000000000000-mapping.dmp

Download
memory/1792-162-0x0000000000000000-mapping.dmp

Download
memory/1928-123-0x0000000000000000-mapping.dmp

Download
memory/2080-159-0x0000000000000000-mapping.dmp

Download
memory/2124-150-0x0000000000000000-mapping.dmp

Download
memory/2164-126-0x0000000000000000-mapping.dmp

Download
memory/2388-129-0x0000000000000000-mapping.dmp

Download
memory/2648-132-0x0000000000000000-mapping.dmp

Download
memory/2708-135-0x0000000000000000-mapping.dmp

Download
memory/2716-171-0x0000000000000000-mapping.dmp

Download
memory/2804-241-0x0000000000000000-mapping.dmp

Download
memory/2840-141-0x0000000000000000-mapping.dmp

Download
memory/3512-138-0x0000000000000000-mapping.dmp

Download
memory/3748-144-0x0000000000000000-mapping.dmp

Download
memory/3920-239-0x0000000000000000-mapping.dmp

Download
memory/3984-168-0x0000000000000000-mapping.dmp

Download
memory/4112-174-0x0000000000000000-mapping.dmp

Download
memory/4140-177-0x0000000000000000-mapping.dmp

Download
memory/4168-180-0x0000000000000000-mapping.dmp

Download
memory/4196-183-0x0000000000000000-mapping.dmp

Download
memory/4236-186-0x0000000000000000-mapping.dmp

Download
memory/4268-189-0x0000000000000000-mapping.dmp

Download
memory/4296-192-0x0000000000000000-mapping.dmp

Download
memory/4324-195-0x0000000000000000-mapping.dmp

Download
memory/4352-198-0x0000000000000000-mapping.dmp

Download
memory/4380-201-0x0000000000000000-mapping.dmp

Download
memory/4444-204-0x0000000000000000-mapping.dmp

Download
memory/4476-207-0x0000000000000000-mapping.dmp

Download
memory/4512-210-0x0000000000000000-mapping.dmp

Download
memory/4532-211-0x0000000000000000-mapping.dmp

Download
memory/4556-212-0x0000000000000000-mapping.dmp

Download
memory/4580-213-0x0000000000000000-mapping.dmp

Download
memory/4600-214-0x0000000000000000-mapping.dmp

Download
memory/4620-215-0x0000000000000000-mapping.dmp

Download
memory/4640-216-0x0000000000000000-mapping.dmp

Download
memory/4660-217-0x0000000000000000-mapping.dmp

Download
memory/4680-218-0x0000000000000000-mapping.dmp

Download
memory/4700-219-0x0000000000000000-mapping.dmp

Download
memory/4720-220-0x0000000000000000-mapping.dmp

Download
memory/4740-221-0x0000000000000000-mapping.dmp

Download
memory/4772-222-0x0000000000000000-mapping.dmp

Download
memory/4796-223-0x0000000000000000-mapping.dmp

Download
memory/4824-224-0x0000000000000000-mapping.dmp

Download
memory/4844-225-0x0000000000000000-mapping.dmp

Download
memory/4864-226-0x0000000000000000-mapping.dmp

Download
memory/4884-227-0x0000000000000000-mapping.dmp

Download
memory/4904-228-0x0000000000000000-mapping.dmp

Download
memory/4924-229-0x0000000000000000-mapping.dmp

Download
memory/4944-230-0x0000000000000000-mapping.dmp

Download
memory/4964-231-0x0000000000000000-mapping.dmp

Download
memory/4984-232-0x0000000000000000-mapping.dmp

Download
memory/5004-233-0x0000000000000000-mapping.dmp

Download
memory/5024-234-0x0000000000000000-mapping.dmp

Download
memory/5044-235-0x0000000000000000-mapping.dmp

Download
memory/5064-236-0x0000000000000000-mapping.dmp

Download
memory/5084-237-0x0000000000000000-mapping.dmp

Download
memory/5104-238-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads