7fb36173efeab9de6f6eddacd39b428d5ca07c0ab61c3887493f97be911bc7f5

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2024, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b073676e0b53d295f14cff067cf595eb.exe
Size

276KB
MD5

b073676e0b53d295f14cff067cf595eb
SHA1

846018fa129413cb77899d77952400759a0c46cf
SHA256

7fb36173efeab9de6f6eddacd39b428d5ca07c0ab61c3887493f97be911bc7f5
SHA512

5ed80f3f7218e035a00ac22697b40dac008684435a926e1a084f55f9d1de97f30c1acd11cfd2e0add9f0e889faa038cb3e0b228e3d401cc4b68dffcf2e2ae00b
SSDEEP

6144:E5je+8EHq2uRBvqdYORLSdn7MUZst5qXsunbLwMddjPXmF6EC1LlzxAKN+xTU5Ax:oj3qPvaR+pMUQunbpd/mF6ECJlzxAKNO

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaleglc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonoao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddligq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpqldc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paelfmaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qoelkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmadco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmeede32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efepbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdcliikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoobdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmeede32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqimikfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejopl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iphioh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alkijdci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcanll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojdgnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilccoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnindhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnindhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnlecmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcniglmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnqfcbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkconn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifaim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqimikfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkbmqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojajin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bohbhmfm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neqopnhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paelfmaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blqllqqa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lclpdncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neqopnhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpdegjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpcjgnhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaplqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilccoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpabni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iphioh32.exe

Malware Dropper & Backdoor - Berbew 40 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000200000001e7dd-6.dat	family_berbew
behavioral2/files/0x000200000001e7df-10.dat	family_berbew
behavioral2/files/0x000200000001e7e1-22.dat	family_berbew
behavioral2/files/0x000200000001e7e3-30.dat	family_berbew
behavioral2/files/0x000700000001e0ce-38.dat	family_berbew
behavioral2/files/0x000200000001e7e6-46.dat	family_berbew
behavioral2/files/0x000200000001e7e8-54.dat	family_berbew
behavioral2/files/0x000300000001e7c9-63.dat	family_berbew
behavioral2/files/0x000200000001e7eb-70.dat	family_berbew
behavioral2/files/0x000200000001e7ed-78.dat	family_berbew
behavioral2/files/0x000200000001e7ef-86.dat	family_berbew
behavioral2/files/0x000200000001e7f4-94.dat	family_berbew
behavioral2/files/0x000200000001e7f6-102.dat	family_berbew
behavioral2/files/0x000200000001e7fa-110.dat	family_berbew
behavioral2/files/0x000200000001e7fc-118.dat	family_berbew
behavioral2/files/0x000200000001e7fe-126.dat	family_berbew
behavioral2/files/0x000200000001e803-134.dat	family_berbew
behavioral2/files/0x000300000001e7f2-142.dat	family_berbew
behavioral2/files/0x000200000001e805-150.dat	family_berbew
behavioral2/files/0x000200000001e808-158.dat	family_berbew
behavioral2/files/0x000200000001e80a-166.dat	family_berbew
behavioral2/files/0x000a00000002302d-174.dat	family_berbew
behavioral2/files/0x000a000000023031-183.dat	family_berbew
behavioral2/files/0x000600000002313e-190.dat	family_berbew
behavioral2/files/0x0006000000023141-198.dat	family_berbew
behavioral2/files/0x000600000002314a-206.dat	family_berbew
behavioral2/files/0x000600000002314d-214.dat	family_berbew
behavioral2/files/0x0007000000023143-222.dat	family_berbew
behavioral2/files/0x0007000000023145-230.dat	family_berbew
behavioral2/files/0x0008000000023147-238.dat	family_berbew
behavioral2/files/0x000800000002314c-246.dat	family_berbew
behavioral2/files/0x0006000000023150-254.dat	family_berbew
behavioral2/files/0x000600000002315c-287.dat	family_berbew
behavioral2/files/0x0006000000023164-311.dat	family_berbew
behavioral2/files/0x0006000000023168-323.dat	family_berbew
behavioral2/files/0x000600000002316c-335.dat	family_berbew
behavioral2/files/0x000600000002317e-389.dat	family_berbew
behavioral2/files/0x00060000000231af-534.dat	family_berbew
behavioral2/files/0x00060000000231fb-797.dat	family_berbew
behavioral2/files/0x0006000000023239-1013.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
1908	Dikihe32.exe
1256	Efepbi32.exe
4144	Efjimhnh.exe
4916	Fcniglmb.exe
3108	Ffobhg32.exe
2600	Fplpll32.exe
4436	Fideeaco.exe
5072	Gfkbde32.exe
1484	Gdcliikj.exe
5052	Hkbmqb32.exe
2408	Hpabni32.exe
392	Idahjg32.exe
1276	Iphioh32.exe
2812	Ilccoh32.exe
1020	Jpaleglc.exe
2644	Jdodkebj.exe
736	Jnlbojee.exe
3608	Kkconn32.exe
660	Kgipcogp.exe
4440	Kcpahpmd.exe
1848	Lddgmbpb.exe
4280	Lmpkadnm.exe
1884	Lclpdncg.exe
224	Lnadagbm.exe
700	Mgobel32.exe
4000	Nmenca32.exe
4872	Nlfnaicd.exe
4120	Neqopnhb.exe
4616	Njmhhefi.exe
2948	Nhahaiec.exe
2292	Onnmdcjm.exe
2660	Ohkkhhmh.exe
3684	Paelfmaf.exe
4988	Pkegpb32.exe
4004	Qoelkp32.exe
1976	Amjillkj.exe
2316	Alkijdci.exe
3644	Aolblopj.exe
4372	Aonoao32.exe
1888	Akepfpcl.exe
4052	Adndoe32.exe
5064	Bnhenj32.exe
1656	Bohbhmfm.exe
3152	Bhbcfbjk.exe
2216	Blqllqqa.exe
1568	Cfipef32.exe
2572	Ckhecmcf.exe
4200	Cnindhpg.exe
2144	Cohkokgj.exe
4956	Cdecgbfa.exe
4756	Dfdpad32.exe
3440	Dnpdegjp.exe
1788	Dmadco32.exe
4064	Ddligq32.exe
4360	Ddnfmqng.exe
3960	Eofgpikj.exe
4488	Efblbbqd.exe
1560	Ennqfenp.exe
3140	Epmmqheb.exe
3508	Eifaim32.exe
5048	Ebnfbcbc.exe
4236	Feoodn32.exe
4980	Fimhjl32.exe
3976	Ffqhcq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Baannc32.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Mfbhmo32.dll	Adndoe32.exe
File created	C:\Windows\SysWOW64\Ljnlecmp.exe	Loighj32.exe
File created	C:\Windows\SysWOW64\Phfcipoo.exe	Pnifekmd.exe
File opened for modification	C:\Windows\SysWOW64\Iipfmggc.exe	Imiehfao.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Dapgni32.dll	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Oplfkeob.exe	Nmkmjjaa.exe
File opened for modification	C:\Windows\SysWOW64\Lnadagbm.exe	Lclpdncg.exe
File opened for modification	C:\Windows\SysWOW64\Lqojclne.exe	Lgdidgjg.exe
File opened for modification	C:\Windows\SysWOW64\Mqimikfj.exe	Mjodla32.exe
File created	C:\Windows\SysWOW64\Ipehcj32.dll	b073676e0b53d295f14cff067cf595eb.exe
File created	C:\Windows\SysWOW64\Iibccgep.exe	Ipjoja32.exe
File created	C:\Windows\SysWOW64\Gdglhf32.dll	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Pjpbba32.dll	Ennqfenp.exe
File opened for modification	C:\Windows\SysWOW64\Gimqajgh.exe	Gpelhd32.exe
File opened for modification	C:\Windows\SysWOW64\Ipjoja32.exe	Iipfmggc.exe
File opened for modification	C:\Windows\SysWOW64\Apjkcadp.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Gbhhlfgd.dll	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Coqncejg.exe	Cdkifmjq.exe
File opened for modification	C:\Windows\SysWOW64\Efepbi32.exe	Dikihe32.exe
File created	C:\Windows\SysWOW64\Hfhgkmpj.exe	Hoobdp32.exe
File opened for modification	C:\Windows\SysWOW64\Pnplfj32.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Gpcpel32.dll	Jedccfqg.exe
File created	C:\Windows\SysWOW64\Mcpcdg32.exe	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Chdialdl.exe	Boldhf32.exe
File created	C:\Windows\SysWOW64\Kkconn32.exe	Jnlbojee.exe
File created	C:\Windows\SysWOW64\Gmigpf32.dll	Pkegpb32.exe
File created	C:\Windows\SysWOW64\Dahcld32.dll	Ipjoja32.exe
File created	C:\Windows\SysWOW64\Bpfkpp32.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Ddligq32.exe	Dmadco32.exe
File created	C:\Windows\SysWOW64\Ennqfenp.exe	Efblbbqd.exe
File opened for modification	C:\Windows\SysWOW64\Mgbefe32.exe	Mqimikfj.exe
File created	C:\Windows\SysWOW64\Mjcngpjh.exe	Mgbefe32.exe
File created	C:\Windows\SysWOW64\Amjillkj.exe	Qoelkp32.exe
File created	C:\Windows\SysWOW64\Gbnoiqdq.exe	Gejopl32.exe
File created	C:\Windows\SysWOW64\Jkjpda32.dll	Kpcjgnhb.exe
File created	C:\Windows\SysWOW64\Ghjnkpdc.dll	Gmdcfidg.exe
File created	C:\Windows\SysWOW64\Dbqpfg32.dll	Jilfifme.exe
File created	C:\Windows\SysWOW64\Oihgmo32.dll	Fcniglmb.exe
File created	C:\Windows\SysWOW64\Gaigbkko.dll	Fplpll32.exe
File created	C:\Windows\SysWOW64\Eofgpikj.exe	Ddnfmqng.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Cklhcfle.exe
File opened for modification	C:\Windows\SysWOW64\Kkconn32.exe	Jnlbojee.exe
File created	C:\Windows\SysWOW64\Ekaacddn.dll	Omgmeigd.exe
File created	C:\Windows\SysWOW64\Bmjkic32.exe	Bpfkpp32.exe
File opened for modification	C:\Windows\SysWOW64\Amcehdod.exe	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Qnidao32.dll	Idahjg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmeede32.exe	Jocefm32.exe
File created	C:\Windows\SysWOW64\Bohgljdl.dll	Komhll32.exe
File opened for modification	C:\Windows\SysWOW64\Nopfpgip.exe	Mjcngpjh.exe
File created	C:\Windows\SysWOW64\Qoelkp32.exe	Pkegpb32.exe
File created	C:\Windows\SysWOW64\Cohkokgj.exe	Cnindhpg.exe
File created	C:\Windows\SysWOW64\Nlnhqepf.dll	Epmmqheb.exe
File created	C:\Windows\SysWOW64\Lelgfl32.dll	Chdialdl.exe
File created	C:\Windows\SysWOW64\Efjimhnh.exe	Efepbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lmpkadnm.exe	Lddgmbpb.exe
File created	C:\Windows\SysWOW64\Cboeco32.dll	Gfeaopqo.exe
File created	C:\Windows\SysWOW64\Ahfmpnql.exe	Aaldccip.exe
File created	C:\Windows\SysWOW64\Hbobhb32.dll	Aaldccip.exe
File created	C:\Windows\SysWOW64\Illddp32.dll	Lclpdncg.exe
File opened for modification	C:\Windows\SysWOW64\Oaplqh32.exe	Ojdgnn32.exe
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Ljqhkckn.exe	Ljnlecmp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6784	6460	WerFault.exe	244

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epmmqheb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blqhpg32.dll"	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcefi32.dll"	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefchq32.dll"	Gdcliikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofeei32.dll"	Jpaleglc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfipef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eifaim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmchiim.dll"	Gnqfcbnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnlbojee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmdcfidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmiikh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Golneb32.dll"	Gfkbde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppadmq32.dll"	Ohkkhhmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmlbhekk.dll"	Fimhjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejopl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnindhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjcgjio.dll"	Jocefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jedccfqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npbceggm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpejkd32.dll"	Gbnoiqdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iibccgep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgffoo32.dll"	Iplkpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfqikef.dll"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adndoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Feoodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfkbde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohkkhhmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gejopl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahcld32.dll"	Ipjoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilccoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmenca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klplbbaq.dll"	Onnmdcjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhenj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eifaim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgobel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjpda32.dll"	Kpcjgnhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhahaiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmeede32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbqpfg32.dll"	Jilfifme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmiikh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coqncejg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lclpdncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdecgbfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gflhoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddgibkpc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 1908	4760	b073676e0b53d295f14cff067cf595eb.exe	91
PID 4760 wrote to memory of 1908	4760	b073676e0b53d295f14cff067cf595eb.exe	91
PID 4760 wrote to memory of 1908	4760	b073676e0b53d295f14cff067cf595eb.exe	91
PID 1908 wrote to memory of 1256	1908	Dikihe32.exe	92
PID 1908 wrote to memory of 1256	1908	Dikihe32.exe	92
PID 1908 wrote to memory of 1256	1908	Dikihe32.exe	92
PID 1256 wrote to memory of 4144	1256	Efepbi32.exe	93
PID 1256 wrote to memory of 4144	1256	Efepbi32.exe	93
PID 1256 wrote to memory of 4144	1256	Efepbi32.exe	93
PID 4144 wrote to memory of 4916	4144	Efjimhnh.exe	94
PID 4144 wrote to memory of 4916	4144	Efjimhnh.exe	94
PID 4144 wrote to memory of 4916	4144	Efjimhnh.exe	94
PID 4916 wrote to memory of 3108	4916	Fcniglmb.exe	95
PID 4916 wrote to memory of 3108	4916	Fcniglmb.exe	95
PID 4916 wrote to memory of 3108	4916	Fcniglmb.exe	95
PID 3108 wrote to memory of 2600	3108	Ffobhg32.exe	96
PID 3108 wrote to memory of 2600	3108	Ffobhg32.exe	96
PID 3108 wrote to memory of 2600	3108	Ffobhg32.exe	96
PID 2600 wrote to memory of 4436	2600	Fplpll32.exe	97
PID 2600 wrote to memory of 4436	2600	Fplpll32.exe	97
PID 2600 wrote to memory of 4436	2600	Fplpll32.exe	97
PID 4436 wrote to memory of 5072	4436	Fideeaco.exe	98
PID 4436 wrote to memory of 5072	4436	Fideeaco.exe	98
PID 4436 wrote to memory of 5072	4436	Fideeaco.exe	98
PID 5072 wrote to memory of 1484	5072	Gfkbde32.exe	99
PID 5072 wrote to memory of 1484	5072	Gfkbde32.exe	99
PID 5072 wrote to memory of 1484	5072	Gfkbde32.exe	99
PID 1484 wrote to memory of 5052	1484	Gdcliikj.exe	100
PID 1484 wrote to memory of 5052	1484	Gdcliikj.exe	100
PID 1484 wrote to memory of 5052	1484	Gdcliikj.exe	100
PID 5052 wrote to memory of 2408	5052	Hkbmqb32.exe	101
PID 5052 wrote to memory of 2408	5052	Hkbmqb32.exe	101
PID 5052 wrote to memory of 2408	5052	Hkbmqb32.exe	101
PID 2408 wrote to memory of 392	2408	Hpabni32.exe	102
PID 2408 wrote to memory of 392	2408	Hpabni32.exe	102
PID 2408 wrote to memory of 392	2408	Hpabni32.exe	102
PID 392 wrote to memory of 1276	392	Idahjg32.exe	103
PID 392 wrote to memory of 1276	392	Idahjg32.exe	103
PID 392 wrote to memory of 1276	392	Idahjg32.exe	103
PID 1276 wrote to memory of 2812	1276	Iphioh32.exe	104
PID 1276 wrote to memory of 2812	1276	Iphioh32.exe	104
PID 1276 wrote to memory of 2812	1276	Iphioh32.exe	104
PID 2812 wrote to memory of 1020	2812	Ilccoh32.exe	105
PID 2812 wrote to memory of 1020	2812	Ilccoh32.exe	105
PID 2812 wrote to memory of 1020	2812	Ilccoh32.exe	105
PID 1020 wrote to memory of 2644	1020	Jpaleglc.exe	106
PID 1020 wrote to memory of 2644	1020	Jpaleglc.exe	106
PID 1020 wrote to memory of 2644	1020	Jpaleglc.exe	106
PID 2644 wrote to memory of 736	2644	Jdodkebj.exe	107
PID 2644 wrote to memory of 736	2644	Jdodkebj.exe	107
PID 2644 wrote to memory of 736	2644	Jdodkebj.exe	107
PID 736 wrote to memory of 3608	736	Jnlbojee.exe	108
PID 736 wrote to memory of 3608	736	Jnlbojee.exe	108
PID 736 wrote to memory of 3608	736	Jnlbojee.exe	108
PID 3608 wrote to memory of 660	3608	Kkconn32.exe	109
PID 3608 wrote to memory of 660	3608	Kkconn32.exe	109
PID 3608 wrote to memory of 660	3608	Kkconn32.exe	109
PID 660 wrote to memory of 4440	660	Kgipcogp.exe	111
PID 660 wrote to memory of 4440	660	Kgipcogp.exe	111
PID 660 wrote to memory of 4440	660	Kgipcogp.exe	111
PID 4440 wrote to memory of 1848	4440	Kcpahpmd.exe	112
PID 4440 wrote to memory of 1848	4440	Kcpahpmd.exe	112
PID 4440 wrote to memory of 1848	4440	Kcpahpmd.exe	112
PID 1848 wrote to memory of 4280	1848	Lddgmbpb.exe	113

C:\Users\Admin\AppData\Local\Temp\b073676e0b53d295f14cff067cf595eb.exe
"C:\Users\Admin\AppData\Local\Temp\b073676e0b53d295f14cff067cf595eb.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\Dikihe32.exe
  C:\Windows\system32\Dikihe32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\Efepbi32.exe
    C:\Windows\system32\Efepbi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\SysWOW64\Efjimhnh.exe
      C:\Windows\system32\Efjimhnh.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Windows\SysWOW64\Fcniglmb.exe
        
        C:\Windows\system32\Fcniglmb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4916
      - C:\Windows\SysWOW64\Ffobhg32.exe
        
        C:\Windows\system32\Ffobhg32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Fplpll32.exe
        
        C:\Windows\system32\Fplpll32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Fideeaco.exe
        
        C:\Windows\system32\Fideeaco.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Gfkbde32.exe
        
        C:\Windows\system32\Gfkbde32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Gdcliikj.exe
        
        C:\Windows\system32\Gdcliikj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Hkbmqb32.exe
        
        C:\Windows\system32\Hkbmqb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Hpabni32.exe
        
        C:\Windows\system32\Hpabni32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Idahjg32.exe
        
        C:\Windows\system32\Idahjg32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Iphioh32.exe
        
        C:\Windows\system32\Iphioh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Ilccoh32.exe
        
        C:\Windows\system32\Ilccoh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Jpaleglc.exe
        
        C:\Windows\system32\Jpaleglc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Jdodkebj.exe
        
        C:\Windows\system32\Jdodkebj.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Jnlbojee.exe
        
        C:\Windows\system32\Jnlbojee.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Kkconn32.exe
        
        C:\Windows\system32\Kkconn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Kgipcogp.exe
        
        C:\Windows\system32\Kgipcogp.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Kcpahpmd.exe
        
        C:\Windows\system32\Kcpahpmd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Lddgmbpb.exe
        
        C:\Windows\system32\Lddgmbpb.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Lmpkadnm.exe
        
        C:\Windows\system32\Lmpkadnm.exe
        23⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Lclpdncg.exe
        
        C:\Windows\system32\Lclpdncg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Lnadagbm.exe
        
        C:\Windows\system32\Lnadagbm.exe
        25⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Mgobel32.exe
        
        C:\Windows\system32\Mgobel32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        28⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Neqopnhb.exe
        
        C:\Windows\system32\Neqopnhb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Njmhhefi.exe
        
        C:\Windows\system32\Njmhhefi.exe
        30⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Nhahaiec.exe
        
        C:\Windows\system32\Nhahaiec.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Onnmdcjm.exe
        
        C:\Windows\system32\Onnmdcjm.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ohkkhhmh.exe
        
        C:\Windows\system32\Ohkkhhmh.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Paelfmaf.exe
        
        C:\Windows\system32\Paelfmaf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Amjillkj.exe
        
        C:\Windows\system32\Amjillkj.exe
        37⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Alkijdci.exe
        
        C:\Windows\system32\Alkijdci.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Aolblopj.exe
        
        C:\Windows\system32\Aolblopj.exe
        39⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\Aonoao32.exe
        
        C:\Windows\system32\Aonoao32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        41⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Adndoe32.exe
        
        C:\Windows\system32\Adndoe32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        45⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        48⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        50⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        52⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        57⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        62⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        65⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        66⤵
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2516
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        71⤵
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        73⤵
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        75⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        76⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        77⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        79⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3200
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        81⤵
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        82⤵
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        84⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        85⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        86⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        87⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        93⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        100⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        101⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        102⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        103⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        105⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        110⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        111⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        112⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        113⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        114⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        121⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        122⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        124⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        127⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        128⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        136⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        140⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        141⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        142⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        145⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        147⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        148⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        149⤵
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        150⤵
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        151⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6460 -s 400
        152⤵
        Program crash
        
        PID:6784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6460 -ip 6460
1⤵
PID:6508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aolblopj.exe

Filesize
192KB

MD5
d4429919c7a5f8592ecc4ea58e517ced

SHA1
c4dcca53a017ec9376785a3b495912b1f69f81d2

SHA256
0cd9988026d99151df66e3e8398e7c3859a904f70bb9a39a3a88a63b7db48417

SHA512
b3eb54611305cb8a8b232a3187e2479520b3d1aeb03327e3dffbd1ee3fcb0488456bebe5be896e168a760310f35aae9beb595dfa2b6c722c24e2346c15c2353a

Download Submit
C:\Windows\SysWOW64\Bhbcfbjk.exe

Filesize
276KB

MD5
9db176d27dbca434d7804520098c7ffb

SHA1
4f1afc3d94bed98f10acd4d54d36dea3072c3b3a

SHA256
4ebc460f1e0a23b4a10de1f22c306ac7d6ca5eaddac40a6256535fd76f464ad2

SHA512
d444e97fca370ce94cb89d4800a72e91e7eac7ffa3fd6a700c046231e81bafd7db358523484561f45d6d061f4590d20206796ab4b466cb56d4876512f2d4641a

Download Submit
C:\Windows\SysWOW64\Bnhenj32.exe

Filesize
276KB

MD5
1909d25a351d6a7ec6dc37368b0a7356

SHA1
19fa0554446a2e00cbb5859a29ff10e2e4354b94

SHA256
9f7a4b2234e3f96b580a51e1e0959d3d7dff074731f251f0ca7b4ac39b9cd256

SHA512
cbf5350919ae05af025cbd813b42e95d4cb1bcbc1583742e5061ad23302ccf3ee0b7bfce1d33980a7f69edf4760f2d38f0d867c564761b9c63ad00297470bb24

Download Submit
C:\Windows\SysWOW64\Cfipef32.exe

Filesize
276KB

MD5
2069d13f3d1135318c8edf7023f7925f

SHA1
d2c36f595da8d3c1168f0ef76df2a1684821d29f

SHA256
6b23970d24cba257d659671f2af0397a5b459f18b4a9afea6c5ed6f5ae9a062d

SHA512
e4b25bfb6c06293ba2a3e028f1598be42c2664058022a8f2bae7721b228b7c8b8e9cbc8c5fbdeb13ef1ca1c2856d130eb92120daf44bbd7a57cdd3e9de2ec562

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
276KB

MD5
eb3f1a070a45d1619060a1475817435b

SHA1
39c384cd94493b6cccdc1fc12084e987c06f12d9

SHA256
66bd06cdfd667ff9688904834eaba87206d1b47052611bb47cb0770a0e41baba

SHA512
6febaa9fcc7760eeffd62098d522b31fbd4e18c1ed7df1fb9f0d2a6a4d08fad59dd3fa45ecf6063dedf108d09853d66c156355bc69a26bc058b93b279193bc2c

Download Submit
C:\Windows\SysWOW64\Ddnfmqng.exe

Filesize
276KB

MD5
f84ac456c5b15ec7965d9c37e874149e

SHA1
2dbffc6cfea4ba230e70c4a95de5e37458b3d622

SHA256
9a300da4274ec9ad1e2d2e58e322f60570914e620656ff9083dc57d70c9f88c2

SHA512
c0665522d07788845575d0a8dcaac52953d41d4184e4bef99e330380ebff87433a104f4a8c8b8a93229f802152a77dd01b7dba3a895168f79cfb1a905af19fc9

Download Submit
C:\Windows\SysWOW64\Dikihe32.exe

Filesize
276KB

MD5
47b2bb95b5c410b5c812585f57791779

SHA1
85694f15dc9114267c4f13b4e17b927840f23b31

SHA256
44a06d4a5e0a18b96fe1653f59b486bc129ff53f0d5c93a00204b6df130b31cd

SHA512
c173300e9cadb20028c32f50cea20c7e7246f6065f266e2fcac732c4b677fb08175483bd628606b79136214af56eb2cab03332eaf22a393dc7b1c6d9293139ec

Download Submit
C:\Windows\SysWOW64\Efepbi32.exe

Filesize
276KB

MD5
021a71fd832fb19fd3375f00bef9e672

SHA1
7112488ed20db3bd4a579b642556a1c8d9f56bff

SHA256
5c5adf2fa034567681df47a57b5074ae2e80fb4f3fc0d4624f1d89606c51539a

SHA512
24782175ec8954ced3a5b3cd625d9509f38659b09aaad1f4f3eb7d6ee95683acad701387f7039881bc9addfb116120424518b6bd6d771355caf614634fd92b42

Download Submit
C:\Windows\SysWOW64\Efjimhnh.exe

Filesize
276KB

MD5
5b6c2ef26ffc9954801f800146096521

SHA1
8dca3692831b0498c744bb758c8110f72ef95d96

SHA256
a60d5a558d6f3bb93a0b5a88711712f47fa7369dde809cecff138fc587660d0a

SHA512
188a78bc221157596322a431cfc83310f591770f6d7c85e60d7e6ab53478ce8edc77051d5516a40eaf1049e2c873a2a994758ad7cd3cd2ac18dadc5114696baa

Download Submit
C:\Windows\SysWOW64\Fcniglmb.exe

Filesize
276KB

MD5
ad8882b77b842bc07ef6e3786e5e21b6

SHA1
a779edba204923b53cdc71c6778a374e64c68160

SHA256
ebb893417410d8a66c71efbc39cbe8c93ce07803b6b3bd3834b6473640e60656

SHA512
b9a5cc5d1a6379e208b54e9c4f37d1344bad3b93ecc7ae2b36e411bea7475f48c77ecb0089fa50801a751328578c78ebe8f39532ef24090c228fe8145e1f5f41

Download Submit
C:\Windows\SysWOW64\Ffobhg32.exe

Filesize
276KB

MD5
d0394ac4f1537af1eb5370189bc1fc12

SHA1
102e868961cf6a1f10313a66f7e58cf4a41f4299

SHA256
ac42c2d58444cd852d0108fc11c55f3ee6fc5e52c339c3513594d4883daf07d5

SHA512
135f899ce817e4bb71d0b1a602aba487cd5cebbdca2ed48d0e2628a2e38e645d3b03727155c4e40e50df6cf069b1b1583792a089b3cec42d1e80826727df7b3c

Download Submit
C:\Windows\SysWOW64\Fideeaco.exe

Filesize
276KB

MD5
aab3a136a0a6aa2f4984d6ccc12ad07c

SHA1
ad80acc2f5312eec5d84d1f39234bb55de73e96d

SHA256
de645a502cfbf65e452554a654667efeb8e7ca64e46ab53341368dcf21687162

SHA512
adaf7c140df0c3e2303ebbe8a2f28e217672ccc806e664164a5efea42fd2edd986263b642f7a12c6a6495b91244b96c15040e1c85e179a7f8801d4f8e71e31db

Download Submit
C:\Windows\SysWOW64\Fplpll32.exe

Filesize
276KB

MD5
b3aae5fca815fd89af5524d0c8104189

SHA1
3398c8b16e97729e2054a69442bd5255b0374883

SHA256
40c865196dd3e05846024881b77402b7d55850af9bb346a0e0fbc6d6ae5f46de

SHA512
64fbb4cc6f766832ce3e081058a4bbde4f961109e3655e2284387880087b49e80ed31d95913551b6a9df4a2bc42fb18abf3feec6d9ad1dea8519bdd235a8e133

Download Submit
C:\Windows\SysWOW64\Gdcliikj.exe

Filesize
276KB

MD5
f1fb9b04f195a0b962e9b904c2a902c5

SHA1
15fc929b1569e715d28d35988390501ef99f5800

SHA256
796cbacf2e71cabaa97c0f87339b50e796f3b2758366c1daaf36b2c7b9e8a164

SHA512
f07b7f427fd04c7e35415bfdc915b7e234f5907305090201ad1b6011b716281a6f2995b34ee177b7e9d1ccb2ac08ab4bb3310f96bf2df5166290051289acd16b

Download Submit
C:\Windows\SysWOW64\Gfkbde32.exe

Filesize
276KB

MD5
f35ba65815606f287a33a9a060c77807

SHA1
c470c6c22cd1ecfc511e35e5453b75320277b86c

SHA256
b9e8900a1e70d1a34543e4167b722394a1891ac59b37c09b9a63ba3db81deeef

SHA512
5b1310149cfb36d4777eebd9701620a05c863b9c94ee04dccaac88e59c380363cbae540252b6aceb390df8e43aca32bd5d699eff7b1a0adb9524ede5ef4a8e29

Download Submit
C:\Windows\SysWOW64\Hkbmqb32.exe

Filesize
276KB

MD5
02edf3836bf3ffc8a254916ef7b3eba1

SHA1
a3865c80ddb251c2f50f89638c111cca398d7c79

SHA256
df2a708e2791d9fb2450c0778efc656b678512b7379cf67624a22747554d29cd

SHA512
a293ec8a1b856f5031755ac6aa7996c3bdf3df68f32609bb1c1e08688fe73885a0b9aa7c848dc4e32de7806879992dac0536db27fc8c9905e1242cca968a51d9

Download Submit
C:\Windows\SysWOW64\Hpabni32.exe

Filesize
276KB

MD5
513afc63b226b879a3fafa449305eec0

SHA1
ed159b443f5634a6d9f8c0a29ca53e4527cbaef1

SHA256
c46eb0e26dffc2223929ea40c7f53097959c75251839e34887a3006119657ea5

SHA512
746a9e95db7967ffd372775e6941112ed7e5f276a0f0e513f08ff3a4c6163159480b86b26f9c539b5e2799842f4f06265373257252c903c9936ea50eb8ad1880

Download Submit
C:\Windows\SysWOW64\Hpqldc32.exe

Filesize
276KB

MD5
c99daf5176939faa72d437d35bb3ea4c

SHA1
b244cda11124f9b26e685ee73bd926ac948650cf

SHA256
e85592b390cd94acc437503b3a8adc55635045892a92597266820e368dd409ed

SHA512
5520bc1fe3f93ea35f07610ded039835f33f18e2b03ef13d238653e4ebf2e89851f948620ef7afc744e73361e1e5b2d1ec633b534aff468d76af1eb57de46cff

Download Submit
C:\Windows\SysWOW64\Idahjg32.exe

Filesize
276KB

MD5
96bbf74ecffa5d8e010b66b3b6ca8834

SHA1
0b3a0c931533fd07dab0a6d8e888dcc84770778c

SHA256
ac93a153785957e42868e9572eb26983fb85eadd42e4396eedfc9408384e4fb5

SHA512
bc21e072bbf3baad9187ae60e95991576ea01966c745929939d1eefe03398b463b249475e7fb14f91dd383dc62dab05a7c6b718e965acf0f9a6aae2e5d9ccdd3

Download Submit
C:\Windows\SysWOW64\Ilccoh32.exe

Filesize
276KB

MD5
5ff5efeed599cdb122bdaa623d6ed494

SHA1
d1e11e35dbaba20f45ddaa339635eb0ec6aef3ba

SHA256
55d6e4c659f6d4a98fc9116f6e002720b7f74cdf800f3ddbda9914336c16b7ce

SHA512
25b3e360e0466507b12efa9cefe432fd2b2feff0cc24525119e8f18675e356407ad80ddf7f6742316a7bff6e5ec3e3c6f89114956a1f57f58b39230f8665c383

Download Submit
C:\Windows\SysWOW64\Iphioh32.exe

Filesize
276KB

MD5
223af8eadd67704a7d15bd6c07d58393

SHA1
0c5699f5d4f3ab3f8d114e8d7e64c730b2f50d7c

SHA256
02572f978d6278b0e4ca9798a47324b26bafdbac073a4cc952d0566f69a98167

SHA512
be8cfb9067e5d398c0ed024debbfda13768ca6acb298d16a7814e7620fbc6ae2bad6fb708262f92cdffedebffca05e81746c5b15dcab4775a480fb8fe19cc1d6

Download Submit
C:\Windows\SysWOW64\Jdodkebj.exe

Filesize
276KB

MD5
b891d3d9f27728093fe638be29911c2d

SHA1
609145e9f8df8d1eacf9467cb6d4972d58012079

SHA256
9c29b9392a1c7e6c98c8fc450f2a3b5ddc6adc691b5a0e29bcf25742458e383f

SHA512
17e3000e69cc7e96e8c7a4f56343488c6979d60af3993c9d92ad849a100b2fc3fcfaa5dd4e56eb32c02bd43812407372ec1be84b365c81e47e7a7e0596e3b696

Download Submit
C:\Windows\SysWOW64\Jnlbojee.exe

Filesize
276KB

MD5
4fa2148f4976f0e7affe60629c8018b8

SHA1
803e56c3cc8cdb967e19e2aa0aeac8e3bd091cf1

SHA256
1d8febf668990279dbb0a9825540c61ea096ab643d6a47ce1d5deedec0b53a95

SHA512
9db06d786c1c2e14d269fa35d0a4d89d21d0dcff3fb281a8d0f3629888b72db64c8f26cd921a1fd38f30985d004e20e8ba7312b4fcd11d731d07c608c8da79a2

Download Submit
C:\Windows\SysWOW64\Jpaleglc.exe

Filesize
276KB

MD5
c5d097d1c3a61089fd3c3485f3236828

SHA1
f21ba3e1d9ffad2b8d09d5ed0f630046f4ab31fc

SHA256
8846b529b48c68c0327e99488621f5177d0f04ae1442869ca6485a9049bc5226

SHA512
cd9a9858621656d324e3662486080ae57450119211d42ccd353d446ec8181db4d4c60a1e8bc0ae5e43f5df28817b58556356697962901d6c76232ac6a16fdd4e

Download Submit
C:\Windows\SysWOW64\Kcpahpmd.exe

Filesize
276KB

MD5
73e7691f08020181a85758a0ee8b5c29

SHA1
796fc0c766fb225434cd240d9d462cb49216b01a

SHA256
48a1c5adf22175d917630ed00b2749b64f94498ddd81bba72511681f7061eaec

SHA512
2ad3519646dfbf0b52cc088e94e2cfae694aa881303a6cfc315a84c12e942216be92e20d813133cdd0905294a2930fc69145c38343fdbfa9f5c6b48c311011fa

Download Submit
C:\Windows\SysWOW64\Kgipcogp.exe

Filesize
276KB

MD5
7ef595c31fe3dc9728ba2e2cf5bcb590

SHA1
be9dd89c33a6b3ec634b346dd396ede72e4d89b6

SHA256
5b1a652d853f8ed3d170e35d9f700886ce0e6391129e35a49e1fbcd7b3dfbe06

SHA512
3b6f9f8b1c524adc17d0bea7c0aef137bd6c3069cb08feebd35592421a2962a1d002edc58e3495a561de7eb736cff5ee0efbd2faa37c414247002670e78f4df1

Download Submit
C:\Windows\SysWOW64\Kkconn32.exe

Filesize
276KB

MD5
142988437b9218c4ab18b4415e2a4ad0

SHA1
d9c3daea1e5347ff80dd579809a8eb9a188086e4

SHA256
b80891b0aa72bc13c9ec9008d2c046471f7771892cc978b6c86f82b6e3244b6d

SHA512
a5ef2f0d9ed51a7775d0e473db1d8644dccce88095a9109fda66285b3f9c83c00f98eff8624b3954db681105a2f967534f2ce6add28d54f6c04d30852e08b547

Download Submit
C:\Windows\SysWOW64\Lclpdncg.exe

Filesize
276KB

MD5
e6a12ae0d8734b41121e212c50407521

SHA1
48d525b428cee6336cbf8927a1632e0d903afc57

SHA256
e4312277632a29e4dee460c196f66002c0c2da777e2e7d6c17b0b78c30db4bf8

SHA512
ce8e6dc0a1ab5328882e98abb14ff4b1013b67c06ed009f04afd73844680df30da5ed10c2930c26bb34f2925ac64edbdd81d8ff27f35ff759e82abdcc6337fad

Download Submit
C:\Windows\SysWOW64\Lddgmbpb.exe

Filesize
276KB

MD5
586258f2697feab40de9764abffdfa53

SHA1
0ebcc50307ec2ac634769e8a973bf7236471f57f

SHA256
bb96d96863a5f5629a80b39f5034d969b296b038fc0b908d84b9e8a776d5ad8d

SHA512
0d7b53ceee471276c9045d7b178c07a450d5cd3454161f07101ba25e5217b4a769df7a41670d86f19c05cef5a0a8a524eee41727450b83b0b24e3b62994bd79d

Download Submit
C:\Windows\SysWOW64\Lmpkadnm.exe

Filesize
276KB

MD5
1b2392160c0c07a53719a8484333de1a

SHA1
a048835a54ca1f1a3cb1c073fc8248c5616198d4

SHA256
c7a7463fdd6f678147f6f09e3ca371460d18cf6861737282205e7a3596177d5c

SHA512
1c0f759263ec9fc496d23dfd9b6947bbe2a414fd72d6378094d95d36c1130d87cd1de3131451caa462f5927b46b1df61ad68510c102902df138de4865953caa7

Download Submit
C:\Windows\SysWOW64\Lnadagbm.exe

Filesize
276KB

MD5
86f739b86ffb670dafd377d783c6b6f8

SHA1
0d5f7342a7868131a5ef5d75347acdb88206d22a

SHA256
e13ef6b6a4891a41a915635444cfb53bf9dbe5d742f0730090c70e90f8cb4513

SHA512
8ab18692d2615c4827bb660f5d3bbc21d8b52d8dcf2ff6ff532b9a7aafeea647000cfdb6f6eb128dcf79e3c9540ee19ba7685b1f4c728462a6654dd8386785bd

Download Submit
C:\Windows\SysWOW64\Mgobel32.exe

Filesize
276KB

MD5
a0973f1c0c047a76c399472d4d78ef5f

SHA1
eb376a36699002aa44f45b49f89df7b0deb0fa34

SHA256
ca321d1b49507ea882f4b9697c211f216d672772d9267649087cd4239d21c2db

SHA512
d218d2dae2b1f91083d0fa21f3633b22f1594d4582fdc9ebd13b34fbce3af7f3e674fbb30195b91be0dd9bc2c1fda20622c310aa81ec372c48cc000f671aa21e

Download Submit
C:\Windows\SysWOW64\Neqopnhb.exe

Filesize
276KB

MD5
408829fd7dccae75a76430c43a984318

SHA1
5f8e8db9ae48921e28d6ee786b65991d289cfa58

SHA256
269f8c08fdc48c460dc2e67dfe273184da8bf2ab9dd68f140c106b2055605e90

SHA512
a0f06f26e263566c1b01b1ac144de326a2dfd23a35b4c894e2cc5a25bfdf859f8dad0396cc5989e4667e20a965d099b2ad57236cd8b10145ca0c6dc316d00e92

Download Submit
C:\Windows\SysWOW64\Nhahaiec.exe

Filesize
276KB

MD5
ea6bb8f864168ad028019935be4c678d

SHA1
77b80cfa6ba8dbb5d1d7d40d0bca6f9b83ab45f2

SHA256
422cc38587408ae146e67287bd9ff900733512e14a29d5469071dcb8b81d58b3

SHA512
a8a7ca4e588a6a46d5d2afa3f51fa881927a7131ab79723a485ecc164f2df5a1a433713470f7553034c7c535cc5bf947fc9aaafab5e81199e04ca78b3786c66d

Download Submit
C:\Windows\SysWOW64\Njmhhefi.exe

Filesize
276KB

MD5
22d1f51f7bdcd436082ec8266b887917

SHA1
7364558b55e844e5a5ee9b6557305bb494d17972

SHA256
781f3b8d73bb90a0ef49320d4600a0d6b91a47c35747b7b5511ce9846d961334

SHA512
0c04edcefd55afa72d1ae9c5cb4bf4d060aab4ec8107bd94abb33d2fb6836928f8e9d880cc5bd9389c2486447f0449d8958a20f03c1dc7c6f23262a8f2dc88c7

Download Submit
C:\Windows\SysWOW64\Nlfnaicd.exe

Filesize
276KB

MD5
39cef3c9953b339b57853952edbe685f

SHA1
27fcd4d995ac331e0675011eb483d062a1a8de08

SHA256
757f7422c77178e0aa4719bf345dd1da36648b6b9477cb13fdcde946bc3a351c

SHA512
ec60aba8dca493d58ab16d57d6e4118fd82f83941daffad5a235e6fb2f06fa22e3bef4060e98a72bfd669f4a4c0b3becb7dacfcc7ef2eaecd299688d6e6c7f61

Download Submit
C:\Windows\SysWOW64\Nmenca32.exe

Filesize
276KB

MD5
32edc51758d869874f40f22f3144726c

SHA1
d39cbb34f0e85edaf228818fd375c8f58ecf1c2b

SHA256
f894d4dfa77f06d94c0140eb6dc846877c6594861a037c59e3adbba4ead3988e

SHA512
180374d0a8c39206ead2c4aa12839a6d98dfab14655f35ea09d1e141ec293d1220e92c6c18319a0cdce4de3af518672d3245c291a957aa7c5838d3921204171f

Download Submit
C:\Windows\SysWOW64\Ohkkhhmh.exe

Filesize
276KB

MD5
07dcc65635d73564164cb4d1fb69ec32

SHA1
ef1ff918317ac5ef841ba52c721df065740242c7

SHA256
d2298e2b06180bb77efc082422d5112e6a86737b2697ad753756c664c71a7d83

SHA512
8419b858a9f291767988948e3aca7cf42e37e9860ce65f6110a6648e72c4e9270fb3131bc5b638fb85d1a0aa3cccaaf4178105f4a3a74973870c1775045686b4

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
276KB

MD5
692f80ad4ddb3bfb466b83c67c0c1161

SHA1
572ef9fb17f2e6592e03ac769ea8dac904cc84f3

SHA256
eb8aa791934ca9959b6c3274bdc349602effb9538deefdf1102fb9fa1fa33b4c

SHA512
757da4f9a57006e21bab003bd4e6e1e444fb0f0b82fa63dad865547d57c5397995e22ebb5faa73219fa64da5bf24a116b73754f6fbee275292bcf122495c45d3

Download Submit
C:\Windows\SysWOW64\Onnmdcjm.exe

Filesize
276KB

MD5
05b3224fbeb1e5b6553e9dbaa05bee9f

SHA1
122f5ddae00919f13631182e9160b4430471b2ac

SHA256
ad6408377ce9056ba2d91bada9ce3ad7b07be2acbafc1c98fb8313c530efe79d

SHA512
d4892c18a32eab558bc32d9d54b56ced078dceb24e00ae89a95a180fa24a7ac5ac0ee0e185bdcb3260b9d99058cd976bbcc490643631b86a7ea336111f1393dc

Download Submit
memory/224-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/660-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/700-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1256-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1884-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads