5dcead6779c873b4af2c739bcb2b98d3a7653dfd975f02baa416e355cb53d6cd

Analysis

max time kernel
138s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

033b8d252fa0163b7bd187c481b90f4f.exe
Size

145KB
MD5

033b8d252fa0163b7bd187c481b90f4f
SHA1

b375ffd9fa5326dba0bc29ae5e3f2fba051b3441
SHA256

5dcead6779c873b4af2c739bcb2b98d3a7653dfd975f02baa416e355cb53d6cd
SHA512

ec6c38c1eb7c7b91c3bad7025818faf86cd0c54c1ca8d092414c6aaa17e3170a843309f95d3c2604dbd6faa46adb1b9723c3cb34279efa4f19b8510e578171cf
SSDEEP

3072:pmh7A475hxcslCXYSl+xklAbwf1nFzwSAJB8FgBY5nd/Mv:2Hftl8oxklB1n6xJmPMv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmlicp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfdcbiol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohggm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opgloh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggjgofkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iqpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kqdodo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ainnhdbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdfnmhnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfdcbiol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfenga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnekcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khfdlnab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhbbob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkbcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kahpgcch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnjqhcno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfdklllb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oklifdmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhmmieil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknhjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okcogc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejhhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnhfbjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlfniafa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgdphm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhbakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhbakk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidmcqeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgkegn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bilcol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhhdpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khfdlnab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfgahikm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anqfepaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddnah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqomdppm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgnleiid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhenpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjiloqjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmdekf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbgjmnno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhalcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefgak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbhnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhfihp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kahpgcch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icminm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gajpmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odcojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmefiakh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqigee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olpjii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmfpgmil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgdphm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oklifdmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ioicnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhhdpd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moiheebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kadnfkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opjgidfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjefao32.exe

Executes dropped EXE 64 IoCs

pid	Process
4992	Iqpclh32.exe
4924	Kfdklllb.exe
4336	Khfdlnab.exe
1552	Lfgahikm.exe
2420	Mdkabmjf.exe
1020	Mdagbl32.exe
2484	Moiheebb.exe
1512	Nkjlqd32.exe
820	Oklifdmi.exe
3920	Okcogc32.exe
2736	Phlikg32.exe
5068	Pdeffgff.exe
3664	Agjhbbob.exe
396	Ainnhdbp.exe
848	Bejhhd32.exe
4216	Becknc32.exe
4972	Chfaenfb.exe
4120	Ebagdddp.exe
2760	Fgmllpng.exe
4084	Gjdknjep.exe
2236	Hpcmfchg.exe
3044	Icminm32.exe
2196	Ioicnn32.exe
4480	Jmffnq32.exe
1864	Kqdodo32.exe
1860	Kaihonhl.exe
2948	Kidmcqeg.exe
636	Kggjghkd.exe
1968	Ljhchc32.exe
1140	Lccdghmc.exe
3368	Mhhcne32.exe
824	Mjiloqjb.exe
4348	Mhmmieil.exe
4632	Nplkhf32.exe
4140	Opjgidfa.exe
4296	Pgkegn32.exe
1568	Ppdjpcng.exe
4832	Aqbfaa32.exe
556	Bilcol32.exe
2188	Ckfofe32.exe
1396	Ehhpge32.exe
2284	Flmonbbp.exe
1228	Fifhbf32.exe
5048	Gimoce32.exe
2680	Gajpmg32.exe
3300	Hcflch32.exe
2064	Ikejbjip.exe
4712	Jokiig32.exe
2688	Jhcmbm32.exe
1348	Jjefao32.exe
3600	Kblkap32.exe
2192	Kifcnjpi.exe
3204	Lckglc32.exe
2608	Lkflpe32.exe
2748	Lbgjmnno.exe
4300	Mmdekf32.exe
1012	Mbcjimda.exe
2876	Nmkkle32.exe
4124	Ndgpnogo.exe
2268	Odcojm32.exe
3052	Odhiemil.exe
1188	Ppoijn32.exe
4396	Pignccea.exe
3888	Pmefiakh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Opjgidfa.exe	Nplkhf32.exe
File created	C:\Windows\SysWOW64\Foadqnoo.dll	Aqbfaa32.exe
File created	C:\Windows\SysWOW64\Cjneikmp.dll	Pmefiakh.exe
File created	C:\Windows\SysWOW64\Egqhob32.dll	Djjemlhf.exe
File created	C:\Windows\SysWOW64\Apeiij32.dll	Eckfaj32.exe
File created	C:\Windows\SysWOW64\Mbcjimda.exe	Mmdekf32.exe
File opened for modification	C:\Windows\SysWOW64\Nmkkle32.exe	Mbcjimda.exe
File created	C:\Windows\SysWOW64\Ofnhfbjl.exe	Niohap32.exe
File created	C:\Windows\SysWOW64\Pfmdgq32.exe	Ppnbpg32.exe
File created	C:\Windows\SysWOW64\Ipilln32.dll	Fakfglhm.exe
File created	C:\Windows\SysWOW64\Jhfihp32.exe	Jondojna.exe
File created	C:\Windows\SysWOW64\Ehofco32.dll	Mdagbl32.exe
File opened for modification	C:\Windows\SysWOW64\Odcojm32.exe	Ndgpnogo.exe
File opened for modification	C:\Windows\SysWOW64\Kidmcqeg.exe	Kaihonhl.exe
File created	C:\Windows\SysWOW64\Ppdjpcng.exe	Pgkegn32.exe
File created	C:\Windows\SysWOW64\Loeebgbi.dll	Ofnhfbjl.exe
File created	C:\Windows\SysWOW64\Ofocia32.dll	Qbeaba32.exe
File created	C:\Windows\SysWOW64\Obnlpnbm.exe	Oghgbe32.exe
File opened for modification	C:\Windows\SysWOW64\Jmffnq32.exe	Ioicnn32.exe
File created	C:\Windows\SysWOW64\Jmlkpgia.exe	Jhocgqjj.exe
File opened for modification	C:\Windows\SysWOW64\Lgnleiid.exe	Lqdcio32.exe
File created	C:\Windows\SysWOW64\Nildajdg.exe	Mhihkjfj.exe
File opened for modification	C:\Windows\SysWOW64\Gjdknjep.exe	Fgmllpng.exe
File created	C:\Windows\SysWOW64\Pfkbkibi.dll	Fifhbf32.exe
File created	C:\Windows\SysWOW64\Gajpmg32.exe	Gimoce32.exe
File created	C:\Windows\SysWOW64\Ndgpnogo.exe	Nmkkle32.exe
File created	C:\Windows\SysWOW64\Ohbaonna.dll	Okcogc32.exe
File created	C:\Windows\SysWOW64\Dafkoa32.dll	Ioeicajh.exe
File opened for modification	C:\Windows\SysWOW64\Eonmkkmj.exe	Enlqdc32.exe
File created	C:\Windows\SysWOW64\Aoebjc32.dll	Mbpoop32.exe
File opened for modification	C:\Windows\SysWOW64\Mmdekf32.exe	Lbgjmnno.exe
File opened for modification	C:\Windows\SysWOW64\Dnekcd32.exe	Dlfniafa.exe
File opened for modification	C:\Windows\SysWOW64\Flmonbbp.exe	Ehhpge32.exe
File created	C:\Windows\SysWOW64\Ikejbjip.exe	Hcflch32.exe
File created	C:\Windows\SysWOW64\Fhalcm32.exe	Emikpeig.exe
File created	C:\Windows\SysWOW64\Plkdkcqg.dll	Khkbcopl.exe
File created	C:\Windows\SysWOW64\Bojohp32.exe	Aekdolkj.exe
File created	C:\Windows\SysWOW64\Llbgoe32.dll	Kknhjj32.exe
File opened for modification	C:\Windows\SysWOW64\Mhihkjfj.exe	Mbpoop32.exe
File created	C:\Windows\SysWOW64\Ghpblhco.dll	Odhiemil.exe
File opened for modification	C:\Windows\SysWOW64\Ioeicajh.exe	Incpdodg.exe
File created	C:\Windows\SysWOW64\Gcgndf32.exe	Gjmmfq32.exe
File created	C:\Windows\SysWOW64\Jgdphm32.exe	Jmlkpgia.exe
File opened for modification	C:\Windows\SysWOW64\Mbkfcabb.exe	Mhbakk32.exe
File created	C:\Windows\SysWOW64\Lbpmbipk.exe	Lmcejbbd.exe
File created	C:\Windows\SysWOW64\Blgmmd32.dll	Lckglc32.exe
File created	C:\Windows\SysWOW64\Fgencf32.exe	Fakfglhm.exe
File created	C:\Windows\SysWOW64\Kpfggang.exe	Khkbcopl.exe
File created	C:\Windows\SysWOW64\Ggliem32.dll	Hmlicp32.exe
File created	C:\Windows\SysWOW64\Jhocgqjj.exe	Ihagfb32.exe
File opened for modification	C:\Windows\SysWOW64\Mhmmieil.exe	Mjiloqjb.exe
File created	C:\Windows\SysWOW64\Odcojm32.exe	Ndgpnogo.exe
File created	C:\Windows\SysWOW64\Cdiloa32.dll	Odcojm32.exe
File opened for modification	C:\Windows\SysWOW64\Hmlicp32.exe	Hddejjdo.exe
File created	C:\Windows\SysWOW64\Dlcqlo32.dll	Blqlgdhi.exe
File opened for modification	C:\Windows\SysWOW64\Mdkabmjf.exe	Lfgahikm.exe
File created	C:\Windows\SysWOW64\Nojgmmgl.dll	Nplkhf32.exe
File created	C:\Windows\SysWOW64\Aajmenjo.dll	Dqomdppm.exe
File created	C:\Windows\SysWOW64\Lhiodm32.exe	Lqbgcp32.exe
File created	C:\Windows\SysWOW64\Dkcfca32.dll	Mhenpk32.exe
File created	C:\Windows\SysWOW64\Mdagbl32.exe	Mdkabmjf.exe
File created	C:\Windows\SysWOW64\Linojbdc.exe	Lnikmjdm.exe
File created	C:\Windows\SysWOW64\Nnolia32.dll	Lccdghmc.exe
File created	C:\Windows\SysWOW64\Odhiemil.exe	Odcojm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1140	2996	WerFault.exe	270

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egpjlj32.dll"	Imabnofj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opgloh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apeiij32.dll"	Eckfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edfaonkb.dll"	Nbfeoohe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpcmfchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eakcie32.dll"	Ehhpge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jondojna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhihkjfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbeaba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnhgidka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fakfglhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkabmjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcfjiopj.dll"	Bdfnmhnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfdcbiol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacfdpmc.dll"	Lqbgcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ioicnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlhomk32.dll"	Kifcnjpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fggkifmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmifcjif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opjgidfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjeei32.dll"	Gimoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhecfchk.dll"	Fgmllpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nahakl32.dll"	Kidmcqeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjefao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qbhnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdlpnie.dll"	Dnhgidka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Almifk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imabnofj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Knkokl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iqpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kggjghkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgbfka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occlhfgg.dll"	Incpdodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phlikg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Econlc32.dll"	Ebagdddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjdknjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgjjgkh.dll"	Hddejjdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmlicp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnnodhei.dll"	Icminm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kidmcqeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnckjif.dll"	Pignccea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijdpd32.dll"	Becknc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkflpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmkkle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pignccea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnikmjdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeigilml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhlak32.dll"	Hhhdpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmbkm32.dll"	Flmonbbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiobpljq.dll"	Jokiig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdfnmhnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcbcc32.dll"	Gnmbao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kahpgcch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhiodm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	033b8d252fa0163b7bd187c481b90f4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidlgjgm.dll"	033b8d252fa0163b7bd187c481b90f4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehpnnpl.dll"	Jhdlbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfgahikm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmdekf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odcojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jefgak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oklifdmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajggjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dqigee32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 4992	1488	033b8d252fa0163b7bd187c481b90f4f.exe	91
PID 1488 wrote to memory of 4992	1488	033b8d252fa0163b7bd187c481b90f4f.exe	91
PID 1488 wrote to memory of 4992	1488	033b8d252fa0163b7bd187c481b90f4f.exe	91
PID 4992 wrote to memory of 4924	4992	Iqpclh32.exe	93
PID 4992 wrote to memory of 4924	4992	Iqpclh32.exe	93
PID 4992 wrote to memory of 4924	4992	Iqpclh32.exe	93
PID 4924 wrote to memory of 4336	4924	Kfdklllb.exe	95
PID 4924 wrote to memory of 4336	4924	Kfdklllb.exe	95
PID 4924 wrote to memory of 4336	4924	Kfdklllb.exe	95
PID 4336 wrote to memory of 1552	4336	Khfdlnab.exe	96
PID 4336 wrote to memory of 1552	4336	Khfdlnab.exe	96
PID 4336 wrote to memory of 1552	4336	Khfdlnab.exe	96
PID 1552 wrote to memory of 2420	1552	Lfgahikm.exe	97
PID 1552 wrote to memory of 2420	1552	Lfgahikm.exe	97
PID 1552 wrote to memory of 2420	1552	Lfgahikm.exe	97
PID 2420 wrote to memory of 1020	2420	Mdkabmjf.exe	99
PID 2420 wrote to memory of 1020	2420	Mdkabmjf.exe	99
PID 2420 wrote to memory of 1020	2420	Mdkabmjf.exe	99
PID 1020 wrote to memory of 2484	1020	Mdagbl32.exe	100
PID 1020 wrote to memory of 2484	1020	Mdagbl32.exe	100
PID 1020 wrote to memory of 2484	1020	Mdagbl32.exe	100
PID 2484 wrote to memory of 1512	2484	Moiheebb.exe	101
PID 2484 wrote to memory of 1512	2484	Moiheebb.exe	101
PID 2484 wrote to memory of 1512	2484	Moiheebb.exe	101
PID 1512 wrote to memory of 820	1512	Nkjlqd32.exe	102
PID 1512 wrote to memory of 820	1512	Nkjlqd32.exe	102
PID 1512 wrote to memory of 820	1512	Nkjlqd32.exe	102
PID 820 wrote to memory of 3920	820	Oklifdmi.exe	103
PID 820 wrote to memory of 3920	820	Oklifdmi.exe	103
PID 820 wrote to memory of 3920	820	Oklifdmi.exe	103
PID 3920 wrote to memory of 2736	3920	Okcogc32.exe	104
PID 3920 wrote to memory of 2736	3920	Okcogc32.exe	104
PID 3920 wrote to memory of 2736	3920	Okcogc32.exe	104
PID 2736 wrote to memory of 5068	2736	Phlikg32.exe	105
PID 2736 wrote to memory of 5068	2736	Phlikg32.exe	105
PID 2736 wrote to memory of 5068	2736	Phlikg32.exe	105
PID 5068 wrote to memory of 3664	5068	Pdeffgff.exe	106
PID 5068 wrote to memory of 3664	5068	Pdeffgff.exe	106
PID 5068 wrote to memory of 3664	5068	Pdeffgff.exe	106
PID 3664 wrote to memory of 396	3664	Agjhbbob.exe	107
PID 3664 wrote to memory of 396	3664	Agjhbbob.exe	107
PID 3664 wrote to memory of 396	3664	Agjhbbob.exe	107
PID 396 wrote to memory of 848	396	Ainnhdbp.exe	108
PID 396 wrote to memory of 848	396	Ainnhdbp.exe	108
PID 396 wrote to memory of 848	396	Ainnhdbp.exe	108
PID 848 wrote to memory of 4216	848	Bejhhd32.exe	109
PID 848 wrote to memory of 4216	848	Bejhhd32.exe	109
PID 848 wrote to memory of 4216	848	Bejhhd32.exe	109
PID 4216 wrote to memory of 4972	4216	Becknc32.exe	110
PID 4216 wrote to memory of 4972	4216	Becknc32.exe	110
PID 4216 wrote to memory of 4972	4216	Becknc32.exe	110
PID 4972 wrote to memory of 4120	4972	Chfaenfb.exe	111
PID 4972 wrote to memory of 4120	4972	Chfaenfb.exe	111
PID 4972 wrote to memory of 4120	4972	Chfaenfb.exe	111
PID 4120 wrote to memory of 2760	4120	Ebagdddp.exe	112
PID 4120 wrote to memory of 2760	4120	Ebagdddp.exe	112
PID 4120 wrote to memory of 2760	4120	Ebagdddp.exe	112
PID 2760 wrote to memory of 4084	2760	Fgmllpng.exe	113
PID 2760 wrote to memory of 4084	2760	Fgmllpng.exe	113
PID 2760 wrote to memory of 4084	2760	Fgmllpng.exe	113
PID 4084 wrote to memory of 2236	4084	Gjdknjep.exe	114
PID 4084 wrote to memory of 2236	4084	Gjdknjep.exe	114
PID 4084 wrote to memory of 2236	4084	Gjdknjep.exe	114
PID 2236 wrote to memory of 3044	2236	Hpcmfchg.exe	115

C:\Users\Admin\AppData\Local\Temp\033b8d252fa0163b7bd187c481b90f4f.exe
"C:\Users\Admin\AppData\Local\Temp\033b8d252fa0163b7bd187c481b90f4f.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\Iqpclh32.exe
  C:\Windows\system32\Iqpclh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\Kfdklllb.exe
    C:\Windows\system32\Kfdklllb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\SysWOW64\Khfdlnab.exe
      C:\Windows\system32\Khfdlnab.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Windows\SysWOW64\Lfgahikm.exe
        
        C:\Windows\system32\Lfgahikm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Windows\SysWOW64\Mdkabmjf.exe
        
        C:\Windows\system32\Mdkabmjf.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Mdagbl32.exe
        
        C:\Windows\system32\Mdagbl32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Moiheebb.exe
        
        C:\Windows\system32\Moiheebb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Nkjlqd32.exe
        
        C:\Windows\system32\Nkjlqd32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Oklifdmi.exe
        
        C:\Windows\system32\Oklifdmi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Okcogc32.exe
        
        C:\Windows\system32\Okcogc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Phlikg32.exe
        
        C:\Windows\system32\Phlikg32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Pdeffgff.exe
        
        C:\Windows\system32\Pdeffgff.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Agjhbbob.exe
        
        C:\Windows\system32\Agjhbbob.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Ainnhdbp.exe
        
        C:\Windows\system32\Ainnhdbp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Bejhhd32.exe
        
        C:\Windows\system32\Bejhhd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Becknc32.exe
        
        C:\Windows\system32\Becknc32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Chfaenfb.exe
        
        C:\Windows\system32\Chfaenfb.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Ebagdddp.exe
        
        C:\Windows\system32\Ebagdddp.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Fgmllpng.exe
        
        C:\Windows\system32\Fgmllpng.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Gjdknjep.exe
        
        C:\Windows\system32\Gjdknjep.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Hpcmfchg.exe
        
        C:\Windows\system32\Hpcmfchg.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Icminm32.exe
        
        C:\Windows\system32\Icminm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Ioicnn32.exe
        
        C:\Windows\system32\Ioicnn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Jmffnq32.exe
        
        C:\Windows\system32\Jmffnq32.exe
        25⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Kqdodo32.exe
        
        C:\Windows\system32\Kqdodo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Kaihonhl.exe
        
        C:\Windows\system32\Kaihonhl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Kidmcqeg.exe
        
        C:\Windows\system32\Kidmcqeg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Kggjghkd.exe
        
        C:\Windows\system32\Kggjghkd.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Ljhchc32.exe
        
        C:\Windows\system32\Ljhchc32.exe
        30⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\Lccdghmc.exe
        
        C:\Windows\system32\Lccdghmc.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Mhhcne32.exe
        
        C:\Windows\system32\Mhhcne32.exe
        32⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Mjiloqjb.exe
        
        C:\Windows\system32\Mjiloqjb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:824
        
        C:\Windows\SysWOW64\Mhmmieil.exe
        
        C:\Windows\system32\Mhmmieil.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Nplkhf32.exe
        
        C:\Windows\system32\Nplkhf32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Opjgidfa.exe
        
        C:\Windows\system32\Opjgidfa.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Pgkegn32.exe
        
        C:\Windows\system32\Pgkegn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ppdjpcng.exe
        
        C:\Windows\system32\Ppdjpcng.exe
        38⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Aqbfaa32.exe
        
        C:\Windows\system32\Aqbfaa32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Bilcol32.exe
        
        C:\Windows\system32\Bilcol32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Ckfofe32.exe
        
        C:\Windows\system32\Ckfofe32.exe
        41⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Ehhpge32.exe
        
        C:\Windows\system32\Ehhpge32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Flmonbbp.exe
        
        C:\Windows\system32\Flmonbbp.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Fifhbf32.exe
        
        C:\Windows\system32\Fifhbf32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1228
        
        C:\Windows\SysWOW64\Gimoce32.exe
        
        C:\Windows\system32\Gimoce32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Gajpmg32.exe
        
        C:\Windows\system32\Gajpmg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Hcflch32.exe
        
        C:\Windows\system32\Hcflch32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\Ikejbjip.exe
        
        C:\Windows\system32\Ikejbjip.exe
        48⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\Jokiig32.exe
        
        C:\Windows\system32\Jokiig32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Jhcmbm32.exe
        
        C:\Windows\system32\Jhcmbm32.exe
        50⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\Jjefao32.exe
        
        C:\Windows\system32\Jjefao32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Kblkap32.exe
        
        C:\Windows\system32\Kblkap32.exe
        52⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Windows\SysWOW64\Kifcnjpi.exe
        
        C:\Windows\system32\Kifcnjpi.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Lckglc32.exe
        
        C:\Windows\system32\Lckglc32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Lkflpe32.exe
        
        C:\Windows\system32\Lkflpe32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Lbgjmnno.exe
        
        C:\Windows\system32\Lbgjmnno.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Mmdekf32.exe
        
        C:\Windows\system32\Mmdekf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Mbcjimda.exe
        
        C:\Windows\system32\Mbcjimda.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Nmkkle32.exe
        
        C:\Windows\system32\Nmkkle32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Ndgpnogo.exe
        
        C:\Windows\system32\Ndgpnogo.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Odcojm32.exe
        
        C:\Windows\system32\Odcojm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Odhiemil.exe
        
        C:\Windows\system32\Odhiemil.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Ppoijn32.exe
        
        C:\Windows\system32\Ppoijn32.exe
        63⤵
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\Pignccea.exe
        
        C:\Windows\system32\Pignccea.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Pmefiakh.exe
        
        C:\Windows\system32\Pmefiakh.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\Pcdlghgl.exe
        
        C:\Windows\system32\Pcdlghgl.exe
        66⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\Anqfepaj.exe
        
        C:\Windows\system32\Anqfepaj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:692
        
        C:\Windows\SysWOW64\Ajggjq32.exe
        
        C:\Windows\system32\Ajggjq32.exe
        68⤵
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Almifk32.exe
        
        C:\Windows\system32\Almifk32.exe
        69⤵
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Bdfnmhnj.exe
        
        C:\Windows\system32\Bdfnmhnj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Bkbcpb32.exe
        
        C:\Windows\system32\Bkbcpb32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3244
        
        C:\Windows\SysWOW64\Bqokhi32.exe
        
        C:\Windows\system32\Bqokhi32.exe
        72⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Cgbfka32.exe
        
        C:\Windows\system32\Cgbfka32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Djjemlhf.exe
        
        C:\Windows\system32\Djjemlhf.exe
        74⤵
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Dqigee32.exe
        
        C:\Windows\system32\Dqigee32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Endnohdp.exe
        
        C:\Windows\system32\Endnohdp.exe
        76⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Emikpeig.exe
        
        C:\Windows\system32\Emikpeig.exe
        77⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Fhalcm32.exe
        
        C:\Windows\system32\Fhalcm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1236
        
        C:\Windows\SysWOW64\Fejegaao.exe
        
        C:\Windows\system32\Fejegaao.exe
        79⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Gjndpg32.exe
        
        C:\Windows\system32\Gjndpg32.exe
        80⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Ghfnej32.exe
        
        C:\Windows\system32\Ghfnej32.exe
        81⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\Hddejjdo.exe
        
        C:\Windows\system32\Hddejjdo.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Hmlicp32.exe
        
        C:\Windows\system32\Hmlicp32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Imabnofj.exe
        
        C:\Windows\system32\Imabnofj.exe
        84⤵
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Idkkki32.exe
        
        C:\Windows\system32\Idkkki32.exe
        85⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Incpdodg.exe
        
        C:\Windows\system32\Incpdodg.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Ioeicajh.exe
        
        C:\Windows\system32\Ioeicajh.exe
        87⤵
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Jddnah32.exe
        
        C:\Windows\system32\Jddnah32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:312
        
        C:\Windows\SysWOW64\Jknfnbmi.exe
        
        C:\Windows\system32\Jknfnbmi.exe
        89⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\Jefgak32.exe
        
        C:\Windows\system32\Jefgak32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Jdkdbgpd.exe
        
        C:\Windows\system32\Jdkdbgpd.exe
        91⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Kadnfkji.exe
        
        C:\Windows\system32\Kadnfkji.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Knkokl32.exe
        
        C:\Windows\system32\Knkokl32.exe
        93⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Kfdcbiol.exe
        
        C:\Windows\system32\Kfdcbiol.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Lmcejbbd.exe
        
        C:\Windows\system32\Lmcejbbd.exe
        95⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Lbpmbipk.exe
        
        C:\Windows\system32\Lbpmbipk.exe
        96⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Lnikmjdm.exe
        
        C:\Windows\system32\Lnikmjdm.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Linojbdc.exe
        
        C:\Windows\system32\Linojbdc.exe
        98⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Lohggm32.exe
        
        C:\Windows\system32\Lohggm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Lfbpcgbl.exe
        
        C:\Windows\system32\Lfbpcgbl.exe
        100⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Niohap32.exe
        
        C:\Windows\system32\Niohap32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Ofnhfbjl.exe
        
        C:\Windows\system32\Ofnhfbjl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Opgloh32.exe
        
        C:\Windows\system32\Opgloh32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Olpjii32.exe
        
        C:\Windows\system32\Olpjii32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Pfenga32.exe
        
        C:\Windows\system32\Pfenga32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Ppnbpg32.exe
        
        C:\Windows\system32\Ppnbpg32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Pfmdgq32.exe
        
        C:\Windows\system32\Pfmdgq32.exe
        107⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Qbeaba32.exe
        
        C:\Windows\system32\Qbeaba32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Qipjokik.exe
        
        C:\Windows\system32\Qipjokik.exe
        109⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Qbhnga32.exe
        
        C:\Windows\system32\Qbhnga32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Aploae32.exe
        
        C:\Windows\system32\Aploae32.exe
        111⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Aeigilml.exe
        
        C:\Windows\system32\Aeigilml.exe
        112⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Aekdolkj.exe
        
        C:\Windows\system32\Aekdolkj.exe
        113⤵
        Drops file in System32 directory
        
        PID:112
        
        C:\Windows\SysWOW64\Bojohp32.exe
        
        C:\Windows\system32\Bojohp32.exe
        114⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\Blnoad32.exe
        
        C:\Windows\system32\Blnoad32.exe
        115⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Blqlgdhi.exe
        
        C:\Windows\system32\Blqlgdhi.exe
        116⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Boaeioej.exe
        
        C:\Windows\system32\Boaeioej.exe
        117⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Cfiiggpg.exe
        
        C:\Windows\system32\Cfiiggpg.exe
        118⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Dqomdppm.exe
        
        C:\Windows\system32\Dqomdppm.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Dlfniafa.exe
        
        C:\Windows\system32\Dlfniafa.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Dnekcd32.exe
        
        C:\Windows\system32\Dnekcd32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Dcbckk32.exe
        
        C:\Windows\system32\Dcbckk32.exe
        122⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Dnhgidka.exe
        
        C:\Windows\system32\Dnhgidka.exe
        123⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Enlqdc32.exe
        
        C:\Windows\system32\Enlqdc32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Eonmkkmj.exe
        
        C:\Windows\system32\Eonmkkmj.exe
        125⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Eckfaj32.exe
        
        C:\Windows\system32\Eckfaj32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Emdjjo32.exe
        
        C:\Windows\system32\Emdjjo32.exe
        127⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Fjldocde.exe
        
        C:\Windows\system32\Fjldocde.exe
        128⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Fakfglhm.exe
        
        C:\Windows\system32\Fakfglhm.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Fgencf32.exe
        
        C:\Windows\system32\Fgencf32.exe
        130⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Fmbflm32.exe
        
        C:\Windows\system32\Fmbflm32.exe
        131⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Fggkifmg.exe
        
        C:\Windows\system32\Fggkifmg.exe
        132⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Ggjgofkd.exe
        
        C:\Windows\system32\Ggjgofkd.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Gmfpgmil.exe
        
        C:\Windows\system32\Gmfpgmil.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Gjmmfq32.exe
        
        C:\Windows\system32\Gjmmfq32.exe
        135⤵
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Gcgndf32.exe
        
        C:\Windows\system32\Gcgndf32.exe
        136⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Gnmbao32.exe
        
        C:\Windows\system32\Gnmbao32.exe
        137⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Hmbpbk32.exe
        
        C:\Windows\system32\Hmbpbk32.exe
        138⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Hhhdpd32.exe
        
        C:\Windows\system32\Hhhdpd32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Hmifcjif.exe
        
        C:\Windows\system32\Hmifcjif.exe
        140⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Ihagfb32.exe
        
        C:\Windows\system32\Ihagfb32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Jhocgqjj.exe
        
        C:\Windows\system32\Jhocgqjj.exe
        142⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Jmlkpgia.exe
        
        C:\Windows\system32\Jmlkpgia.exe
        143⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Jgdphm32.exe
        
        C:\Windows\system32\Jgdphm32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:468
        
        C:\Windows\SysWOW64\Jhdlbp32.exe
        
        C:\Windows\system32\Jhdlbp32.exe
        145⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Jondojna.exe
        
        C:\Windows\system32\Jondojna.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Jhfihp32.exe
        
        C:\Windows\system32\Jhfihp32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Jncapf32.exe
        
        C:\Windows\system32\Jncapf32.exe
        148⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\Kdmjmqjf.exe
        
        C:\Windows\system32\Kdmjmqjf.exe
        149⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Kobnji32.exe
        
        C:\Windows\system32\Kobnji32.exe
        150⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Khkbcopl.exe
        
        C:\Windows\system32\Khkbcopl.exe
        151⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Kpfggang.exe
        
        C:\Windows\system32\Kpfggang.exe
        152⤵
        
        PID:820
        
        C:\Windows\SysWOW64\Kknhjj32.exe
        
        C:\Windows\system32\Kknhjj32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Kahpgcch.exe
        
        C:\Windows\system32\Kahpgcch.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Lajmmc32.exe
        
        C:\Windows\system32\Lajmmc32.exe
        155⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Lamjbc32.exe
        
        C:\Windows\system32\Lamjbc32.exe
        156⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Lqbgcp32.exe
        
        C:\Windows\system32\Lqbgcp32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Lhiodm32.exe
        
        C:\Windows\system32\Lhiodm32.exe
        158⤵
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Lqdcio32.exe
        
        C:\Windows\system32\Lqdcio32.exe
        159⤵
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Lgnleiid.exe
        
        C:\Windows\system32\Lgnleiid.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1412
        
        C:\Windows\SysWOW64\Ladpcb32.exe
        
        C:\Windows\system32\Ladpcb32.exe
        161⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Mnjqhcno.exe
        
        C:\Windows\system32\Mnjqhcno.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Mhbakk32.exe
        
        C:\Windows\system32\Mhbakk32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Mbkfcabb.exe
        
        C:\Windows\system32\Mbkfcabb.exe
        164⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\Mhenpk32.exe
        
        C:\Windows\system32\Mhenpk32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Mnaghb32.exe
        
        C:\Windows\system32\Mnaghb32.exe
        166⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Mbpoop32.exe
        
        C:\Windows\system32\Mbpoop32.exe
        167⤵
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Mhihkjfj.exe
        
        C:\Windows\system32\Mhihkjfj.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Nildajdg.exe
        
        C:\Windows\system32\Nildajdg.exe
        169⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Nbfeoohe.exe
        
        C:\Windows\system32\Nbfeoohe.exe
        170⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Nojfic32.exe
        
        C:\Windows\system32\Nojfic32.exe
        171⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Oghgbe32.exe
        
        C:\Windows\system32\Oghgbe32.exe
        172⤵
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\Obnlpnbm.exe
        
        C:\Windows\system32\Obnlpnbm.exe
        173⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\Okfpid32.exe
        
        C:\Windows\system32\Okfpid32.exe
        174⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 412
        175⤵
        Program crash
        
        PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2996 -ip 2996
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agjhbbob.exe

Filesize
145KB

MD5
7123eec7cd933e737b829fd5599d46ba

SHA1
08237ac5d80856af113022717702286902644462

SHA256
5ca88d3a054a4c0d8fa39ae52e1380a5362c71de7c011ad6d240eed650ed4bbc

SHA512
b5907962700775e4ac1b81c98ea494ed0e7eb05338e1082fc958c9ea9a8e25acf4222c2ff4b879ecb9357614f02492ac5d33d5029bec72c93a30bbf0a6e6a6aa

Download Submit
C:\Windows\SysWOW64\Ainnhdbp.exe

Filesize
145KB

MD5
13f8080aeb2bb401c97eb7db4090209d

SHA1
e69a217bf83ef892e34fa8f95e15df2561d4049c

SHA256
ad18c2bc46ff942e2e39929c669df9f115dc7c9928bdc86e8790897c6b777b81

SHA512
083915be9934cfc3b05de05ec94c2224a430eea18833058761cf6339b06f5e25d8869c7d0fbc32b2483a9ba12e00ad190f02cb8841a16860e20953cccd0ab1a2

Download Submit
C:\Windows\SysWOW64\Bdfnmhnj.exe

Filesize
145KB

MD5
5e37078150ce79c258c412a86432c3f8

SHA1
aa66b24455bd5dc017ebc395876d9cf5476afb70

SHA256
b1da0d0023076702bf3f278cfe383f5459c925cc4462c1bf067f4a0c8c33bfb2

SHA512
28728b8405918572ce42f6c583fc2a05681badd3bae52ff60a3f7bd93f1caa02414220482eaea55a27bfc3fd32c86b88dc4a599f68995c3efdf9a42438c4daed

Download Submit
C:\Windows\SysWOW64\Becknc32.exe

Filesize
145KB

MD5
cf52b20685d3867155962f78d3749f7e

SHA1
dc2c74ccdcd5bec402b228bf0e7013872a8c6727

SHA256
24e2a9920a15aad7e2dbee231e2a60ae50acf732c0050c7c16026c0373fa300f

SHA512
2005c7ec602af52b208cf835a3b88f340e9312c788d1389c5f797dd94314871b8e24576d6c1b9631166565f80b2079c2736d9d8c7c976b6f0ee835cf5f47a56a

Download Submit
C:\Windows\SysWOW64\Bejhhd32.exe

Filesize
145KB

MD5
a56e833696ac1d98c913528d4600cb00

SHA1
111a00ac477425111ef17a91868d5e4dcee72b63

SHA256
bf372e72fbb7ed931b840ddda69b0c5a02da30749f31e1fa51b679ba501644fe

SHA512
c44d18a1763547ad0c010f002729a2c521890b403b15582a5c6d3d5cf403026ac092b6db1610ca8ece96eccdbe740a50a7af75534272030e7d63244529a950b0

Download Submit
C:\Windows\SysWOW64\Chfaenfb.exe

Filesize
145KB

MD5
0cc147d47351d6c5c686686d90371a56

SHA1
fc2e5618d3374fb4def1319a50195c5b168a68b6

SHA256
a21353a57ac248bb3ee5811aafdb6cb0106ebf08512c63f8272a86aa3b6269a9

SHA512
e10500211259ec96a43532f7da82e528603a4e16eb6720c607b84b554192e17ab89a1701e63def57f01f95ba9a1fc16cd5ff4888daf45e94168b7274bab44368

Download Submit
C:\Windows\SysWOW64\Ebagdddp.exe

Filesize
145KB

MD5
f1b16478f264822602f908ad91d66944

SHA1
3c1e53fafa041a5e5d5a65e5afde18f9a37e09a3

SHA256
1635bd33d2cf4e9d437558b85fcb2d04a312239b05cf637698466b2cdcb81761

SHA512
5cbae56793953087236bbc391957c2d76ddd2520b7cc4829be6a4e6e7b0f1a458e394a5fedab5547b715407d87411bc4c072eb3de5af2a5db1257a017c39401a

Download Submit
C:\Windows\SysWOW64\Eckfaj32.exe

Filesize
145KB

MD5
02a8d253d9742742ce07abfcd4a81f48

SHA1
38489c3553b0c4eb958d7b843be86b12933a9e61

SHA256
1b7752cfda262ef9639b44d597508605945daa55f52403f72e7f16447037d9fe

SHA512
8557d4aa44b99800073f07636fc98d321b8e874b716fc253f2f079e65c515d5d9c6a544dfb8550eba76b9755ba19d654ba7477241e6eee69e418f1390cac1ca6

Download Submit
C:\Windows\SysWOW64\Ehhpge32.exe

Filesize
145KB

MD5
9d71ad70b0cf007a739dea7b54e1b9bd

SHA1
c53242709f2130c3eccb6fb8c4c8198267d9f9d7

SHA256
bc4332e75b3c3404ce6602c4412d5f3f128967beb14b1919edc0db8d5e1c61a6

SHA512
fa82dccab71da65216bda034e70118a8fe4fcffc4113c224f5e5c2371e51d1bdca0939c910152ed6178405db8013ec14630c0ce0864282ca18521718f72d5b75

Download Submit
C:\Windows\SysWOW64\Emikpeig.exe

Filesize
145KB

MD5
2f6c2f22414762d7755c09d768142f96

SHA1
c8d5badb14dee19170c9822ccf98a9725247d114

SHA256
f15c1bbe9e523305087f73ab8da9b0699fba3a6211d44450e659d72620dde673

SHA512
ae696a8ab9b9d8a1c27a79357b191104253f553b5dda32f83a2a852154d57ba38fb5e2150242b08a383946d55a9a1e7effc3c0355f34851e7b6511ab10764fd6

Download Submit
C:\Windows\SysWOW64\Fgmllpng.exe

Filesize
145KB

MD5
a711a8c6059b85e0cd510215f4313250

SHA1
b4ac1ff88b9d6a1d246b92393143058b2b72c4a6

SHA256
d9b06b72143a8aa4128a9477f6b847b52a1e5109ca01fecccacf9cc0c7c7669d

SHA512
24e2ddeb5109f6c3d789fd28647c732699540e6e729115ba9c2f4149a7664e8a85832edfb8d2ce6292dc61c0b5f76e25873b94684736f25333028aa9d5465d7c

Download Submit
C:\Windows\SysWOW64\Gajpmg32.exe

Filesize
145KB

MD5
126871fa2d2f2b7ae01e54a194221df8

SHA1
a4aa411b0af54655587eb8a22206eb1df8743077

SHA256
c799fbe45c8f2338a76540e4f695ac775fbeca8a172fb202bb8ddab11a99ebed

SHA512
8af4f237c68492f62c799fac7b2fa0238b9d9ab246eb6ab8ff0c8feef497f5c512a03b8cdb45566e5b058eb9825bbc620c47713b7df83d98450f5ec877d82a94

Download Submit
C:\Windows\SysWOW64\Ghfnej32.exe

Filesize
145KB

MD5
8d1eb6e4c1b941ed8b382f12c986d205

SHA1
2fcea9f6205f39c80d7cdb483167f4d3ebb6787f

SHA256
96b896e83a6fa0aad9be429158e8d319ca03ab1f3fc439937dafdf528b6e4b6d

SHA512
18cfe508ff356a8c52078ab738319a8f6ab85bb05d686510cd59e9b390ef63d502ff462327f1b0a7c91d473308383aac915a49a30c6c13d633f597b6b83c4fd7

Download Submit
C:\Windows\SysWOW64\Gjdknjep.exe

Filesize
145KB

MD5
f3b0479dd98ff5ba2ce9c3a22bf8340d

SHA1
e2e520497e9117892f1f284e8bcd27b669ffe884

SHA256
ba7901007aa70dd74a4cef8994e99aa351061a2154e7c5592e6982f29eb7b2e2

SHA512
a3a5eaffb3eb173e7d88de93fbd9e2ee32c9559d05e17381abe4840b76a32e1fca3f9074a3588f282c5f17303090655670dadb44887096da6e0f11608442b37e

Download Submit
C:\Windows\SysWOW64\Hmlicp32.exe

Filesize
145KB

MD5
b52a0772a188f4df3a8d745054ad0b6c

SHA1
6c87e58b668849dda5d4f5aaec856aa17646e0bd

SHA256
6cdd5a284e885c09a390c9e0cc199b047f42c1a2fe4174d21230c65bf63f7ba4

SHA512
019c9e522b360fc2f59f941a314c5a68021500ff1c2cc470dc444f0a81d0d3c184d1c3ab457b23099cc8b405e47018b93ebb6f7445f037c068b81bc6459f2f07

Download Submit
C:\Windows\SysWOW64\Hpcmfchg.exe

Filesize
145KB

MD5
9d1d22c998c25df160d65d182cd1d645

SHA1
c23433e95a6f8003d5a47ac85fb9ca6478aa09a9

SHA256
f5891ba49b9b829e59fbaa0ce983787702753826c27d026a96f785287afcdd52

SHA512
ba0c22572b4b826f07b009347833a2fdc481143183efab81291de26036cb2c795da680b42b40a3632e2e14b842ccb7e4f74b4dd22021d7abd43452dd3978218f

Download Submit
C:\Windows\SysWOW64\Icminm32.exe

Filesize
145KB

MD5
81802279c56609968e1f03a7a7a2234d

SHA1
442be295dbb8da6dca4a20e027a884ff0d42b773

SHA256
6bdc8d445149cbcbadb66f74a71e7b0e8701e188f41ea1dd3d8fd75dea9bf3b8

SHA512
850a736ad5a6b02e55367b67586d6de4da3022a913d9c657e66985c47175368841f2f0484f6a23596d27e47662ba5c28c1c791edccfb3f82db579da2a527ccd2

Download Submit
C:\Windows\SysWOW64\Ioicnn32.exe

Filesize
145KB

MD5
c335f74965ded83f1bbdd54de507ba7f

SHA1
f8cd76c2a00669d2cce1e7aa43d102d7bee4e81b

SHA256
a92481b298399a7fe7ec6f3b235ab3f109aa6be41c76fd365bb30fe46c6c6440

SHA512
3ee0dd5c9828f543d20e8ae8880181854effac67b5d591c701f3b269caa4dd56d19262b29325b0dcc06442b37a255ee6efff34d8259f3c25be489e4a14fc91b6

Download Submit
C:\Windows\SysWOW64\Iqpclh32.exe

Filesize
145KB

MD5
b5d4312ba4ec16aea8e706d8507654fd

SHA1
3c67e6d9334f11f38aa39bc36c062f8e96355a68

SHA256
c06d808ee1d60d6bc476260a2da4007201cdb52078ee5a1fd092de3209170d38

SHA512
4739c374397173ac211684eee1a9f09835cf04faf6c861665825a9762818c7177b6ec255d852b4472f5d94c117f9b6bf576a9f2b248a4edaa402f3125b15ccc6

Download Submit
C:\Windows\SysWOW64\Jknfnbmi.exe

Filesize
145KB

MD5
8a3a53f948b28270133da474bde137a1

SHA1
1aa104dadfc3994399ef6bd888e2962239d430e4

SHA256
e9b2266519c933e2b17c9195b5ddda854033c747fcaf55db7846dad14d6a3709

SHA512
bae81f7f5c7db6bd5e94fe968681369c4bbfa0d349eef2d455feded491f92b08ed3cefaae897251ef43a28568ebc602974b1e80b423eb016513d41abbf1f7505

Download Submit
C:\Windows\SysWOW64\Jmffnq32.exe

Filesize
145KB

MD5
54596dc951f468b212ba3048e3cbd7a1

SHA1
44ae3f068bf773178f11f0b45a92d848309caec8

SHA256
a90d9345e8c8ac772875e9ce4063af2a9b031dc57aeb17a20e99b821c9287ac4

SHA512
40d068b240107d9eb2b086c819285e8333f37e78eee5e2e49f41a4dab00f6c2e714a153f3db8fcf376a48f99860fc47837e1f288a9316e64b1063f560100b98d

Download Submit
C:\Windows\SysWOW64\Kaihonhl.exe

Filesize
145KB

MD5
463bf95799e0e9a26c294f70295942bf

SHA1
f0c55d998624f8ea532e066b9a2aa825e39228f1

SHA256
1507d0abc36aa230a41a5486025e9d0070433529513745fbef1fbaa4fa225500

SHA512
9ab84b44af30757cd4b3f09b4f08b39c5b9f7109a4d0829bde36e5d87274ed6dd9020a5df3f35f9c0472d33d42acdc12e531625e3463e85619e7703f9f848e83

Download Submit
C:\Windows\SysWOW64\Kfdklllb.exe

Filesize
145KB

MD5
02e178fd2c3bd368daff45375c8bf63e

SHA1
5a704c6ccc85ed23bc828104caf0056a7d7d4643

SHA256
6195473156abf885f29db1b24025c9841acc3ab953101f7e6a349d46d5177f34

SHA512
bc03b7c5d2d6b915ccc205b9f65c0b4d66f8bd4230b2477dfd3bb9fa7f0607d8119663bd7890c396f8a3a1dc66996b61de50a1b5f661cbe09e9a5a95412772c1

Download Submit
C:\Windows\SysWOW64\Kggjghkd.exe

Filesize
145KB

MD5
400af02222c7802546d8b0ef936c2586

SHA1
cba7f07c72aa2dfc1aef0c0114f29da64db61381

SHA256
b067aedcc064d0c9162d7b41392f74b925c9c982f478a411bffd474c013b4a7d

SHA512
c63e98bd3df36e102b07707d63cf634655eedc0b580242b9471495656fb6c9e2f0b622327e63ab033ec9f65545d65fe4a2bb67987ba47e377fe8022f1a0568d3

Download Submit
C:\Windows\SysWOW64\Khfdlnab.exe

Filesize
145KB

MD5
57c1a07f8b484378791279c0476c0ee9

SHA1
c4ab8c0b8a86f91689a2249191be68f3f083f1e5

SHA256
f37bcefbb76763dbbe8ad2c5f37729c9e1a74ed31136342bff2953f37809f0a8

SHA512
1fe1e5664d5db0b0b776b8380cf2c905c58c0bb825e6aef0a6c52ae4c965448ff3597beb83e9613ab8be2e66cc794d6929791267d5e7851a1a76460271fde9f8

Download Submit
C:\Windows\SysWOW64\Khkbcopl.exe

Filesize
145KB

MD5
ac8658a05bbbd220a73af2bdedc33dc4

SHA1
a1a9b588762def972003c0270f1627cc9242008b

SHA256
464112da3e1345436a2b30b3aaea1778ae45364b6c4a829103ee3d2e251b8be1

SHA512
32084f6675a428b894e1a38b7edbb0a661e4fa68ecdf7134ab7d6e9bb5e8a9d76b8362e3faa0c2f67bfa385a534108c8163c650361ef09f7295278445468d9f7

Download Submit
C:\Windows\SysWOW64\Kidmcqeg.exe

Filesize
145KB

MD5
f1453c94823f51a4f4e532ac58b8c85b

SHA1
ce4d9213954bedc1b1c672d127afe1874d8516fd

SHA256
48c3ed55eb22eb5a988404019d3ebef23a2124a7f69708c023e270313d91c9db

SHA512
8d3e0ba65b979caeb6bbfc1fb722c71248825366b345fa7d74ce429132fd6d0f961dc158fb059dd6134f39eb1e0bb0aa05636d07738a460b331b90617dd98d42

Download Submit
C:\Windows\SysWOW64\Kqdodo32.exe

Filesize
145KB

MD5
c0db444532b2863dcbd522b4dd6a13ad

SHA1
33730d216208f1e6c0de0880a42443bae8ad4048

SHA256
066f97d4fe1ff6f1b3dbec52a4dfb8613596248752942105995b8cc5c09c1532

SHA512
9e3e34c93161f5925d8e8011278072b2e0a205ab68bac43b2dbb62610c528e334f76a845861145ed9a318ceeac6aa2d3975ea83f47f455a2aff63261fe243a42

Download Submit
C:\Windows\SysWOW64\Lccdghmc.exe

Filesize
145KB

MD5
d64e26594e3441385821d770daa2c5ef

SHA1
3b056bcff9f9a43584b4f644f288917fa2ae0a34

SHA256
f489912b9a1e44eeda56102d6b92733a64f9a7268a28d949234cc791e00f604f

SHA512
a705f2cc7fe3afc2bc34da49d791e9a6b59ca00952660998c13cb8d97714639d42b5f70e9a0ed285026f8e0c9c600e3544ce7680d5f80c66968fc11a736345b5

Download Submit
C:\Windows\SysWOW64\Lfgahikm.exe

Filesize
145KB

MD5
a4da8c34e9b23b7310b3325c9ab519ec

SHA1
a397e9194bb9d5eb055335c7801257ac196bed51

SHA256
56804285202e73e81765854b0fd4494908a4e80ed00d55876b11ff8f5dff7d90

SHA512
214a158d30ea7805594844df97107676d03a57389a96b46ff0927512a62845f727e5d817ab64d9735ca98aef10c24665dc6ae32d03875e93d8c97d1169440eb6

Download Submit
C:\Windows\SysWOW64\Ljhchc32.exe

Filesize
145KB

MD5
51b1b3a93c09a9a1080d28a8a13120c9

SHA1
f78432a03f2cab50c18c456866bb1ae9c60c5ec9

SHA256
23ec80036d1ca00bf31680a10a75eb388cd5633e42713ac457d78c1f9af47966

SHA512
fcfa9ce496f263d1d3e21b045f24edb4c31e6e74a97e870ca86dfcb4ddb1f36ea95757f99c7700c047b79166191ef5a317191d5d6cf30fea0bee85e95a3b4b4e

Download Submit
C:\Windows\SysWOW64\Mdagbl32.exe

Filesize
145KB

MD5
8c4d7f961745e16fc3f8739755ffb5c9

SHA1
4c186278e11f7f9aa10e43aa54e29b7363bb3a1f

SHA256
e33fdacb914025859431827c9d5e9e805a5e0fae204446d999d415b6cb2e9afd

SHA512
e1f53ade7fe4fccfa9e98dca7a0f8ad4138c0d14b085b4eb8646648a49b52fb91a948b5fabd473d802a7f45adb7e940f36d8d583bacffdcd6120e58862f19564

Download Submit
C:\Windows\SysWOW64\Mdkabmjf.exe

Filesize
145KB

MD5
81de285eedf96217ef5ade5408a10523

SHA1
8aa66d3a24be05ed93d8166c28f5679dbb395e61

SHA256
19876b3a327109290a5830f6d0a9623f04ace1bc59cce0c2d85de8b48e55234b

SHA512
0652efa3fac8d10c869ed139d86e4bfd8130b3e7425080c11a0597a205c6907be1a596399ceadd8ad71e7e859060e878605b84a54d366efa4158a6a279f506e1

Download Submit
C:\Windows\SysWOW64\Mhhcne32.exe

Filesize
145KB

MD5
4306e005fab8e4302209ce991990b6a2

SHA1
6b02d383e4518df17b996fde1fbfbe2d9ddf571a

SHA256
e1fdaaedbceb49bdda6bb91bdee675780539d698bf1425b95f2c8f9014260ac0

SHA512
f2a25e4f386bc3447a2f2b6c76aa960a66d5362b4f629db8b3717787a7431cdaf5349f378ba245c908792eedb274bea6e2a78b2911351872c94064cdca494801

Download Submit
C:\Windows\SysWOW64\Mjiloqjb.exe

Filesize
145KB

MD5
decc4b4cfc4078dc740b77761eaddfd2

SHA1
48d28c32d4dd9b9f0570d4721ebd5a3807564830

SHA256
44bd18eca9d1d47c4845a114127ca18ebeb4ad0b411b5685f3286ab478b28040

SHA512
1b72ec62ae3e9a2a38708babcbd278f712a9594e07f88b94748ef57a6cbb052eceded4e57c6f6e4bbf8f1d6dc08dc16fea24404f34bc89bfc889dcd142a6c74b

Download Submit
C:\Windows\SysWOW64\Moiheebb.exe

Filesize
145KB

MD5
4e14a582fd8240f7852f2e6507e305f9

SHA1
514206ee9a0ff4308d9c877a4d99344c687ec351

SHA256
0ba57832cf9f61b2379b13d664379a4ee0bc07fb56744d985bcead568c04d7a9

SHA512
491d0601385057b1755d0c8ab4c82ad4d09097501541a8cb60e6dfbb0f19c2aeae2c1a6b990261111da3d0f35e9a425ed2dc4b599d9a1d335be16c541274424f

Download Submit
C:\Windows\SysWOW64\Namjlqjg.dll

Filesize
7KB

MD5
1da7f20cd56d3d37261546cdaff171b1

SHA1
d85c3c51e26f8427a3da593142ac5dbf5dfdaf2d

SHA256
68ddc66717b80741879f08d0987dc9e5e98785d38c8f8a765028ef8b2c715326

SHA512
964855d08f7ac2621c5d93e41a652c8c7500585d899afd78a7e73850a852ed470cd8db8161e3cfb99e6b28219d911d0ec5b323fdd0a13c3f5b1fa376f511ec71

Download Submit
C:\Windows\SysWOW64\Nkjlqd32.exe

Filesize
145KB

MD5
053cef2edeac438674dbcac309182f90

SHA1
bb11c4cd3e12a8eff6e873934de607284b42db35

SHA256
148d586e2f0438ee0831ab4be7071d644f040669e6f2d9745c93c9ec1c0b3bee

SHA512
ad228c5adbfee25fb14a1f3f6643b4e2146e66e6bae865ae2324cf955988dd3828adf9aca0064ed8d13f5f2ef105ba6b2b1b2c138c5cd21b439e56e228bdc22f

Download Submit
C:\Windows\SysWOW64\Odhiemil.exe

Filesize
145KB

MD5
96806fcaaf48060487b2b22c80beab6e

SHA1
fa2176eef8aaba9fc9caf2150e93a2024419249c

SHA256
e85d907c1084409791ac4154034839aac20c4650112ff46e9ab536b716eb7f42

SHA512
ea019d295eba44cfdc6dddd4809259c05e9afddfda770026e2fa23c6d90cfa7ffa970b28b9c7debcce637de00b8762ed79c0685b75f96c4c07d86549db3e965e

Download Submit
C:\Windows\SysWOW64\Okcogc32.exe

Filesize
145KB

MD5
eecac424681b348901d7cfc19c60e5db

SHA1
8862216a9fd609809858915d32907b8f16e56171

SHA256
d3e192ea1eaba466fd37a4450b931ed0c6c9faf9fb82b16703c5a07bc25631ab

SHA512
59b19c6bedb1e7522d38ce08f14794bb92c2124c4d38c7d962d7cf539e5205626403a6d91a6e747309b57bd489a40cb9e731ed0d03eac43c2d0310bd2935aadf

Download Submit
C:\Windows\SysWOW64\Oklifdmi.exe

Filesize
145KB

MD5
f50d1372d130cba1efe98452a202f302

SHA1
4addbe61fc8be05a7129aadca359c93ce1d35622

SHA256
b440d276b63e34498127440c7621a828d60bc2b47a049ac4bfbec021d0d3d3bd

SHA512
d8c96196a4d4f011b68b33fe833905744040eaee8ab4c215ffb63e170047a90adec83bb92cc6ee92f0d6da8a2487be5bc5ac6dad7e6900e95d93ed87d11544b2

Download Submit
C:\Windows\SysWOW64\Pdeffgff.exe

Filesize
145KB

MD5
216ea3552eb6cc22fba4885ba075456e

SHA1
49808f6faff0fe1467896a30c42aaae85f0aadd6

SHA256
a1b3cebfb1b17476c5be84828b8588df094a99bd0cf34adcceaf961e00888c7a

SHA512
b4b1930b1f493da8402b18904d1eff2a9b8e65030338c24bcd31c7a4c2bf03d05198be7201d475766b1074caa18ee645760f1343e6fa8488ca224c3df0d2b79d

Download Submit
C:\Windows\SysWOW64\Pfmdgq32.exe

Filesize
145KB

MD5
1447cb8415cffd9805aeeb7b492e6957

SHA1
25a6752f966306c0de4a3a99db3d4fdfe5131c6d

SHA256
01a44a9529656feeae4a7548e8e90634efff9f1fba4ea000fd8e3b1b983898a4

SHA512
66c22c63f29fd3a199c418f6cae30ca50a3284d3349a67fde7ab1e88f74237aeb8c313b0aaaed7276715a42a8915b92ab00f3facc66e132fe2625fcfbde6c441

Download Submit
C:\Windows\SysWOW64\Phlikg32.exe

Filesize
145KB

MD5
d400bd2878514732452998eb0ab11ff1

SHA1
8ebde8bd914bee65515f0d7d0e67358d6af1b710

SHA256
08794cc4714dc5ad605ad0c447f7a8708bbb48caf7f1e8d70969de808e229c41

SHA512
4d3123c7deb9f659788ef69a7efae4a16713a82cc21abc10224c9bb394eff40cbfab23bf7f8d2a8e1bec4121ed204c027cf2f3252012952a2e9b7e5f7dccd3fd

Download Submit
memory/396-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/820-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/820-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads