81172c1bac45cac2646c112933f61b16b92354b969de1fd8f46ede105d311969

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

286911d0702c04b6d866dfc13381b9e6.exe
Size

55KB
MD5

286911d0702c04b6d866dfc13381b9e6
SHA1

025d7e0b9c8e5b4b1012fd785f5547cc384e8d8a
SHA256

81172c1bac45cac2646c112933f61b16b92354b969de1fd8f46ede105d311969
SHA512

38d08f02ad9ca2512cefe3c344bf09cad8d32a7ca3365dd3eb928a8008a013aa73c09ddb615093c06a7ea55054dea857aa7ac9139c3708dd49a94cc08c930202
SSDEEP

1536:cJcS73IpX1bDHOxnd8GFlxVEZWVRyvvlG:cJcSkjLOxRFPVEZgQvlG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbaileio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmgninie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddnfop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdmcanc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ichllgfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiihdlpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnkjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igakgfpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnomjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obmnna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opglafab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkmlmbcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghqnjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbiommg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmgfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcckcbgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcibc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paknelgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdgcpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghqnjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnfop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nameek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdeqfhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkoicb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfjhgdck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdlhjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onfoin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcqcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipgbjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmdjkhdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Napbjjom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlefhcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjmaaddo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iimjmbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipjoplgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiffkkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pafdjmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfjhgdck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdlhjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gncldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmlcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbmcbbki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmdjkhdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nipdkieg.exe

Executes dropped EXE 64 IoCs

pid	Process
2512	Enakbp32.exe
2744	Egllae32.exe
2604	Eccmffjf.exe
3020	Enhacojl.exe
2860	Ecejkf32.exe
2284	Eqijej32.exe
1616	Effcma32.exe
3056	Fmpkjkma.exe
2788	Fbmcbbki.exe
1776	Figlolbf.exe
2820	Flehkhai.exe
676	Fiihdlpc.exe
1200	Fpcqaf32.exe
1668	Fepiimfg.exe
1252	Fjmaaddo.exe
2200	Fcefji32.exe
1752	Fnkjhb32.exe
1224	Faigdn32.exe
836	Gdgcpi32.exe
968	Gnmgmbhb.exe
1780	Gpncej32.exe
2792	Gfhladfn.exe
2232	Gmbdnn32.exe
2424	Gfjhgdck.exe
884	Glgaok32.exe
1740	Gbaileio.exe
2160	Gmgninie.exe
2436	Gohjaf32.exe
2884	Gfobbc32.exe
2868	Ghqnjk32.exe
2904	Hojgfemq.exe
2652	Hakphqja.exe
2648	Hhehek32.exe
2260	Hmbpmapf.exe
2500	Hdlhjl32.exe
2772	Hkfagfop.exe
568	Hmdmcanc.exe
992	Hpbiommg.exe
2992	Hhjapjmi.exe
1544	Hkhnle32.exe
1892	Hmfjha32.exe
2208	Hpefdl32.exe
1812	Iccbqh32.exe
2492	Iimjmbae.exe
2468	Ipgbjl32.exe
2152	Igakgfpn.exe
1636	Iipgcaob.exe
1488	Ipjoplgo.exe
2816	Ichllgfb.exe
2496	Ddnfop32.exe
1652	Gncldi32.exe
2528	Loefnpnn.exe
764	Mnomjl32.exe
1744	Mmdjkhdh.exe
2888	Mjhjdm32.exe
1984	Mmgfqh32.exe
2704	Mbcoio32.exe
1144	Mmicfh32.exe
2908	Mcckcbgp.exe
1756	Nipdkieg.exe
2204	Nnmlcp32.exe
2008	Nfdddm32.exe
2288	Nefdpjkl.exe
2988	Nnoiio32.exe

Loads dropped DLL 64 IoCs

pid	Process
1352	286911d0702c04b6d866dfc13381b9e6.exe
1352	286911d0702c04b6d866dfc13381b9e6.exe
2512	Enakbp32.exe
2512	Enakbp32.exe
2744	Egllae32.exe
2744	Egllae32.exe
2604	Eccmffjf.exe
2604	Eccmffjf.exe
3020	Enhacojl.exe
3020	Enhacojl.exe
2860	Ecejkf32.exe
2860	Ecejkf32.exe
2284	Eqijej32.exe
2284	Eqijej32.exe
1616	Effcma32.exe
1616	Effcma32.exe
3056	Fmpkjkma.exe
3056	Fmpkjkma.exe
2788	Fbmcbbki.exe
2788	Fbmcbbki.exe
1776	Figlolbf.exe
1776	Figlolbf.exe
2820	Flehkhai.exe
2820	Flehkhai.exe
676	Fiihdlpc.exe
676	Fiihdlpc.exe
1200	Fpcqaf32.exe
1200	Fpcqaf32.exe
1668	Fepiimfg.exe
1668	Fepiimfg.exe
1252	Fjmaaddo.exe
1252	Fjmaaddo.exe
2200	Fcefji32.exe
2200	Fcefji32.exe
1752	Fnkjhb32.exe
1752	Fnkjhb32.exe
1224	Faigdn32.exe
1224	Faigdn32.exe
836	Gdgcpi32.exe
836	Gdgcpi32.exe
968	Gnmgmbhb.exe
968	Gnmgmbhb.exe
1780	Gpncej32.exe
1780	Gpncej32.exe
2792	Gfhladfn.exe
2792	Gfhladfn.exe
2232	Gmbdnn32.exe
2232	Gmbdnn32.exe
2424	Gfjhgdck.exe
2424	Gfjhgdck.exe
884	Glgaok32.exe
884	Glgaok32.exe
1740	Gbaileio.exe
1740	Gbaileio.exe
2160	Gmgninie.exe
2160	Gmgninie.exe
2436	Gohjaf32.exe
2436	Gohjaf32.exe
2884	Gfobbc32.exe
2884	Gfobbc32.exe
2868	Ghqnjk32.exe
2868	Ghqnjk32.exe
2904	Hojgfemq.exe
2904	Hojgfemq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Hpefdl32.exe	Hmfjha32.exe
File created	C:\Windows\SysWOW64\Mcckcbgp.exe	Mmicfh32.exe
File created	C:\Windows\SysWOW64\Obecdjcn.dll	Oemgplgo.exe
File opened for modification	C:\Windows\SysWOW64\Allefimb.exe	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Fcefji32.exe	Fjmaaddo.exe
File created	C:\Windows\SysWOW64\Qagnqken.dll	Hdlhjl32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Gmbdnn32.exe	Gfhladfn.exe
File created	C:\Windows\SysWOW64\Nhgnaehm.exe	Nameek32.exe
File opened for modification	C:\Windows\SysWOW64\Oabkom32.exe	Oococb32.exe
File created	C:\Windows\SysWOW64\Phlclgfc.exe	Oemgplgo.exe
File created	C:\Windows\SysWOW64\Gpncej32.exe	Gnmgmbhb.exe
File created	C:\Windows\SysWOW64\Nldjnfaf.dll	Iccbqh32.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Bgfgbaoo.dll	Fiihdlpc.exe
File opened for modification	C:\Windows\SysWOW64\Njhfcp32.exe	Nlefhcnc.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Jpefpo32.dll	Qpbglhjq.exe
File opened for modification	C:\Windows\SysWOW64\Mjhjdm32.exe	Mmdjkhdh.exe
File opened for modification	C:\Windows\SysWOW64\Qpbglhjq.exe	Qndkpmkm.exe
File opened for modification	C:\Windows\SysWOW64\Alihaioe.exe	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Allefimb.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Ahgofi32.exe
File opened for modification	C:\Windows\SysWOW64\Aoagccfn.exe	Ahgofi32.exe
File opened for modification	C:\Windows\SysWOW64\Effcma32.exe	Eqijej32.exe
File created	C:\Windows\SysWOW64\Onfoin32.exe	Nfoghakb.exe
File opened for modification	C:\Windows\SysWOW64\Gfobbc32.exe	Gohjaf32.exe
File created	C:\Windows\SysWOW64\Ddnfop32.exe	Ichllgfb.exe
File created	C:\Windows\SysWOW64\Pbagipfi.exe	Pofkha32.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Nfdddm32.exe	Nnmlcp32.exe
File created	C:\Windows\SysWOW64\Ofcqcp32.exe	Opihgfop.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Olbfagca.exe	Oeindm32.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Pbagipfi.exe	Pofkha32.exe
File created	C:\Windows\SysWOW64\Pkoicb32.exe	Pdeqfhjd.exe
File created	C:\Windows\SysWOW64\Nhcmgmam.dll	Napbjjom.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Egllae32.exe	Enakbp32.exe
File created	C:\Windows\SysWOW64\Oagcgibo.dll	Gfjhgdck.exe
File opened for modification	C:\Windows\SysWOW64\Hkhnle32.exe	Hhjapjmi.exe
File created	C:\Windows\SysWOW64\Mpjmjp32.dll	Igakgfpn.exe
File opened for modification	C:\Windows\SysWOW64\Nfdddm32.exe	Nnmlcp32.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Kcbabf32.dll	Enakbp32.exe
File opened for modification	C:\Windows\SysWOW64\Hkfagfop.exe	Hdlhjl32.exe
File created	C:\Windows\SysWOW64\Fihicd32.dll	Gnmgmbhb.exe
File opened for modification	C:\Windows\SysWOW64\Ipgbjl32.exe	Iimjmbae.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Affcmdmb.dll	Eqijej32.exe
File created	C:\Windows\SysWOW64\Fjmaaddo.exe	Fepiimfg.exe
File created	C:\Windows\SysWOW64\Klmkof32.dll	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Ckmcef32.dll	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Qgmpibam.exe	Qpbglhjq.exe
File opened for modification	C:\Windows\SysWOW64\Nfoghakb.exe	Ndqkleln.exe
File opened for modification	C:\Windows\SysWOW64\Pohhna32.exe	Pkmlmbcd.exe
File created	C:\Windows\SysWOW64\Igakgfpn.exe	Ipgbjl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
568	2160	WerFault.exe	37

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmgninie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldjnfaf.dll"	Iccbqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdbjp32.dll"	Nameek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nameek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibijie32.dll"	Figlolbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicjoa32.dll"	Nipdkieg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjhjhkh.dll"	Gfhladfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hakphqja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmhbhf32.dll"	Hpbiommg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipjoplgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdlhjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfjha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhnql32.dll"	Hpefdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igakgfpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfdddm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	286911d0702c04b6d866dfc13381b9e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbmcbbki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igakgfpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ichllgfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhgnaehm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdgghho.dll"	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimofi32.dll"	Glgaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokjlf32.dll"	Hkhnle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iipgcaob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnomjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pepcelel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhacojl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olebgfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjmaaddo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iipgcaob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oococb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nameek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnoiio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfoghakb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll"	Enhacojl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nipdkieg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfebhg32.dll"	Nlcibc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfjha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll"	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjapjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblihc32.dll"	Hmfjha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmlcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll"	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdepo32.dll"	Gpncej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hakphqja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpeiada.dll"	Gncldi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2512	1352	286911d0702c04b6d866dfc13381b9e6.exe	28
PID 1352 wrote to memory of 2512	1352	286911d0702c04b6d866dfc13381b9e6.exe	28
PID 1352 wrote to memory of 2512	1352	286911d0702c04b6d866dfc13381b9e6.exe	28
PID 1352 wrote to memory of 2512	1352	286911d0702c04b6d866dfc13381b9e6.exe	28
PID 2512 wrote to memory of 2744	2512	Enakbp32.exe	29
PID 2512 wrote to memory of 2744	2512	Enakbp32.exe	29
PID 2512 wrote to memory of 2744	2512	Enakbp32.exe	29
PID 2512 wrote to memory of 2744	2512	Enakbp32.exe	29
PID 2744 wrote to memory of 2604	2744	Egllae32.exe	30
PID 2744 wrote to memory of 2604	2744	Egllae32.exe	30
PID 2744 wrote to memory of 2604	2744	Egllae32.exe	30
PID 2744 wrote to memory of 2604	2744	Egllae32.exe	30
PID 2604 wrote to memory of 3020	2604	Eccmffjf.exe	31
PID 2604 wrote to memory of 3020	2604	Eccmffjf.exe	31
PID 2604 wrote to memory of 3020	2604	Eccmffjf.exe	31
PID 2604 wrote to memory of 3020	2604	Eccmffjf.exe	31
PID 3020 wrote to memory of 2860	3020	Enhacojl.exe	75
PID 3020 wrote to memory of 2860	3020	Enhacojl.exe	75
PID 3020 wrote to memory of 2860	3020	Enhacojl.exe	75
PID 3020 wrote to memory of 2860	3020	Enhacojl.exe	75
PID 2860 wrote to memory of 2284	2860	Ecejkf32.exe	74
PID 2860 wrote to memory of 2284	2860	Ecejkf32.exe	74
PID 2860 wrote to memory of 2284	2860	Ecejkf32.exe	74
PID 2860 wrote to memory of 2284	2860	Ecejkf32.exe	74
PID 2284 wrote to memory of 1616	2284	Eqijej32.exe	73
PID 2284 wrote to memory of 1616	2284	Eqijej32.exe	73
PID 2284 wrote to memory of 1616	2284	Eqijej32.exe	73
PID 2284 wrote to memory of 1616	2284	Eqijej32.exe	73
PID 1616 wrote to memory of 3056	1616	Effcma32.exe	32
PID 1616 wrote to memory of 3056	1616	Effcma32.exe	32
PID 1616 wrote to memory of 3056	1616	Effcma32.exe	32
PID 1616 wrote to memory of 3056	1616	Effcma32.exe	32
PID 3056 wrote to memory of 2788	3056	Fmpkjkma.exe	72
PID 3056 wrote to memory of 2788	3056	Fmpkjkma.exe	72
PID 3056 wrote to memory of 2788	3056	Fmpkjkma.exe	72
PID 3056 wrote to memory of 2788	3056	Fmpkjkma.exe	72
PID 2788 wrote to memory of 1776	2788	Fbmcbbki.exe	71
PID 2788 wrote to memory of 1776	2788	Fbmcbbki.exe	71
PID 2788 wrote to memory of 1776	2788	Fbmcbbki.exe	71
PID 2788 wrote to memory of 1776	2788	Fbmcbbki.exe	71
PID 1776 wrote to memory of 2820	1776	Figlolbf.exe	33
PID 1776 wrote to memory of 2820	1776	Figlolbf.exe	33
PID 1776 wrote to memory of 2820	1776	Figlolbf.exe	33
PID 1776 wrote to memory of 2820	1776	Figlolbf.exe	33
PID 2820 wrote to memory of 676	2820	Flehkhai.exe	70
PID 2820 wrote to memory of 676	2820	Flehkhai.exe	70
PID 2820 wrote to memory of 676	2820	Flehkhai.exe	70
PID 2820 wrote to memory of 676	2820	Flehkhai.exe	70
PID 676 wrote to memory of 1200	676	Fiihdlpc.exe	69
PID 676 wrote to memory of 1200	676	Fiihdlpc.exe	69
PID 676 wrote to memory of 1200	676	Fiihdlpc.exe	69
PID 676 wrote to memory of 1200	676	Fiihdlpc.exe	69
PID 1200 wrote to memory of 1668	1200	Fpcqaf32.exe	68
PID 1200 wrote to memory of 1668	1200	Fpcqaf32.exe	68
PID 1200 wrote to memory of 1668	1200	Fpcqaf32.exe	68
PID 1200 wrote to memory of 1668	1200	Fpcqaf32.exe	68
PID 1668 wrote to memory of 1252	1668	Fepiimfg.exe	34
PID 1668 wrote to memory of 1252	1668	Fepiimfg.exe	34
PID 1668 wrote to memory of 1252	1668	Fepiimfg.exe	34
PID 1668 wrote to memory of 1252	1668	Fepiimfg.exe	34
PID 1252 wrote to memory of 2200	1252	Fjmaaddo.exe	67
PID 1252 wrote to memory of 2200	1252	Fjmaaddo.exe	67
PID 1252 wrote to memory of 2200	1252	Fjmaaddo.exe	67
PID 1252 wrote to memory of 2200	1252	Fjmaaddo.exe	67

C:\Users\Admin\AppData\Local\Temp\286911d0702c04b6d866dfc13381b9e6.exe
"C:\Users\Admin\AppData\Local\Temp\286911d0702c04b6d866dfc13381b9e6.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\Enakbp32.exe
  C:\Windows\system32\Enakbp32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\Egllae32.exe
    C:\Windows\system32\Egllae32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\Eccmffjf.exe
      C:\Windows\system32\Eccmffjf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\Enhacojl.exe
        
        C:\Windows\system32\Enhacojl.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\SysWOW64\Ecejkf32.exe
        
        C:\Windows\system32\Ecejkf32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860

C:\Windows\SysWOW64\Fmpkjkma.exe
C:\Windows\system32\Fmpkjkma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\Fbmcbbki.exe
  C:\Windows\system32\Fbmcbbki.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2788

C:\Windows\SysWOW64\Flehkhai.exe
C:\Windows\system32\Flehkhai.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\Fiihdlpc.exe
  C:\Windows\system32\Fiihdlpc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:676

C:\Windows\SysWOW64\Fjmaaddo.exe
C:\Windows\system32\Fjmaaddo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\Fcefji32.exe
  C:\Windows\system32\Fcefji32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2200

C:\Windows\SysWOW64\Gdgcpi32.exe
C:\Windows\system32\Gdgcpi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:836
- C:\Windows\SysWOW64\Gnmgmbhb.exe
  C:\Windows\system32\Gnmgmbhb.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:968

C:\Windows\SysWOW64\Gbaileio.exe
C:\Windows\system32\Gbaileio.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1740
- C:\Windows\SysWOW64\Gmgninie.exe
  C:\Windows\system32\Gmgninie.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:2160
- - C:\Windows\SysWOW64\Gohjaf32.exe
    C:\Windows\system32\Gohjaf32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 144
    3⤵
    - Program crash
    PID:568

C:\Windows\SysWOW64\Ghqnjk32.exe
C:\Windows\system32\Ghqnjk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2868
- C:\Windows\SysWOW64\Hojgfemq.exe
  C:\Windows\system32\Hojgfemq.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2904
- - C:\Windows\SysWOW64\Hakphqja.exe
    C:\Windows\system32\Hakphqja.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2652
  - - C:\Windows\SysWOW64\Hhehek32.exe
      C:\Windows\system32\Hhehek32.exe
      4⤵
      Executes dropped EXE
      PID:2648
    - - C:\Windows\SysWOW64\Hmbpmapf.exe
        
        C:\Windows\system32\Hmbpmapf.exe
        5⤵
        Executes dropped EXE
        
        PID:2260
- C:\Windows\SysWOW64\Pdgmlhha.exe
  C:\Windows\system32\Pdgmlhha.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:2260
- - C:\Windows\SysWOW64\Phcilf32.exe
    C:\Windows\system32\Phcilf32.exe
    3⤵
    PID:908
  - - C:\Windows\SysWOW64\Pidfdofi.exe
      C:\Windows\system32\Pidfdofi.exe
      4⤵
      PID:2992

C:\Windows\SysWOW64\Hdlhjl32.exe
C:\Windows\system32\Hdlhjl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2500
- C:\Windows\SysWOW64\Hkfagfop.exe
  C:\Windows\system32\Hkfagfop.exe
  2⤵
  - Executes dropped EXE
  PID:2772

C:\Windows\SysWOW64\Hmdmcanc.exe
C:\Windows\system32\Hmdmcanc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:568
- C:\Windows\SysWOW64\Hpbiommg.exe
  C:\Windows\system32\Hpbiommg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID:992
- - C:\Windows\SysWOW64\Abpcooea.exe
    C:\Windows\system32\Abpcooea.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:896
  - - C:\Windows\SysWOW64\Bhjlli32.exe
      C:\Windows\system32\Bhjlli32.exe
      4⤵
      Modifies registry class
      PID:844

C:\Windows\SysWOW64\Hhjapjmi.exe
C:\Windows\system32\Hhjapjmi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2992
- C:\Windows\SysWOW64\Hkhnle32.exe
  C:\Windows\system32\Hkhnle32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1544
- C:\Windows\SysWOW64\Paknelgk.exe
  C:\Windows\system32\Paknelgk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:1512
- - C:\Windows\SysWOW64\Ppnnai32.exe
    C:\Windows\system32\Ppnnai32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID:2188

C:\Windows\SysWOW64\Hpefdl32.exe
C:\Windows\system32\Hpefdl32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2208
- C:\Windows\SysWOW64\Iccbqh32.exe
  C:\Windows\system32\Iccbqh32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1812
- - C:\Windows\SysWOW64\Iimjmbae.exe
    C:\Windows\system32\Iimjmbae.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2492

C:\Windows\SysWOW64\Igakgfpn.exe
C:\Windows\system32\Igakgfpn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2152
- C:\Windows\SysWOW64\Iipgcaob.exe
  C:\Windows\system32\Iipgcaob.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1636
- - C:\Windows\SysWOW64\Ipjoplgo.exe
    C:\Windows\system32\Ipjoplgo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID:1488
  - - C:\Windows\SysWOW64\Ichllgfb.exe
      C:\Windows\system32\Ichllgfb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:2816
    - - C:\Windows\SysWOW64\Ddnfop32.exe
        
        C:\Windows\system32\Ddnfop32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2496
      - C:\Windows\SysWOW64\Gncldi32.exe
        
        C:\Windows\system32\Gncldi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Loefnpnn.exe
        
        C:\Windows\system32\Loefnpnn.exe
        7⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\Mnomjl32.exe
        
        C:\Windows\system32\Mnomjl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Mmdjkhdh.exe
        
        C:\Windows\system32\Mmdjkhdh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\Mjhjdm32.exe
        
        C:\Windows\system32\Mjhjdm32.exe
        10⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Mmgfqh32.exe
        
        C:\Windows\system32\Mmgfqh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Mbcoio32.exe
        
        C:\Windows\system32\Mbcoio32.exe
        12⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\Mmicfh32.exe
        
        C:\Windows\system32\Mmicfh32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\Mcckcbgp.exe
        
        C:\Windows\system32\Mcckcbgp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Nipdkieg.exe
        
        C:\Windows\system32\Nipdkieg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Nnmlcp32.exe
        
        C:\Windows\system32\Nnmlcp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Nfdddm32.exe
        
        C:\Windows\system32\Nfdddm32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Nefdpjkl.exe
        
        C:\Windows\system32\Nefdpjkl.exe
        18⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Nnoiio32.exe
        
        C:\Windows\system32\Nnoiio32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Nameek32.exe
        
        C:\Windows\system32\Nameek32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Nhgnaehm.exe
        
        C:\Windows\system32\Nhgnaehm.exe
        21⤵
        Modifies registry class
        
        PID:1888

C:\Windows\SysWOW64\Ipgbjl32.exe
C:\Windows\system32\Ipgbjl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2468

C:\Windows\SysWOW64\Hmfjha32.exe
C:\Windows\system32\Hmfjha32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1892

C:\Windows\SysWOW64\Gfobbc32.exe
C:\Windows\system32\Gfobbc32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884

C:\Windows\SysWOW64\Glgaok32.exe
C:\Windows\system32\Glgaok32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:884

C:\Windows\SysWOW64\Gfjhgdck.exe
C:\Windows\system32\Gfjhgdck.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2424

C:\Windows\SysWOW64\Gmbdnn32.exe
C:\Windows\system32\Gmbdnn32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232

C:\Windows\SysWOW64\Gfhladfn.exe
C:\Windows\system32\Gfhladfn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2792

C:\Windows\SysWOW64\Gpncej32.exe
C:\Windows\system32\Gpncej32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1780
- C:\Windows\SysWOW64\Dpapaj32.exe
  C:\Windows\system32\Dpapaj32.exe
  2⤵
  PID:2160

C:\Windows\SysWOW64\Faigdn32.exe
C:\Windows\system32\Faigdn32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224
- C:\Windows\SysWOW64\Nfoghakb.exe
  C:\Windows\system32\Nfoghakb.exe
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:1588

C:\Windows\SysWOW64\Fnkjhb32.exe
C:\Windows\system32\Fnkjhb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1752
- C:\Windows\SysWOW64\Ndqkleln.exe
  C:\Windows\system32\Ndqkleln.exe
  2⤵
  - Drops file in System32 directory
  PID:1224

C:\Windows\SysWOW64\Fepiimfg.exe
C:\Windows\system32\Fepiimfg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\Fpcqaf32.exe
C:\Windows\system32\Fpcqaf32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\Figlolbf.exe
C:\Windows\system32\Figlolbf.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\Effcma32.exe
C:\Windows\system32\Effcma32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\Eqijej32.exe
C:\Windows\system32\Eqijej32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\Oadkej32.exe
C:\Windows\system32\Oadkej32.exe
1⤵
PID:2084
- C:\Windows\SysWOW64\Opglafab.exe
  C:\Windows\system32\Opglafab.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:2132

C:\Windows\SysWOW64\Ofadnq32.exe
C:\Windows\system32\Ofadnq32.exe
1⤵
PID:1548
- C:\Windows\SysWOW64\Opihgfop.exe
  C:\Windows\system32\Opihgfop.exe
  2⤵
  - Drops file in System32 directory
  PID:2328

C:\Windows\SysWOW64\Ofcqcp32.exe
C:\Windows\system32\Ofcqcp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208
- C:\Windows\SysWOW64\Omnipjni.exe
  C:\Windows\system32\Omnipjni.exe
  2⤵
  PID:856

C:\Windows\SysWOW64\Oiffkkbk.exe
C:\Windows\system32\Oiffkkbk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940
- C:\Windows\SysWOW64\Olebgfao.exe
  C:\Windows\system32\Olebgfao.exe
  2⤵
  - Modifies registry class
  PID:2628

C:\Windows\SysWOW64\Pkmlmbcd.exe
C:\Windows\system32\Pkmlmbcd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:528
- C:\Windows\SysWOW64\Pohhna32.exe
  C:\Windows\system32\Pohhna32.exe
  2⤵
  - Modifies registry class
  PID:988

C:\Windows\SysWOW64\Pdeqfhjd.exe
C:\Windows\system32\Pdeqfhjd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1008
- C:\Windows\SysWOW64\Pkoicb32.exe
  C:\Windows\system32\Pkoicb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:2868

C:\Windows\SysWOW64\Qndkpmkm.exe
C:\Windows\system32\Qndkpmkm.exe
1⤵
- Drops file in System32 directory
PID:2612
- C:\Windows\SysWOW64\Qpbglhjq.exe
  C:\Windows\system32\Qpbglhjq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:600

C:\Windows\SysWOW64\Alihaioe.exe
C:\Windows\system32\Alihaioe.exe
1⤵
PID:1928
- C:\Windows\SysWOW64\Ajmijmnn.exe
  C:\Windows\system32\Ajmijmnn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:2396

C:\Windows\SysWOW64\Aaimopli.exe
C:\Windows\system32\Aaimopli.exe
1⤵
PID:1216
- C:\Windows\SysWOW64\Aomnhd32.exe
  C:\Windows\system32\Aomnhd32.exe
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\Alqnah32.exe
    C:\Windows\system32\Alqnah32.exe
    3⤵
    PID:2056

C:\Windows\SysWOW64\Ahgofi32.exe
C:\Windows\system32\Ahgofi32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:596
- C:\Windows\SysWOW64\Aoagccfn.exe
  C:\Windows\system32\Aoagccfn.exe
  2⤵
  - Drops file in System32 directory
  PID:992

C:\Windows\SysWOW64\Bgoime32.exe
C:\Windows\system32\Bgoime32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:2856
- C:\Windows\SysWOW64\Bniajoic.exe
  C:\Windows\system32\Bniajoic.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:2300
- - C:\Windows\SysWOW64\Bceibfgj.exe
    C:\Windows\system32\Bceibfgj.exe
    3⤵
    PID:2812

C:\Windows\SysWOW64\Bmnnkl32.exe
C:\Windows\system32\Bmnnkl32.exe
1⤵
PID:2600
- C:\Windows\SysWOW64\Bchfhfeh.exe
  C:\Windows\system32\Bchfhfeh.exe
  2⤵
  - Drops file in System32 directory
  PID:2804

C:\Windows\SysWOW64\Bfdenafn.exe
C:\Windows\system32\Bfdenafn.exe
1⤵
PID:2936

C:\Windows\SysWOW64\Bbmcibjp.exe
C:\Windows\system32\Bbmcibjp.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:1712
- C:\Windows\SysWOW64\Bmbgfkje.exe
  C:\Windows\system32\Bmbgfkje.exe
  2⤵
  PID:936

C:\Windows\SysWOW64\Ckjamgmk.exe
C:\Windows\system32\Ckjamgmk.exe
1⤵
PID:2072
- C:\Windows\SysWOW64\Cnimiblo.exe
  C:\Windows\system32\Cnimiblo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:3028

C:\Windows\SysWOW64\Cgaaah32.exe
C:\Windows\system32\Cgaaah32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2740
- C:\Windows\SysWOW64\Cnkjnb32.exe
  C:\Windows\system32\Cnkjnb32.exe
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:2700
- - C:\Windows\SysWOW64\Caifjn32.exe
    C:\Windows\system32\Caifjn32.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:916

C:\Windows\SysWOW64\Cmpgpond.exe
C:\Windows\system32\Cmpgpond.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:632
- C:\Windows\SysWOW64\Cegoqlof.exe
  C:\Windows\system32\Cegoqlof.exe
  2⤵
  PID:2012

C:\Windows\SysWOW64\Djdgic32.exe
C:\Windows\system32\Djdgic32.exe
1⤵
- Modifies registry class
PID:2052
- C:\Windows\SysWOW64\Dmbcen32.exe
  C:\Windows\system32\Dmbcen32.exe
  2⤵
  - Drops file in System32 directory
  PID:1780

C:\Windows\SysWOW64\Cnmfdb32.exe
C:\Windows\system32\Cnmfdb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756

C:\Windows\SysWOW64\Cgcnghpl.exe
C:\Windows\system32\Cgcnghpl.exe
1⤵
- Drops file in System32 directory
PID:664

C:\Windows\SysWOW64\Cebeem32.exe
C:\Windows\system32\Cebeem32.exe
1⤵
PID:2532

C:\Windows\SysWOW64\Cileqlmg.exe
C:\Windows\system32\Cileqlmg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2776

C:\Windows\SysWOW64\Cnfqccna.exe
C:\Windows\system32\Cnfqccna.exe
1⤵
- Modifies registry class
PID:2292

C:\Windows\SysWOW64\Ciihklpj.exe
C:\Windows\system32\Ciihklpj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1064

C:\Windows\SysWOW64\Bdqlajbb.exe
C:\Windows\system32\Bdqlajbb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1824

C:\Windows\SysWOW64\Bqeqqk32.exe
C:\Windows\system32\Bqeqqk32.exe
1⤵
PID:2752

C:\Windows\SysWOW64\Bjkhdacm.exe
C:\Windows\system32\Bjkhdacm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1796

C:\Windows\SysWOW64\Abmgjo32.exe
C:\Windows\system32\Abmgjo32.exe
1⤵
PID:616

C:\Windows\SysWOW64\Allefimb.exe
C:\Windows\system32\Allefimb.exe
1⤵
- Drops file in System32 directory
PID:2456

C:\Windows\SysWOW64\Qgmpibam.exe
C:\Windows\system32\Qgmpibam.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:2584

C:\Windows\SysWOW64\Qkfocaki.exe
C:\Windows\system32\Qkfocaki.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:320

C:\Windows\SysWOW64\Qdlggg32.exe
C:\Windows\system32\Qdlggg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1764

C:\Windows\SysWOW64\Pnbojmmp.exe
C:\Windows\system32\Pnbojmmp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012

C:\Windows\SysWOW64\Pkcbnanl.exe
C:\Windows\system32\Pkcbnanl.exe
1⤵
PID:308

C:\Windows\SysWOW64\Pcljmdmj.exe
C:\Windows\system32\Pcljmdmj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180

C:\Windows\SysWOW64\Pafdjmkq.exe
C:\Windows\system32\Pafdjmkq.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708

C:\Windows\SysWOW64\Pepcelel.exe
C:\Windows\system32\Pepcelel.exe
1⤵
- Modifies registry class
PID:2276

C:\Windows\SysWOW64\Pbagipfi.exe
C:\Windows\system32\Pbagipfi.exe
1⤵
PID:1536

C:\Windows\SysWOW64\Pofkha32.exe
C:\Windows\system32\Pofkha32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2916

C:\Windows\SysWOW64\Phlclgfc.exe
C:\Windows\system32\Phlclgfc.exe
1⤵
PID:2620

C:\Windows\SysWOW64\Oemgplgo.exe
C:\Windows\system32\Oemgplgo.exe
1⤵
- Drops file in System32 directory
PID:2156

C:\Windows\SysWOW64\Oabkom32.exe
C:\Windows\system32\Oabkom32.exe
1⤵
PID:2920

C:\Windows\SysWOW64\Oococb32.exe
C:\Windows\system32\Oococb32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:2304

C:\Windows\SysWOW64\Obmnna32.exe
C:\Windows\system32\Obmnna32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044

C:\Windows\SysWOW64\Olbfagca.exe
C:\Windows\system32\Olbfagca.exe
1⤵
PID:2096

C:\Windows\SysWOW64\Oeindm32.exe
C:\Windows\system32\Oeindm32.exe
1⤵
- Drops file in System32 directory
PID:1576

C:\Windows\SysWOW64\Odgamdef.exe
C:\Windows\system32\Odgamdef.exe
1⤵
PID:2476

C:\Windows\SysWOW64\Oplelf32.exe
C:\Windows\system32\Oplelf32.exe
1⤵
PID:1992

C:\Windows\SysWOW64\Onfoin32.exe
C:\Windows\system32\Onfoin32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:964

C:\Windows\SysWOW64\Nabopjmj.exe
C:\Windows\system32\Nabopjmj.exe
1⤵
PID:1752

C:\Windows\SysWOW64\Njhfcp32.exe
C:\Windows\system32\Njhfcp32.exe
1⤵
PID:1124

C:\Windows\SysWOW64\Nlefhcnc.exe
C:\Windows\system32\Nlefhcnc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1112

C:\Windows\SysWOW64\Napbjjom.exe
C:\Windows\system32\Napbjjom.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2968

C:\Windows\SysWOW64\Nnafnopi.exe
C:\Windows\system32\Nnafnopi.exe
1⤵
PID:1456

C:\Windows\SysWOW64\Nlcibc32.exe
C:\Windows\system32\Nlcibc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddnfop32.exe

Filesize
55KB

MD5
abd1d2a74cdb898ede7a83205ee48995

SHA1
28e9da11138f35553d235ff4677c7ccff01f507a

SHA256
9adf206c9a77ce8cdd665d4fd4e8072d8808d327f661b9711d86d7dc75742f88

SHA512
2f8aa466853f0bcab24ebd5142cb8e82729b269009d5ec1f5acff7520a3513ef758b53d08307e7d14ff02adddcb4d67baf1db0bb54b2f7ea7f35b2f33036a604

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
55KB

MD5
8385fc4b579f49ce0471609305089852

SHA1
9d612a96522e4f6a2f7540cc61512e8f21141eed

SHA256
80ee156928abd297e9061082da0f5f6b118db54f4815c64516ddbac22305d817

SHA512
1cd19e663e41fa517ebe41dc15b8f7a5712ebe538f70f2df751f15b44d71875093154fa588009938f7f4f3dfd1fb623e3346d2655e8ff563983a48f8729145c4

Download Submit
C:\Windows\SysWOW64\Faigdn32.exe

Filesize
55KB

MD5
540acf4fda945c1e8f4838dfaa1fe835

SHA1
41a79b3e2b40c79bce63d684d1eaee85c77e391d

SHA256
ff9071bf53178deeb08887f1dd0f52a6497100aa43bd0505e60cb6096906abb8

SHA512
8ad22d14b5a3b31b5cf5f03d8ea9137add7845aa238f71d2b64e4528c655b3bde609dfe2d17a973ce2f0fa2d5287c46d8cd97dadbf42458f855c7023e7abdb20

Download Submit
C:\Windows\SysWOW64\Fbmcbbki.exe

Filesize
55KB

MD5
6a98c4b97a37ecb7e6c7cafb9d275853

SHA1
0b3e1c2de8a3f67543bb89174a1b9c74b8caabcf

SHA256
3c1cc160569b1f3db855045c112fc0e0a6b0229c4e3ac46edfe993e65e50ce5d

SHA512
f3bce2f57ac219e206e974aed709b86f953558b669c09440d77c78b666f2184fa14e00e25780d8137aaf53b7ebf841222693849531569c836371facc1b7674d8

Download Submit
C:\Windows\SysWOW64\Fcefji32.exe

Filesize
55KB

MD5
9cee44bf3f0d61b369c1a16734283ae1

SHA1
84bf26b9fb9d9c54086f6f09feb7af0d9716d9ca

SHA256
a5f7d2821017c653d8fa242c1c2d71e73e1bcae6377375789f9467885939322d

SHA512
60d6c87a52e5eadf17430d02a45127797611f800630372dfeb7f6ebce66414420941666916c58ff8cae28b60accf5adbb5c64fa5acaf38788e1bcee4b4636b22

Download Submit
C:\Windows\SysWOW64\Fepiimfg.exe

Filesize
55KB

MD5
e03c73a2304b7f9b75b42e3dd6d03d12

SHA1
514d11a6257f689800441bf6172adb2018495ce1

SHA256
9bc10203c30a60adaaccbfdfe93dd62b5a2544a681c91ee52ee037d2fecc4dbe

SHA512
321120fca3afee4f96de93bf6982499713abc1fbbf9cf20fbb59e0f41ad48f5f54b0ffc6d1d1ca3f9b2486abbe9cccf98d678a3ffa86d17cda5104bd70d801d3

Download Submit
C:\Windows\SysWOW64\Figlolbf.exe

Filesize
55KB

MD5
10fb2b51b58bea7f5be34442725ec4d1

SHA1
27eec5ee2ccaae36b89aaca61ae02bf6a8fc250e

SHA256
d6fe289dd6129d76b4017b04edd22331a126f40e4ca68f53ec60e4c8a337eb09

SHA512
53e244b1813bdf71499dada09fd779fefa6c47295cbe3070873aef6b576d7b0aab91f36bef35f5074c719d2e6465b346a9b8b7226e67f93f90bca27a294d77b1

Download Submit
C:\Windows\SysWOW64\Fiihdlpc.exe

Filesize
55KB

MD5
82e00b069a68ca29851693755a5f8cb4

SHA1
2e5f7989f99d720475c3f17c00f4b93d1b7a5d1e

SHA256
d58d2e49e5cec53aed0add6c3ebd2a433ac8cd9fc21534dbc311eb6178577d69

SHA512
9755982f569df8e0694ff3a782fe92ad4212bf51bf8490d2f6deb2b07bc4b483a9ceabfec367e07c8f593c6983db5f91e5db6ae008980a0f92735b4465d704c7

Download Submit
C:\Windows\SysWOW64\Fjmaaddo.exe

Filesize
55KB

MD5
1c35a684cf74c6f5f0cf73a03c13e229

SHA1
47a43d5f26159aee4c6067e7e502ae5e33d62199

SHA256
e4b55e7b4a5a5c5fee9e93538c32ab8f4434663cb35913bb6776f813cd315a58

SHA512
8086be88cb629ed49c1b93a5a194318982296b7d02707f446136d6b8be06e264b96dad1378af08f4cba796d62377a67b53159432946b69bce395c29118fbae2d

Download Submit
C:\Windows\SysWOW64\Flehkhai.exe

Filesize
55KB

MD5
24d136b2f7ee7475f4cdf1ee5ef78790

SHA1
583cea70c7f11c84a735e9accee97d226fd94eca

SHA256
12b6ce70132c22c90b808702c783627eecba0d6fc16c6ad81c29aab0197eb3e4

SHA512
08d865eec53807dccbecac13c82aba0fb08784943a91efc75c73cfb09ad239d0792f552526c062f36dcd9bc6141201711fef51002a0753deab0b8c9047089a52

Download Submit
C:\Windows\SysWOW64\Fnkjhb32.exe

Filesize
55KB

MD5
1413c1c62b317c0761ae54d23308a63d

SHA1
27a8b0c9c972dbebd0726b68734b090119ff0e3d

SHA256
7d8dd7cb6575fcf200aacd6b2d7aad6509f6af4d0b71b5c14770bec447dc6632

SHA512
66b2d64cffe82f9597c260c0d55853bd54089c7913a5b80f8e829c3b568386d4b89afa3ea36964fef889cfe29585ecdc3315b524e942e425eb900feb4785eb1b

Download Submit
C:\Windows\SysWOW64\Fpcqaf32.exe

Filesize
55KB

MD5
8ea9a46cb79e335993b52cc1487b94e8

SHA1
a5f6c641fc093b487debf4d70832ddf54f63ca80

SHA256
3d58fdb0e3639dcbc3588f3e9fe7dddde4c0cf86e0b86e838a93d58423ffc478

SHA512
881aac302058407ef6e45de812cda46f2e6c3fdbf7abcd55254224cecc8d046b23549155b02a1de76d9079e792e952b556abc36021bcc8b498f182769611a785

Download Submit
C:\Windows\SysWOW64\Gfhladfn.exe

Filesize
55KB

MD5
9cb22642ee28af0d8e4d94a3460d17dd

SHA1
bfb70272189a2dc41b608ff26fd2e1a3e2312e1e

SHA256
f205f100c8960ef4334d325dba78c2b3e7c9a629de9b64ce6a4de35d3c95ee86

SHA512
fde8eb89a55a2d40aede62598b98e2e71aace5c3c5874bdbc2007dbc46deace6540fd0a0387b65356418674fa01d999a3e88dc5a7532f6cb932ae2d59e53fae6

Download Submit
C:\Windows\SysWOW64\Gncldi32.exe

Filesize
55KB

MD5
3c810bbed8803e7bfca6b33ab5e29fd8

SHA1
103e335099f1da39dc8d3a9573568ab3b657d947

SHA256
90f6e47864a9e939edaa16001f74814515cc9abbb869a71f2ac961c62bf5070c

SHA512
5b32b3cf56f171923306b32e1195df5b3c376fc56a316eadd8fe93e9ddeab5da7fc3c66581f071c991d46852bbfba7cb74db5fd31d831692addf9c2c71d33e04

Download Submit
C:\Windows\SysWOW64\Ichllgfb.exe

Filesize
55KB

MD5
d08195f5a0878b3b64dc295ea9b79d33

SHA1
baa437eba5c0023ac32fd4399870d87cb620e836

SHA256
2cd5936bb221d5666919c10e3879a21073cfca04eca055404c64ec1ea342c0f7

SHA512
a1f8f9e6ac15428bdbcd005a650019989b8bf47d0e52200502a9ec9ae1e4955ea91e09a05840fdb5ad5d7ab6b789aafcaf1669153e24ee588bc6a14d50e7ff02

Download Submit
C:\Windows\SysWOW64\Loefnpnn.exe

Filesize
55KB

MD5
2f8ba008914e973feb36de81cf2f4d9d

SHA1
c411ebbbbce6354c82d5787eca56f8e1c2127733

SHA256
15b8ae6ee4dbfc391b5da6822ac8854f60ae71180efd5923a00a7c66d6ae8426

SHA512
caec32f0a43d62aba9f55e57678da2e7c3eb7393bf1a7232fab9f738cd91ab08b9cf4a9be2b069fe5e522935db0371d00fe30aed6b6c5873d6fe8c8060336531

Download Submit
C:\Windows\SysWOW64\Mbcoio32.exe

Filesize
55KB

MD5
96e5b1b260368ae8ca7999d1d4a5c03a

SHA1
a55bda5acd01193e572a068072d3da3dbe53ae49

SHA256
4933f7a35684ae444e8155ae1e9dc5e6fafe3f252fa25ed35cdd024e3ba4b426

SHA512
f4698798e68988f03070251967a251ac086a99c0c4a277630b3003dda5e9a372b39e1209c09ebd22423bce10b1f41eeb5550779106f56c144a95b96ddae0cf77

Download Submit
C:\Windows\SysWOW64\Mcckcbgp.exe

Filesize
55KB

MD5
1b13ed65de3effa6be76eba9413d6d57

SHA1
287c80ed17b197ec23cb6704669d5981f75a69b6

SHA256
f9ab2f1213cff5b7b8011a180cf5ce9b07d13c0f903a9d438cf8ee6d30de5f5e

SHA512
ca055a36d720a8f212f3c3033cb677bc4724f605b03bf6459479ab5fa79962c07be135dc8c2c8868bce5e8f5dbe73bbde3ae983d57146d06864597f77b1d98a6

Download Submit
C:\Windows\SysWOW64\Mjhjdm32.exe

Filesize
55KB

MD5
aca7d634d546644e2cc62c65b0fff7ab

SHA1
8486e4678b4b21aef515bd897e210bdc42495dbf

SHA256
ff4ec573789a83c8a8e699eebe2d1292edb773f1d52ddf36e4f1198222918e46

SHA512
55ba742fc6dcc01d693f745903050d905e589e3748a7ebb1db2ab58ae4bf5d6d8dc12039459d8e3ac36cc18f847e4c5cb768f866862a8ebbe01695b3982f7444

Download Submit
C:\Windows\SysWOW64\Mmdjkhdh.exe

Filesize
55KB

MD5
396e5a1c0963f5566c7bae1e55e9a860

SHA1
8c6c9c72ac9416c9e2fcfebf51e736511f7a015b

SHA256
159f5ddbd745cc207b1b390f48ffc4532e044c6520cb7e360c8d21fa590c313b

SHA512
94129124753c168b023b9d8c9ae58f9d01b44a0cfe8ea11c4d68207c0b09ee485dc92d88b089a4855233038be10fa7c1b07119bd7625269fdec7da0b23f62a60

Download Submit
C:\Windows\SysWOW64\Mmgfqh32.exe

Filesize
55KB

MD5
754a97afbb9a36373ffbaefb56b8a811

SHA1
dcb2e6fd04be3595cfcbf9ae390390b1270a2f49

SHA256
6ede0dd24326f8f6e03df3f3280ed13b47650e849d3b13a35e1b55258d79260d

SHA512
ee5bf656bdd5cb2be78541be7546362b237969cac5ae30184e9c496e77cbd773b310ddcc84f373ed21325d615bb013606edb44a1f2134430f71266a3d187026b

Download Submit
C:\Windows\SysWOW64\Mmicfh32.exe

Filesize
55KB

MD5
4522b2f683aef3b702a47fd87aba53d5

SHA1
0b50344793fbc268a1f708684575e98d2f4ac1f4

SHA256
66ce77a94f82b6aa7aa268412db8084bab00a50ffa135fa480a0df152ef065f2

SHA512
eb89bcb01c45b2077bcd67af413f272da49f721f87c9672451d9b7b6a2b56f364caa19292ea0ff7353093b337add93fec0d5bcc8c852e15ff92a934dda2b3e08

Download Submit
C:\Windows\SysWOW64\Mnomjl32.exe

Filesize
55KB

MD5
2783c1dbd7f3b2a61f18bf9a45a743e9

SHA1
9dc6c734edd92041d1f3d5935da2071ac3938e1b

SHA256
2a9fc682f960e5664940054de19e074da5e1c30a9800a5d6a35e7874394eb9aa

SHA512
fdefe9f1721ed9b55bdc3689094ccd7409a27ccf5abe8b7c5333d5642ebf1fccca59da78eb7ced694f59754e3269a2ecb4545a8caefd52e3bc5dc9a5c4d8733f

Download Submit
C:\Windows\SysWOW64\Nameek32.exe

Filesize
55KB

MD5
e8176276df7ecf526d773e86702955e5

SHA1
9bd8be9fc2fa6446c6a7f23fc82d29de6b93be0a

SHA256
043c5fad06c4e45d647312e8bb200ad203de9a221280792844ef1280a496ca6d

SHA512
f04e0ee82adbba6e67c1e223c0e59b03338917d879a347f128e313657516cd7afe2a4cc13b1051f53205e2ab08552edeccb3857b4632c22dac2a956025113fce

Download Submit
C:\Windows\SysWOW64\Ndqkleln.exe

Filesize
55KB

MD5
a535527e09d8ece6a5f189377937e8f6

SHA1
b9af0ab8102e59a63ed2433bdb1ad52bb00336d0

SHA256
945e35c78d98aaf3ebb8605de53635278d0aea128ce8fa7224b35b71734645ea

SHA512
a29b5a439f469eebcf5b6f39bd0d50ad2f5bd22ab1763e0e89732146d26ebf835ee408441ab2be8074de5a776cacf224ce09146ecd0a1b4c8b618c3e6526837c

Download Submit
C:\Windows\SysWOW64\Nefdpjkl.exe

Filesize
55KB

MD5
bd0de5a12f3b35713f377b5da7d6a27f

SHA1
03785c45f6d70ac0f74b8a9133352e96a438c28e

SHA256
393bfc6fe2c2de1fa9b6f2a0f51ebb1e79c5ad43e259aacbfa77044d2fafcbc6

SHA512
1b9bb82f3022f60d9d2acef8b3fa25211b0f76f2501e57b8bf3e48de1455f7da5fa98afb53a24520126c230dc2c1338e55f12dc2ac470831e88591cf5e418156

Download Submit
C:\Windows\SysWOW64\Nfdddm32.exe

Filesize
55KB

MD5
e66c373450234448902b1223f62009d4

SHA1
0df7d3e0c138bd34e39fd11712fd17fad70bed27

SHA256
d0e08cbfc3d1f34ef24078405c69c578d08b9b41207e6304ba65e760a35afec2

SHA512
217935764f429314c7c421b2de04cf397d75218a38e55da4b566aa85ae028311b4ffd57c5968d70eb9b68de1a4da304ca036665f77bca75203ab6da67fed9c9e

Download Submit
C:\Windows\SysWOW64\Nfoghakb.exe

Filesize
55KB

MD5
14b89fff4da1595fc296f076f0376195

SHA1
db5d93cd2af81cc94075f89c8b708a92a3c80f77

SHA256
ffe642bb5c523f5713c0138c5a43ae9b4dad7e4c5a02ac3f3ca90ed1426fd626

SHA512
8a26eedd6fb8291f7d03704d809722d2377e56344d2372c6ab84020b1466bebad1a5eeb6af2e560c6ba575ba4cc3f203630261544130b939a885d25bfef73d43

Download Submit
C:\Windows\SysWOW64\Nhgnaehm.exe

Filesize
55KB

MD5
3bbcf2ae8d6837cf4e1f6d6da1eedd3b

SHA1
d818c7702db8a6a9b06cbd0be452cb6e1e53ee2e

SHA256
631d0660a82cbd48f6dbd11e4003d55d10c8f16aa30f89568635e40d36b5f659

SHA512
9c8e9cfb9c2365a27ef5b4bb4f585c14abfb6ff75de52b0a525eeb5ac92316e3b4011f302866ca17628bd5240aa96c96e5f4c783425ba50237dbb1bd36c78c1d

Download Submit
C:\Windows\SysWOW64\Nipdkieg.exe

Filesize
55KB

MD5
73ed631a70b74b9489534c65cd2e7b69

SHA1
6e5e89450d895c84055128c0d0d786c9a174e17b

SHA256
df6634e8d02e21806f9d5a04bc7b7e31388074f9e72b150eb4c53322200d6f6f

SHA512
8d2f1eb6bd47f0901409276ec6a3c562aefcbbdcbde861395eae2eb252cd6db97a65e79da95615732c313325f054a066820bdc6a0f0ca465d8e690c579d7b683

Download Submit
C:\Windows\SysWOW64\Njhfcp32.exe

Filesize
55KB

MD5
9bae04fc6bcf58e088d9c8097b6cb08d

SHA1
d8cfc0cb9ad10f93bdbeb022499ddff50daba072

SHA256
5e92c9cbaf715a62352e02a1dc95e055135f240d9c6f68e010ea84746ba3363f

SHA512
aea1c01f556fca57ea904c98202afa5b457af862d9d462b81ae9ca7c646d773b21f592f10d21500c0d34be88ec90ec479616546ba8cbcc2755ea7934a92d4c03

Download Submit
C:\Windows\SysWOW64\Nlcibc32.exe

Filesize
55KB

MD5
bfe8dabc5728eba7cdb6172fb261ff5c

SHA1
3fa063ec04e2e0af58d4975c9175769184c8f9b3

SHA256
8f3744f4c24783a22245f0f16afa2ee66da7742dd5895aec3ddedb9c27598415

SHA512
0c1e7a233a21ad0f28ee4689ac53311bff61cbb33ddcf26ad83fdd43d0d16b7b8f6ad9ab97acdb69559155b01175fc79e1f353cb366f650d5e3fb25899011948

Download Submit
C:\Windows\SysWOW64\Nnmlcp32.exe

Filesize
55KB

MD5
9bdebc589604a1364f41258d2a21ad6b

SHA1
be33983d7d5f6efbcaa719e88e399345d52db773

SHA256
a382ccdd20a06e6413f097726ef918c2129f8513b85c02a1150096873899190d

SHA512
6cffdb5b04625dde56185a9a80052ca8b172df1aca30093ac7de68d34019025e3e0676fc32b96a95fbb0810caff97e9de30fb971a174e263486c012ccd4dc357

Download Submit
C:\Windows\SysWOW64\Nnoiio32.exe

Filesize
55KB

MD5
8fe16b29350caa70290bdaf800eabafb

SHA1
2302e5630fa33370ce1bf5e6c67f21dc2c5e50da

SHA256
bd665a40db7a57426f63263a8f7edae8aeac8e257adce4151c23564b1113abcb

SHA512
43c28ffa5744b83a8f4973260b772043fa2ea9a1a80ea65c1af81148e3205e9393117f12b127d75949a3db3ab80062d0517af5dda59f767637821708f7b68200

Download Submit
C:\Windows\SysWOW64\Oabkom32.exe

Filesize
55KB

MD5
341a55e10916e1c794ecc695aa989e37

SHA1
55dedea0a57b6ff1f24aa3de318bb00aa8eb4dab

SHA256
91911f321e81256742609dadfaf78c1a769a01b9b30d408d581fc7bbc839b722

SHA512
7c018e65a35fccabe6c754ce735b60ceef42e47996a647bacdf7697f0baeecf94d94df8057459293fda6ec5d52b483be3e6f0f09ae8c35bcbae352e2c0884fdf

Download Submit
C:\Windows\SysWOW64\Odgamdef.exe

Filesize
55KB

MD5
07beab9ae8b04fe25b46caee0458cd7c

SHA1
c76de77f349a0b9a07d7e70de13b0859dd5062da

SHA256
b21977440fb04ef9462ee9a5df17a58ce7dc507ee20a62a271de9efded486377

SHA512
73e9c9fba75ed487ea0f8bf64bdc4e5182ab6acde2cbd27f4f4a2dc882235e57b0fc95ebcacd81950c07ece080534f2ebd9552e7dc815f65701d8d00ff25ef75

Download Submit
C:\Windows\SysWOW64\Ofadnq32.exe

Filesize
55KB

MD5
b274115631a55f5b587a31f12260101f

SHA1
2116711b16a2f7e69a973f9d415a93f77436b484

SHA256
b403f20fa6994d12c142a2479137c27d5a7a87dde0d9d0793177ecd4763cb932

SHA512
b4185f89e562322e540e9f3cbebaeeda165bbbefad1b04252ab808633a83e5180a5e0fa381295863a7e03e2e1cdc1c5c245d609c42c6ab1825cd365d84993974

Download Submit
C:\Windows\SysWOW64\Ofcqcp32.exe

Filesize
55KB

MD5
50934739c189d021726e87517b371cb1

SHA1
afdf8f0ed7405fb5b6c4209ad20b2e6e5bf65051

SHA256
1bcd47024d72ce33fef066a446d3e0f66f88b290f560c611aad3e001ac17ff8b

SHA512
9f440b5acb18da5508158f51960b61e0755c42d8af1474cecb725714f9d8599821d9f84969eebaba1a7b440d12f134c74cc9ca52c11ea702bb7d7290170c8216

Download Submit
C:\Windows\SysWOW64\Oiffkkbk.exe

Filesize
55KB

MD5
34eb7ae45c129042b90cf7d6b3364c9e

SHA1
ec1b31883b74ec091b8f20df88ecec760eda5dd1

SHA256
79bb36c58b95e32d8d398f388bc4a94ca04f06afd6a409d9220985e91a1f9159

SHA512
a56b80f8162e5170b34ad5b90c93a1e3eb23e3ddd6c1cf80315637871d3301bbebdd6ef28398e131cc999772198d12c3127fe40dc71544fd191fbe9f5e489019

Download Submit
C:\Windows\SysWOW64\Olebgfao.exe

Filesize
55KB

MD5
cb3154869b69a1fac1c3220b35c43f57

SHA1
4c8a399b629473158afdacdfbfa0c1b9efe5046e

SHA256
5896720b654b3426381fff819e81067b17c464260f9ce961e5ffb51d037f9640

SHA512
89458e69036835e05e358069ad9384768f8fc4c6a47f6404951531e71759da7b821d1e7d6ad768243a898965cf82f03fccd4d4acfe36978fbbcd3c69f61e3275

Download Submit
C:\Windows\SysWOW64\Onfoin32.exe

Filesize
55KB

MD5
202403b88fdf7609f9b648f9bf632b82

SHA1
05c53281b0772869a756bb7bc6857e25729e3739

SHA256
8ad982138f7aa64f6429d0afd6402a25848d29b87382622d6804b5533be81bbf

SHA512
7747c179777312877ef5293a88c85e945e23966be1cbe12f18bc703fefd17e5d65bfbfc405180550d19b6d26201781f2fbc8d1fdb69df686521e0f36a36d8fc1

Download Submit
C:\Windows\SysWOW64\Opglafab.exe

Filesize
55KB

MD5
16ca9982b47a2a0d044ecb15f2580a04

SHA1
fac44c7fc9be674cc333b16bcabb96cf3438ddc4

SHA256
9b87208785f614270b2e5df0906808572b97fd602be3cd4f1106a27f21b50b25

SHA512
d04893248ca62bf110cdc823d87796255ebced83ccaa248a720bb3c24e44d49d4a4c632e661f08689d0e179ab9c80ac51d8e35bd6f46a15fddc5bcbb63850d1d

Download Submit
C:\Windows\SysWOW64\Pafdjmkq.exe

Filesize
55KB

MD5
43c447e2a6f3212c13576139a0df232b

SHA1
5cb23560a13277656cbee1a630d7ecb835ebb921

SHA256
638af6d4863863e8f819a81c4ba5e3dc3a3c1ff3248c69d8790308cf035dc35d

SHA512
caa3fff6ca89c0c4e27b4fdf023e75ec80d90a118248f5f1926270ba2467dd50cc869a69420d43b0c3afda67b486211bc00528efc90e79fa7d725f5fbe4f980b

Download Submit
C:\Windows\SysWOW64\Pepcelel.exe

Filesize
55KB

MD5
9ac0bf577ac725ef58c2aad4759237e0

SHA1
c606bcf63647eb87ecd369c1e551050751d9e639

SHA256
e325896162b02721df38b6a0f705f2fa617a9298b53af878e2af0381f249481b

SHA512
b0e07f73fe9703f032a2041a69da4f139e8b93a435c2352629c815e8208c1a75411b7e7e5fa85a029d4fc3ca2074af32343602680652ee481aba5dfd45f5399d

Download Submit
C:\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
55KB

MD5
ef525c9d49fd7a2ef7daab8b24b6b6dd

SHA1
dfffac4c46932c7a333896767d68769c80bf41e1

SHA256
af5fca01556a583285666007d58b4907ef8ae771aab8b1ba5df6fb4f0f6190d7

SHA512
76a78f67d3bf4021e99bfb3cac5dac42d8a156b3793f5cd49f36dbe85ec54c7529dd2671c90d257181b66c47a70d9d72fb6b482804d2e7cb7d91dbff0d34fcc0

Download Submit
C:\Windows\SysWOW64\Pofkha32.exe

Filesize
55KB

MD5
68528e69d3957bd31d8c472d5b5a3c65

SHA1
74f42b63638a78bcaa4d22d6ba6218ec33ec1dc4

SHA256
7d85f76d7c4e05bc423f3dab7781d60a5487ff523f8e13b43af617f5a3c33e12

SHA512
464fefb60216616067a6c3e5501cf6d0a33c7e6f2b03b749337658bfd4869bcc707db9835166cbcd464b04f1d165829cb61f963965482638cabadffd0756caaf

Download Submit
\Windows\SysWOW64\Eccmffjf.exe

Filesize
55KB

MD5
17db294a16ac49a7cf808b24cda9abf3

SHA1
78830266daf19b2eaa9ddd9eb6d0a12e875bcb53

SHA256
57c861995c08e46bc20db311f270f321ba85b7a3b8144909e8703d97416698ce

SHA512
2e663b1a9eb8e58fd59d9bdb251034a02f621e9b7d5ac59340689ae2b2cbde4d57b0c7b6c9291c0cec88b2849c411a9b9018f58870e631d1977bbe2b833f54f0

Download Submit
\Windows\SysWOW64\Ecejkf32.exe

Filesize
55KB

MD5
84292ec63039db819fcc83e369dbe761

SHA1
275ae3ba1fa8c188cab77e9cb5c2e00071767005

SHA256
4b834e528ce88171ce8f9cf95e52e3bc57e9ce48e714a01441bddb1655b1d41e

SHA512
d87f775ed015a4ebd9761380b0d9d8c82329f01976c48e37035614011a50fc6a8de80b68c94487b36cf54c366ee28f2901175309fddccb3b08bc278c06f262b0

Download Submit
\Windows\SysWOW64\Effcma32.exe

Filesize
55KB

MD5
6082be5b90414a2b9e67cae20bde7e1e

SHA1
f76d832ce010ada8fc107b8c36e1da26c1f07d5f

SHA256
effc5471a62c8351e3256c0b3fd55583abcfb152167ab3820190e4f26a16a5d1

SHA512
d3db3eb4ed8b357ebd7b3edbee2cafb425dd99a78a25b66f7aead2f2c315db25310dda6553ddc360e3d9402847e342da4e2714ccbf5d3eea9ef13b3d9f99fa32

Download Submit
\Windows\SysWOW64\Egllae32.exe

Filesize
55KB

MD5
56c1a7e4f2edeaa6aef8dcbac0a5fea3

SHA1
ebe91501d93eba24f55bab5896aa3af9c2fd1221

SHA256
f54c8500a0a5ebef9b22bc006792358af7332c823037e16fabd1ba9293f16cd8

SHA512
0258ec8393713ba5f5f0074d6c4ed08a3847c26468887336a04ea65acf31523e8d8761672a98b3a3fb830a467d947b5aa25642a05413c27a9657413b20dae2e4

Download Submit
\Windows\SysWOW64\Enakbp32.exe

Filesize
55KB

MD5
4b3393186ecc5bcb57a3e2f3b188d826

SHA1
37117227537ae31c5e03efbd9c464259cf158736

SHA256
6185478dc519ac19300a4552270ba0ebe985a062292c35be9f13b17494b5cc2f

SHA512
7fcb4b01ac51ad5fc2bc81801fb6c82b24e3214744bcc1a37e545d2ade36cf8b2328867e2ae77e861bce8fb4b6912fda0bad816aa2b8caf7ab3038857df8af04

Download Submit
\Windows\SysWOW64\Enhacojl.exe

Filesize
55KB

MD5
fcf8aeee1add1ea34e57ae090cc2f7cd

SHA1
6966d57220193975c326d9e7d0e37d6747ccacb9

SHA256
8ccfa4ae34815439e053215c23a8c7cd248bd48422906ae15dbc73be64f0dba0

SHA512
430de69808d5cee8577c41f453fcd78fc2248d7959bcf198763968c6cfec6f58b2077d96b1aedecb99187c427288641c5d7e431a53da2adfd8f378952725bb51

Download Submit
\Windows\SysWOW64\Fmpkjkma.exe

Filesize
55KB

MD5
95019dce9ee1c37a49bcfc5e62e67308

SHA1
6cdefcab2704afbe7dd63dd5c9060bf8f78474ea

SHA256
b689d6d6680b4df2cf5d3740f8ab83842a8798f196c82a3f3a712410f3c77c02

SHA512
d7c32c68172b04a041e69ecbd707c4d0aabf190d11b71a8ed8faa7c86d4832a9183a1aa8d87851e9841f8f7de2c32ed13a938b07020334fdff200a4370ab9a49

Download Submit
memory/676-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-167-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/676-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-246-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/836-251-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/884-315-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/884-316-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/884-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-266-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/968-261-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/968-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-6-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1616-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-100-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1616-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-199-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1740-325-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1740-329-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1740-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-140-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1776-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-277-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1780-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-278-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2160-340-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2160-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-293-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2232-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-294-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2284-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-304-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2424-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-309-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2436-351-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2436-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-350-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2512-20-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2512-25-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2604-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-47-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2604-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-390-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2652-386-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2652-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-280-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2792-284-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2792-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-157-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2860-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-368-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2868-367-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2884-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-362-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2904-383-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2904-382-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2904-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-61-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3056-112-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3056-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads