ec9f6a6dc4f81d8fdd7985a6549c6befa759e9d7eb6cfc49c218ba7069253b1a

Analysis

max time kernel
154s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a149c1b2b4f97f3430c547d58c45237c.exe
Size

55KB
MD5

a149c1b2b4f97f3430c547d58c45237c
SHA1

13f12bfd4093592010b63dbd2b862cab096f3f30
SHA256

ec9f6a6dc4f81d8fdd7985a6549c6befa759e9d7eb6cfc49c218ba7069253b1a
SHA512

fbc05047bda39bb3e8d6d532b61cfc8c71105d1537a8fc821cbd0e1a9c45845f0955d2662af30322ba0269693ef1bdb8a690f1797da7623810d41805ccaa82ee
SSDEEP

1536:dmiMcrZGVsGRvixHHvCiErzwHl9jFmpn2LmN:dmi5Z5GwHvCiVnjFh6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mknlef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eppobi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkekjdck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apggckbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebagdddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jqofippg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iafkld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgfdgpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mknlef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcodfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcdfho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhnichde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhnichde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgmebnpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liabjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bichcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Binhnomg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imfmgcdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcfnqccd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npbceggm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnbgaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgfdgpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhaope32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpjelibg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edplhjhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nahdapae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bichcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpkbfdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jimldogg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjcmngnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emgblc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbiabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihmfco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplmliko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnmjomlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfqdid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhflhcfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpmeimpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebokodfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjelibg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebejem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcnnllcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jflnafno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhoind32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnamofdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edplhjhi.exe

Executes dropped EXE 64 IoCs

pid	Process
376	Npbceggm.exe
2600	Ofhknodl.exe
3864	Ojhpimhp.exe
4996	Pagbaglh.exe
3712	Pnplfj32.exe
4172	Aaldccip.exe
3688	Bkgeainn.exe
3516	Boenhgdd.exe
3116	Cdbpgl32.exe
1392	Dkekjdck.exe
2276	Edplhjhi.exe
952	Ekonpckp.exe
180	Ekcgkb32.exe
4380	Gnnccl32.exe
4812	Ggmmlamj.exe
2052	Hnphoj32.exe
4756	Ihmfco32.exe
4796	Iafkld32.exe
4564	Iajdgcab.exe
4268	Jaonbc32.exe
4396	Jocnlg32.exe
1636	Jimldogg.exe
2896	Kplmliko.exe
4436	Kabcopmg.exe
3152	Legben32.exe
3000	Mjlalkmd.exe
4056	Mpeiie32.exe
3372	Pbhgoh32.exe
704	Apggckbf.exe
5104	Binhnomg.exe
4980	Dpjfgf32.exe
3960	Dncpkjoc.exe
1220	Fcpakn32.exe
5068	Fqfojblo.exe
4256	Gdgdeppb.exe
116	Gjcmngnj.exe
5024	Gcnnllcg.exe
5084	Hccggl32.exe
2204	Halaloif.exe
1892	Ihceigec.exe
2940	Jnbgaa32.exe
5056	Jjnaaa32.exe
1288	Kdmlkfjb.exe
1416	Lacijjgi.exe
3748	Lhbkac32.exe
3420	Lehhqg32.exe
4904	Moalil32.exe
4824	Medglemj.exe
2960	Nlcidopb.exe
3336	Nhlfoodc.exe
4820	Pmhkflnj.exe
948	Pbgqdb32.exe
924	Afnlpohj.exe
1876	Bpbpecen.exe
3656	Cehlcikj.exe
4744	Dfakcj32.exe
2220	Emgblc32.exe
4232	Fpmeimpn.exe
4252	Hnehdo32.exe
5040	Imdgljil.exe
3148	Ifcben32.exe
3392	Iaifbg32.exe
2284	Kceoppmo.exe
2508	Kmbmdeoj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nlcidopb.exe	Medglemj.exe
File created	C:\Windows\SysWOW64\Pbgqdb32.exe	Pmhkflnj.exe
File opened for modification	C:\Windows\SysWOW64\Imdgljil.exe	Hnehdo32.exe
File created	C:\Windows\SysWOW64\Klbjgbff.dll	Ojhpimhp.exe
File opened for modification	C:\Windows\SysWOW64\Bkgeainn.exe	Aaldccip.exe
File created	C:\Windows\SysWOW64\Mlkhbi32.dll	Ihmfco32.exe
File created	C:\Windows\SysWOW64\Mpeiie32.exe	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Hkglgq32.dll	Moalil32.exe
File opened for modification	C:\Windows\SysWOW64\Cbqonf32.exe	Cemndbci.exe
File opened for modification	C:\Windows\SysWOW64\Dnkbcp32.exe	Dioiki32.exe
File created	C:\Windows\SysWOW64\Iafkld32.exe	Ihmfco32.exe
File opened for modification	C:\Windows\SysWOW64\Hnehdo32.exe	Fpmeimpn.exe
File opened for modification	C:\Windows\SysWOW64\Mhoind32.exe	Mdaqhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cgejkh32.exe	Cbiabq32.exe
File created	C:\Windows\SysWOW64\Qnhkpgaj.dll	Nahdapae.exe
File opened for modification	C:\Windows\SysWOW64\Ihmfco32.exe	Hnphoj32.exe
File created	C:\Windows\SysWOW64\Hhdjkflc.dll	Pbhgoh32.exe
File opened for modification	C:\Windows\SysWOW64\Gjcmngnj.exe	Gdgdeppb.exe
File opened for modification	C:\Windows\SysWOW64\Lehhqg32.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Ifofkacc.dll	Lmqiec32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjfgf32.exe	Binhnomg.exe
File created	C:\Windows\SysWOW64\Lpljgpbj.dll	Kceoppmo.exe
File opened for modification	C:\Windows\SysWOW64\Fcodfa32.exe	Flekihpc.exe
File created	C:\Windows\SysWOW64\Hiocnbpm.dll	Halaloif.exe
File created	C:\Windows\SysWOW64\Mdcbee32.dll	Fpmeimpn.exe
File created	C:\Windows\SysWOW64\Fcaqka32.exe	Fcodfa32.exe
File created	C:\Windows\SysWOW64\Jcbhjg32.dll	Pklkbl32.exe
File opened for modification	C:\Windows\SysWOW64\Liabjh32.exe	Lcpqgbkj.exe
File created	C:\Windows\SysWOW64\Ekcgkb32.exe	Ekonpckp.exe
File created	C:\Windows\SysWOW64\Dioiki32.exe	Dnienqbi.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Midfjnge.exe	Libido32.exe
File created	C:\Windows\SysWOW64\Hjpdjplo.dll	Dioiki32.exe
File created	C:\Windows\SysWOW64\Fidgmfgl.dll	Joaojf32.exe
File opened for modification	C:\Windows\SysWOW64\Poeahaib.exe	Ngnppfgb.exe
File opened for modification	C:\Windows\SysWOW64\Epehnhbj.exe	Ebagdddp.exe
File opened for modification	C:\Windows\SysWOW64\Hcdfho32.exe	Hgmebnpd.exe
File created	C:\Windows\SysWOW64\Legben32.exe	Kabcopmg.exe
File created	C:\Windows\SysWOW64\Ipecicga.dll	Apggckbf.exe
File created	C:\Windows\SysWOW64\Edkakncg.dll	Medglemj.exe
File created	C:\Windows\SysWOW64\Dbfccfbm.dll	Hnehdo32.exe
File opened for modification	C:\Windows\SysWOW64\Iaifbg32.exe	Ifcben32.exe
File created	C:\Windows\SysWOW64\Moqknklp.dll	Ikmpcicg.exe
File created	C:\Windows\SysWOW64\Ekonpckp.exe	Edplhjhi.exe
File opened for modification	C:\Windows\SysWOW64\Dncpkjoc.exe	Dpjfgf32.exe
File opened for modification	C:\Windows\SysWOW64\Kdmlkfjb.exe	Jjnaaa32.exe
File created	C:\Windows\SysWOW64\Epehnhbj.exe	Ebagdddp.exe
File created	C:\Windows\SysWOW64\Jqofippg.exe	Icbbimih.exe
File created	C:\Windows\SysWOW64\Binhnomg.exe	Apggckbf.exe
File created	C:\Windows\SysWOW64\Gjcmngnj.exe	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Jmjdlb32.dll	Kdmlkfjb.exe
File opened for modification	C:\Windows\SysWOW64\Oaejhh32.exe	Mhoind32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkkgbmi.exe	Liabjh32.exe
File opened for modification	C:\Windows\SysWOW64\Iafkld32.exe	Ihmfco32.exe
File opened for modification	C:\Windows\SysWOW64\Jjnaaa32.exe	Jnbgaa32.exe
File opened for modification	C:\Windows\SysWOW64\Mknlef32.exe	Mkgfdgpq.exe
File opened for modification	C:\Windows\SysWOW64\Ghcbohpp.exe	Fhnichde.exe
File created	C:\Windows\SysWOW64\Fhflhcfa.exe	Ebejem32.exe
File created	C:\Windows\SysWOW64\Bkgeainn.exe	Aaldccip.exe
File created	C:\Windows\SysWOW64\Epopbo32.dll	Bkgeainn.exe
File opened for modification	C:\Windows\SysWOW64\Nlcidopb.exe	Medglemj.exe
File created	C:\Windows\SysWOW64\Mbfggf32.dll	Cbiabq32.exe
File created	C:\Windows\SysWOW64\Gmefoohh.dll	Ekcgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pnmjomlg.exe	Poeahaib.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
224	3152	WerFault.exe	238

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Midfjnge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnienqbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkfpm32.dll"	Ghgeoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbqonf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlnlak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agckiqgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdaqhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaejhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhnichde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpjelibg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll"	Kabcopmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moalil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mejcig32.dll"	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpmeimpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iaifbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mipffl32.dll"	Mdaqhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dioiki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkkgbmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbhgqgk.dll"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpljgpbj.dll"	Kceoppmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebejem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbnknpqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fblpflfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agckiqgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnbgaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkpeom32.dll"	Mknlef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jflnafno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnnccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchknl32.dll"	Fhflhcfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a149c1b2b4f97f3430c547d58c45237c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlipbfgc.dll"	Cbqonf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkgdlkh.dll"	Oaejhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnnccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jqofippg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjbdk32.dll"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anncek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqiec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfnnmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiale32.dll"	Jqofippg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paomog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahgamo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lehhqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phajblpj.dll"	Flekihpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajkfn32.dll"	Qnamofdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbiabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhlebfjp.dll"	Fblpflfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liabjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcbee32.dll"	Fpmeimpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbqonf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfnnmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mopabjci.dll"	Haafnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cejjdlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnoiqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcfnqccd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 376	1800	a149c1b2b4f97f3430c547d58c45237c.exe	91
PID 1800 wrote to memory of 376	1800	a149c1b2b4f97f3430c547d58c45237c.exe	91
PID 1800 wrote to memory of 376	1800	a149c1b2b4f97f3430c547d58c45237c.exe	91
PID 376 wrote to memory of 2600	376	Npbceggm.exe	92
PID 376 wrote to memory of 2600	376	Npbceggm.exe	92
PID 376 wrote to memory of 2600	376	Npbceggm.exe	92
PID 2600 wrote to memory of 3864	2600	Ofhknodl.exe	93
PID 2600 wrote to memory of 3864	2600	Ofhknodl.exe	93
PID 2600 wrote to memory of 3864	2600	Ofhknodl.exe	93
PID 3864 wrote to memory of 4996	3864	Ojhpimhp.exe	94
PID 3864 wrote to memory of 4996	3864	Ojhpimhp.exe	94
PID 3864 wrote to memory of 4996	3864	Ojhpimhp.exe	94
PID 4996 wrote to memory of 3712	4996	Pagbaglh.exe	95
PID 4996 wrote to memory of 3712	4996	Pagbaglh.exe	95
PID 4996 wrote to memory of 3712	4996	Pagbaglh.exe	95
PID 3712 wrote to memory of 4172	3712	Pnplfj32.exe	96
PID 3712 wrote to memory of 4172	3712	Pnplfj32.exe	96
PID 3712 wrote to memory of 4172	3712	Pnplfj32.exe	96
PID 4172 wrote to memory of 3688	4172	Aaldccip.exe	97
PID 4172 wrote to memory of 3688	4172	Aaldccip.exe	97
PID 4172 wrote to memory of 3688	4172	Aaldccip.exe	97
PID 3688 wrote to memory of 3516	3688	Bkgeainn.exe	98
PID 3688 wrote to memory of 3516	3688	Bkgeainn.exe	98
PID 3688 wrote to memory of 3516	3688	Bkgeainn.exe	98
PID 3516 wrote to memory of 3116	3516	Boenhgdd.exe	99
PID 3516 wrote to memory of 3116	3516	Boenhgdd.exe	99
PID 3516 wrote to memory of 3116	3516	Boenhgdd.exe	99
PID 3116 wrote to memory of 1392	3116	Cdbpgl32.exe	100
PID 3116 wrote to memory of 1392	3116	Cdbpgl32.exe	100
PID 3116 wrote to memory of 1392	3116	Cdbpgl32.exe	100
PID 1392 wrote to memory of 2276	1392	Dkekjdck.exe	101
PID 1392 wrote to memory of 2276	1392	Dkekjdck.exe	101
PID 1392 wrote to memory of 2276	1392	Dkekjdck.exe	101
PID 2276 wrote to memory of 952	2276	Edplhjhi.exe	102
PID 2276 wrote to memory of 952	2276	Edplhjhi.exe	102
PID 2276 wrote to memory of 952	2276	Edplhjhi.exe	102
PID 952 wrote to memory of 180	952	Ekonpckp.exe	103
PID 952 wrote to memory of 180	952	Ekonpckp.exe	103
PID 952 wrote to memory of 180	952	Ekonpckp.exe	103
PID 180 wrote to memory of 4380	180	Ekcgkb32.exe	104
PID 180 wrote to memory of 4380	180	Ekcgkb32.exe	104
PID 180 wrote to memory of 4380	180	Ekcgkb32.exe	104
PID 4380 wrote to memory of 4812	4380	Gnnccl32.exe	105
PID 4380 wrote to memory of 4812	4380	Gnnccl32.exe	105
PID 4380 wrote to memory of 4812	4380	Gnnccl32.exe	105
PID 4812 wrote to memory of 2052	4812	Ggmmlamj.exe	106
PID 4812 wrote to memory of 2052	4812	Ggmmlamj.exe	106
PID 4812 wrote to memory of 2052	4812	Ggmmlamj.exe	106
PID 2052 wrote to memory of 4756	2052	Hnphoj32.exe	107
PID 2052 wrote to memory of 4756	2052	Hnphoj32.exe	107
PID 2052 wrote to memory of 4756	2052	Hnphoj32.exe	107
PID 4756 wrote to memory of 4796	4756	Ihmfco32.exe	108
PID 4756 wrote to memory of 4796	4756	Ihmfco32.exe	108
PID 4756 wrote to memory of 4796	4756	Ihmfco32.exe	108
PID 4796 wrote to memory of 4564	4796	Iafkld32.exe	109
PID 4796 wrote to memory of 4564	4796	Iafkld32.exe	109
PID 4796 wrote to memory of 4564	4796	Iafkld32.exe	109
PID 4564 wrote to memory of 4268	4564	Iajdgcab.exe	110
PID 4564 wrote to memory of 4268	4564	Iajdgcab.exe	110
PID 4564 wrote to memory of 4268	4564	Iajdgcab.exe	110
PID 4268 wrote to memory of 4396	4268	Jaonbc32.exe	111
PID 4268 wrote to memory of 4396	4268	Jaonbc32.exe	111
PID 4268 wrote to memory of 4396	4268	Jaonbc32.exe	111
PID 4396 wrote to memory of 1636	4396	Jocnlg32.exe	112

C:\Users\Admin\AppData\Local\Temp\a149c1b2b4f97f3430c547d58c45237c.exe
"C:\Users\Admin\AppData\Local\Temp\a149c1b2b4f97f3430c547d58c45237c.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\Npbceggm.exe
  C:\Windows\system32\Npbceggm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\SysWOW64\Ofhknodl.exe
    C:\Windows\system32\Ofhknodl.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\Ojhpimhp.exe
      C:\Windows\system32\Ojhpimhp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4996
      - C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:180
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        26⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:704
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Gcnnllcg.exe
        
        C:\Windows\system32\Gcnnllcg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        39⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        41⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        56⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Emgblc32.exe
        
        C:\Windows\system32\Emgblc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Fpmeimpn.exe
        
        C:\Windows\system32\Fpmeimpn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Hnehdo32.exe
        
        C:\Windows\system32\Hnehdo32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Imdgljil.exe
        
        C:\Windows\system32\Imdgljil.exe
        61⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Ifcben32.exe
        
        C:\Windows\system32\Ifcben32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\Iaifbg32.exe
        
        C:\Windows\system32\Iaifbg32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Kceoppmo.exe
        
        C:\Windows\system32\Kceoppmo.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Kmbmdeoj.exe
        
        C:\Windows\system32\Kmbmdeoj.exe
        65⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\Lmqiec32.exe
        
        C:\Windows\system32\Lmqiec32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Mkgfdgpq.exe
        
        C:\Windows\system32\Mkgfdgpq.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Mknlef32.exe
        
        C:\Windows\system32\Mknlef32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Nahdapae.exe
        
        C:\Windows\system32\Nahdapae.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\Ngnppfgb.exe
        
        C:\Windows\system32\Ngnppfgb.exe
        70⤵
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Poeahaib.exe
        
        C:\Windows\system32\Poeahaib.exe
        71⤵
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Pnmjomlg.exe
        
        C:\Windows\system32\Pnmjomlg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2016
        
        C:\Windows\SysWOW64\Agckiqgg.exe
        
        C:\Windows\system32\Agckiqgg.exe
        73⤵
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Anncek32.exe
        
        C:\Windows\system32\Anncek32.exe
        74⤵
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Bichcc32.exe
        
        C:\Windows\system32\Bichcc32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3544
        
        C:\Windows\SysWOW64\Biedhclh.exe
        
        C:\Windows\system32\Biedhclh.exe
        76⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Bfnnmg32.exe
        
        C:\Windows\system32\Bfnnmg32.exe
        77⤵
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Bpfcelml.exe
        
        C:\Windows\system32\Bpfcelml.exe
        78⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Bfpkbfdi.exe
        
        C:\Windows\system32\Bfpkbfdi.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4032
        
        C:\Windows\SysWOW64\Cnlpgibd.exe
        
        C:\Windows\system32\Cnlpgibd.exe
        80⤵
        
        PID:648
        
        C:\Windows\SysWOW64\Clpppmqn.exe
        
        C:\Windows\system32\Clpppmqn.exe
        81⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\Cemndbci.exe
        
        C:\Windows\system32\Cemndbci.exe
        82⤵
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\Cbqonf32.exe
        
        C:\Windows\system32\Cbqonf32.exe
        83⤵
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Dimcppgm.exe
        
        C:\Windows\system32\Dimcppgm.exe
        84⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Dfqdid32.exe
        
        C:\Windows\system32\Dfqdid32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2384
        
        C:\Windows\SysWOW64\Dlnlak32.exe
        
        C:\Windows\system32\Dlnlak32.exe
        86⤵
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Efhjjcpo.exe
        
        C:\Windows\system32\Efhjjcpo.exe
        87⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Eppobi32.exe
        
        C:\Windows\system32\Eppobi32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4512
        
        C:\Windows\SysWOW64\Ebokodfc.exe
        
        C:\Windows\system32\Ebokodfc.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4040
        
        C:\Windows\SysWOW64\Ebagdddp.exe
        
        C:\Windows\system32\Ebagdddp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Epehnhbj.exe
        
        C:\Windows\system32\Epehnhbj.exe
        91⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Flekihpc.exe
        
        C:\Windows\system32\Flekihpc.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Fcodfa32.exe
        
        C:\Windows\system32\Fcodfa32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Fcaqka32.exe
        
        C:\Windows\system32\Fcaqka32.exe
        94⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Fhnichde.exe
        
        C:\Windows\system32\Fhnichde.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Ghcbohpp.exe
        
        C:\Windows\system32\Ghcbohpp.exe
        96⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\Hgmebnpd.exe
        
        C:\Windows\system32\Hgmebnpd.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Hcdfho32.exe
        
        C:\Windows\system32\Hcdfho32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4448
        
        C:\Windows\SysWOW64\Hhaope32.exe
        
        C:\Windows\system32\Hhaope32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:544
        
        C:\Windows\SysWOW64\Imfmgcdn.exe
        
        C:\Windows\system32\Imfmgcdn.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3660
        
        C:\Windows\SysWOW64\Icbbimih.exe
        
        C:\Windows\system32\Icbbimih.exe
        101⤵
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Jqofippg.exe
        
        C:\Windows\system32\Jqofippg.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Jflnafno.exe
        
        C:\Windows\system32\Jflnafno.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Kjamhd32.exe
        
        C:\Windows\system32\Kjamhd32.exe
        104⤵
        
        PID:660
        
        C:\Windows\SysWOW64\Lhopgg32.exe
        
        C:\Windows\system32\Lhopgg32.exe
        105⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\Lpjelibg.exe
        
        C:\Windows\system32\Lpjelibg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Libido32.exe
        
        C:\Windows\system32\Libido32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Midfjnge.exe
        
        C:\Windows\system32\Midfjnge.exe
        108⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Mhjpceko.exe
        
        C:\Windows\system32\Mhjpceko.exe
        109⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Miklkm32.exe
        
        C:\Windows\system32\Miklkm32.exe
        110⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Mdaqhf32.exe
        
        C:\Windows\system32\Mdaqhf32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Mhoind32.exe
        
        C:\Windows\system32\Mhoind32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Oaejhh32.exe
        
        C:\Windows\system32\Oaejhh32.exe
        113⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Paomog32.exe
        
        C:\Windows\system32\Paomog32.exe
        114⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Pklkbl32.exe
        
        C:\Windows\system32\Pklkbl32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Qkqdnkge.exe
        
        C:\Windows\system32\Qkqdnkge.exe
        116⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Qnamofdf.exe
        
        C:\Windows\system32\Qnamofdf.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Ahgamo32.exe
        
        C:\Windows\system32\Ahgamo32.exe
        118⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Bnoiqd32.exe
        
        C:\Windows\system32\Bnoiqd32.exe
        119⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        120⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Cbiabq32.exe
        
        C:\Windows\system32\Cbiabq32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Cgejkh32.exe
        
        C:\Windows\system32\Cgejkh32.exe
        122⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Cejjdlap.exe
        
        C:\Windows\system32\Cejjdlap.exe
        123⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Cbnknpqj.exe
        
        C:\Windows\system32\Cbnknpqj.exe
        124⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Cgjcfgoa.exe
        
        C:\Windows\system32\Cgjcfgoa.exe
        125⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Dnienqbi.exe
        
        C:\Windows\system32\Dnienqbi.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Dioiki32.exe
        
        C:\Windows\system32\Dioiki32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Dnkbcp32.exe
        
        C:\Windows\system32\Dnkbcp32.exe
        128⤵
        
        PID:776
        
        C:\Windows\SysWOW64\Ebejem32.exe
        
        C:\Windows\system32\Ebejem32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Fhflhcfa.exe
        
        C:\Windows\system32\Fhflhcfa.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Fblpflfg.exe
        
        C:\Windows\system32\Fblpflfg.exe
        131⤵
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Ghgeoq32.exe
        
        C:\Windows\system32\Ghgeoq32.exe
        132⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Gekeie32.exe
        
        C:\Windows\system32\Gekeie32.exe
        133⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Haafnf32.exe
        
        C:\Windows\system32\Haafnf32.exe
        134⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Ikmpcicg.exe
        
        C:\Windows\system32\Ikmpcicg.exe
        135⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Joaojf32.exe
        
        C:\Windows\system32\Joaojf32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Jjgcgo32.exe
        
        C:\Windows\system32\Jjgcgo32.exe
        137⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Kcfnqccd.exe
        
        C:\Windows\system32\Kcfnqccd.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Lcpqgbkj.exe
        
        C:\Windows\system32\Lcpqgbkj.exe
        139⤵
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\Liabjh32.exe
        
        C:\Windows\system32\Liabjh32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Mpkkgbmi.exe
        
        C:\Windows\system32\Mpkkgbmi.exe
        141⤵
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Midoph32.exe
        
        C:\Windows\system32\Midoph32.exe
        142⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\Mbldhn32.exe
        
        C:\Windows\system32\Mbldhn32.exe
        143⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 400
        144⤵
        Program crash
        
        PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3152 -ip 3152
1⤵
PID:5756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaldccip.exe

Filesize
55KB

MD5
0767eb0eeb3b921076788aa0aa58657d

SHA1
de9af2d627c5a8da1f23d8770ab073a030207ade

SHA256
4a9f738165730c9fd6ef256646ad1cc8c391ce45244f191843e5f375cfda43c4

SHA512
e8e2048e122e0b2474c0f7a082981d0fbc8f0e5441a3a090dc7a9f3d40fd0a0a5488cbac502280c494c4b2b4ba0fcc2839ccddae35dfc80370d9b1aa943636ef

Download Submit
C:\Windows\SysWOW64\Apggckbf.exe

Filesize
55KB

MD5
c6cbfef6acf470783c733d386cd57367

SHA1
6d9e165d9ff576a180e999ecf24ac162d9f9ba38

SHA256
cea03ce182a3d4a9445b49252f2d5d3f09179014e48d996fb87164e2757f6f86

SHA512
4a1b4a2db5bc64101a4e30e6d700c576cc786dfeb06c1d682eb4acbb84e8141c57160ff9b489f3e19bc557b7cb02626e5cb4570ca7772557598e8c08299a562f

Download Submit
C:\Windows\SysWOW64\Biedhclh.exe

Filesize
55KB

MD5
c761474e18ba1b0e1f799279bf528304

SHA1
179e2b4ce58be625ea96d539bcb55a0668b32ca5

SHA256
e204d8900d41582f4e6389377a6c663e74efbb288f76ede17b67d1179faf3489

SHA512
78e5a24fa2bf569133e9008c48a8718f7bd2a14d4c0d6bdba0b25302cdfb8d62ebae7af0bb26afedf8b1bb06a438b209c5b5f54ab481e58029bf7da652c27d10

Download Submit
C:\Windows\SysWOW64\Binhnomg.exe

Filesize
55KB

MD5
4490f51334e3ffae176e5ac4ab772206

SHA1
bbf7abe92b0b845a54a1fad1378373574e6075e4

SHA256
9ad604296f6ab6ec577e17351cb1946b1aada7106352b59f0a5e29c54a33139f

SHA512
d9f022ffcc204564bf2615322c271319717f566d8e0367a90de489db62dd9227ac22f81010435a64767dfc034e161da4bec7ab563930f42414c4d19dafac72bb

Download Submit
C:\Windows\SysWOW64\Bkgeainn.exe

Filesize
55KB

MD5
f7c7873e925cc76ab09e0fb2798b5db7

SHA1
3df11d557703e70bb7ff6820ab3a0c06c8ae4fb0

SHA256
48f8efb94bb5b796c1a629d22acde4a56d86a047a11b5438c4eee9cf2b0a62c2

SHA512
178b768633db428f5bba984cd750a5e2319c73590a315ab542aea1931c502c647185c4a55048192d1f7b28bc046ed954b02658485c82f8397d49d81dc4d9279e

Download Submit
C:\Windows\SysWOW64\Boenhgdd.exe

Filesize
55KB

MD5
dbc695fb5b4b389baabdfe5e90bb1bd7

SHA1
69a4db88e527cf7f9bee05397fe89d7ef882b7e6

SHA256
d1c4c547e8b7e3240eed11ab3a7b0075326e404fd7d73d02aa86f76e889b9741

SHA512
795412b24859031da27b968691d188ec8d33c9e36de9b72fdd36f8073d53ba0662294f65b08da7bcd98e051d75d4c556df2d202555a42767c864768b2bd74809

Download Submit
C:\Windows\SysWOW64\Cdbpgl32.exe

Filesize
55KB

MD5
e737d1a47624b963c5843e804fcfe11c

SHA1
74cf3895287c3f9fdf18ece8f0913cdb16266621

SHA256
b684f7f6ac18293c66667c8fa07f1e867a707fb76599df31ea8e47c9edf43508

SHA512
304bfcf7a833595f1cfa07b5136377bec7155617d75ac5df7f1c7273948c03533ad25d41bb143407e7b77d521ea99c5d52bb37f7349f19188fee6f8f9dbee2db

Download Submit
C:\Windows\SysWOW64\Dkekjdck.exe

Filesize
55KB

MD5
3e1355f29948afd4080e33f7fa21cfe2

SHA1
b41117ce58a7c0ef571ff37ba58d818e8227c201

SHA256
be74f347cef61d7b06917a4e1cda79c60941e8d05ef7615c39961112811bc215

SHA512
ca5cc8bcc73bc19de4a8634dd7fb345e5734d751f3ba832520e1702bf994a2ec2f114ec3726a6b15c4b0f9970bd45e8b9b905989a786d16ea1efeca9757b78aa

Download Submit
C:\Windows\SysWOW64\Dncpkjoc.exe

Filesize
55KB

MD5
0b0acda411d03b88bc6cd9567f79a9cc

SHA1
3308a5ca54f7aaed57db3ba53e3ac848868f12d9

SHA256
9cca400de2ccceaeba99e838c5615c784909ca1765690cd16128713691db49dc

SHA512
e01d55ac33b4312a48ce0363268caf223dcc6d0ebd40f1b04cca223cfc012bc855bfd3e4d98aec2cb9a34f675d3077e9dd300c59b0c57f8ae1efa49c02d29b00

Download Submit
C:\Windows\SysWOW64\Dpjfgf32.exe

Filesize
55KB

MD5
268c8371961b7a7f5cc7d0d42fa4f5b4

SHA1
ba0ee978d99d050afaffaa76d9ea13ede0eb771d

SHA256
b6872d49e6173d4268f920f311b4e546b194dd32d236b6aeb0027a764223d177

SHA512
0f94d6ceb6bdfcaff1857b0e01898d6cf05ffa8d4517854449d66ecb7e75f36a9300ba9f74f8cf4b68396260ea2a7e7fc0ce2e7b50d01eaef6ef5b61413ad02d

Download Submit
C:\Windows\SysWOW64\Edplhjhi.exe

Filesize
55KB

MD5
35eb8d8d3588ec4d47289a939862d677

SHA1
603dd9cee58d56fcd7d54f59d74acf94ec6137ce

SHA256
4829b28e7e4133311979576a81b0cb5599da501bc78b9c93a8a3b3c4bb126d45

SHA512
6a3bb640fd39014882d2a3b353f5974de4f7e60881563f4d66ebb34ea3c95213a896285b94b26d7eb7955b48592a5b76bbf3ff56213fc7b66b6a66f209670473

Download Submit
C:\Windows\SysWOW64\Ekcgkb32.exe

Filesize
55KB

MD5
e8d5ed44e66ef877316b25bb5761798a

SHA1
cb16d47b3c73c5656c351c310f9359a02b3dfb61

SHA256
3ac8f09f263c00b8d7dcf271e9ccae3e9779937986ab9224d8be2bd5af599a39

SHA512
2c09ec25cec8c7eee2309df2d23de49dfd9e6014c951100bad5edf3c4f46c8fcdce488d3864d6fe5bc76326dc6e4641993b7ea6d6765e645037ae52ef7d5395c

Download Submit
C:\Windows\SysWOW64\Ekonpckp.exe

Filesize
55KB

MD5
092755e61d8bea1420f567525467539b

SHA1
feabcb741bd6d1daee9f9890710eea84540c3254

SHA256
641ea751e3c02dbf94a835e99ec5be93a08aa74a993cc5230028629dae29735b

SHA512
673cf4e0b5caf389d8cf9ffb3511bb6937c354ece1bdfc4612e77453c23637d39f233699e0b075fca6c14b2557c84389a0d9b5ad0d73e2a262029d2562002732

Download Submit
C:\Windows\SysWOW64\Fqfojblo.exe

Filesize
55KB

MD5
0259f2bfc26be885d49fa7dbd320c7f4

SHA1
2eedab3f84306a5a80d9bfd1e07bddfbc353f9c1

SHA256
8eddf565a771f07608b93e34e266f213e44710bb4062a429bd95a19db7886ca0

SHA512
d693442cefc44d73233e3b7112843fd4fca1ff1f4bcf117827fcd21bf2378b8f13724a69f7930a1366a257af1656590be251e4ae7e1eea6ce182c39079c3561a

Download Submit
C:\Windows\SysWOW64\Ggmmlamj.exe

Filesize
55KB

MD5
b8a45671f14920558681da76fbc69773

SHA1
2635a1dd0e7c9f1100c6d4e64cd8b98fe3f29679

SHA256
9c7962d6d8af9352a9ddb64ec59d5554d26d22a4b3c624f3d53fc41d5b86ce7e

SHA512
afac9b87f2f6b7834f4fda9c2d50697107e9dcf71e979325e57ca66d08eaca7689532ee394d4b9fd4f4524df344e11bc89652fa10eb13787fd20e061057bb9d2

Download Submit
C:\Windows\SysWOW64\Gjcmngnj.exe

Filesize
55KB

MD5
bef37bed133ebfd763641176ceaf82d2

SHA1
217bdfc97cd9bc880a3d74d5442090554beb1a1a

SHA256
c1169da9eb1fb5e043c7f7cbc97b83e2962fac70c4e99a679b7f55cd1b07060f

SHA512
bb2263f3de7963508816be99b207fc051bce308addfab88d5929adbf2e1e5c78e11024ecc9fa1791b7aaac2cb08d180dae6f8454508c574b88e9009e6bd87a86

Download Submit
C:\Windows\SysWOW64\Gnnccl32.exe

Filesize
55KB

MD5
671aef309ff2cc7d6aaf8e0562c40a41

SHA1
c75509e069535292112579a8eb12a1180f6d064d

SHA256
911a430e9ff7e8f5724e4875261d171d53a6cd48cf5c0ab75aa30cc8d2af10e3

SHA512
fa2009b0487a23f4947e2ce6f6c102af6602c5c6aacd07bbc3105c7fd599973d0b8cac63b1ae6ab9212233c56045ec7f890a3f0e26d62eb5a05bec30c1563ada

Download Submit
C:\Windows\SysWOW64\Hnphoj32.exe

Filesize
55KB

MD5
53947c646a6d41fdee460b51af3d54a3

SHA1
24292225f94126361e91d54f55e5d4344101b0f4

SHA256
e42b030447602eea7e120e8fbfffe5592347b72f79a1d78c06d50ac16c23a488

SHA512
eb533dcbe2d1499ce55b07b1c432a7ae0951e3c7b6035aac57e699152e19164f92877465eff89cb59f238fee28629dd3fc21a872caffd9e9131b03890b45e7f8

Download Submit
C:\Windows\SysWOW64\Iafkld32.exe

Filesize
55KB

MD5
bf8884ef60794fdf92a590359445fa9d

SHA1
ad72b5cff1c36ea3505cc339de0365385d620c5c

SHA256
a6ea1f3db3fa752993ab58dc2d379271d37a4cd776557feca21576280d6a8c38

SHA512
b6e027cc70ea3e02c78bc142aa81f527344f050d3d502adbd2ee982ff24ea1f79cf91c8f0394824940b42303804f30ea126737715ff6afc78b74600a04095df6

Download Submit
C:\Windows\SysWOW64\Iajdgcab.exe

Filesize
55KB

MD5
b2d2df2a02dd1cee0d65d44ff3966882

SHA1
adb2bb69deb2455e7c42ce8803fea49481614b0e

SHA256
20630aef6410e2d8898a14c1d6c72a4c002c977e1dca07acb79453e3a22b4902

SHA512
14329cc52e86b96f94f10086f7e86f39ce13cd619b85b8e9eae764886a238b77f319447d08d61a49593fd237819034a54c0b094d74e82893ca98190b81864143

Download Submit
C:\Windows\SysWOW64\Ihmfco32.exe

Filesize
55KB

MD5
d0c9a8510bd8ce2b5ad30425aa8e7d73

SHA1
06c85a570900b206066b7f46d99276c5e5bb201b

SHA256
9e9bdfd8d019fe0be3142fe1bf6fa2ceb89678d8a4f33491acf8864c1009bc04

SHA512
6b3a8ffae88c8681bcae5225ffc5f80fff82158f9e056194a1cc566da7397c2903a6fa413b64faf97b6b57207aba070c8f7eca49d4f00622d3c88793e3d2e208

Download Submit
C:\Windows\SysWOW64\Jaonbc32.exe

Filesize
55KB

MD5
7fbbcfc906226ec9ebe8f6f4519ef74c

SHA1
555650092217340d38863bd502bf1d3b1aa30369

SHA256
f7a59f0b46e1b6ff50bf5ef110cfede3c6cc0d9d1e0d642138137170da388297

SHA512
99d1b3e91c8c471f7da8a422f9c3e57cf4ece13d1938b97213d44ffb9af96fb086f858723351ed05d6bd5990112f8fcf09de2860868be7e84821c5bbc4f9f9d2

Download Submit
C:\Windows\SysWOW64\Jimldogg.exe

Filesize
55KB

MD5
9f9ab110de260827a22706df470e3e3c

SHA1
b970b8c325c1ff6bec3b122ee7981601cc4594f9

SHA256
10a7bf174f6dce3d673626a326e0b3e157112ce30760b9899b31ed7f9a0a48a5

SHA512
bfc368b8dd647ee6fbce5f7a9c604b256fa3ba6e586a0e3cbf3042107dec27b43081a7875d39d49405d09c0db845b838c0f65a9e392a5cfb25ee139cec8655cd

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
55KB

MD5
3448ec8d5ef121f8670bf54ab2f84ce5

SHA1
3620dd8789038e9e98a272f8b76016ffef4ffeec

SHA256
0961bce12ba10c31badb5ff16e73172c923f8bf12ae91c763975142787c8ae6a

SHA512
dc0ac948116da4af5a2d689f439faa760845d7a3cc987448ed02dfb44aaee8b30c184aab3a20c6b94ad2d98d438be8d31050caa3c1e122f6ceb471ca5ef0b48b

Download Submit
C:\Windows\SysWOW64\Kabcopmg.exe

Filesize
55KB

MD5
9eecba348026f21eaafaf212bce8a7f8

SHA1
36e1aa80136bc553e85c440aaff464514d7d1297

SHA256
f51ff1498b2e4352544c707e794972f66742f2b8f17e61b7be976e1690300183

SHA512
1f1b50116355a9a1fece47f0d9891750c4eb3949222547fa39199111a39aa71d76e357d9b1fa7b11484b11858ed7bdc3495732040f65cd2db9d09f47faefde8a

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
55KB

MD5
18f5a362e3f703e97a161404c46ca3a7

SHA1
71a2c58d6cfe04edd46ee2de825ddcc1f6f62278

SHA256
16d103905518888d04d80f53ffc8a5e1f0ae537ff3ca215b56436d1c5b7815cf

SHA512
dbac47861f657defa6870f74e5fe3aaf6a7fe5bafca6fcafdca823a724576ace660dfbc843af0f18e00c08c3f6d4040019ec54e35d67a64886de33531aa875fb

Download Submit
C:\Windows\SysWOW64\Lacijjgi.exe

Filesize
55KB

MD5
c2edec774e3c410705071e16c51485de

SHA1
1e64a821030692a6fe6a55a834e50caaac66568b

SHA256
079d07de0877dabdb09f94bd323b9dfc52427ee7e67659fc5fd99e2a37fb0f1b

SHA512
80c9495cfda2ef094ba6c2019246ef951102fdeb82415e5cdb52d3cd43c3ae442eed1df04b74895e9376dc6a85be5e836b30baee4d0b5c4c9d47d2852c8e495b

Download Submit
C:\Windows\SysWOW64\Legben32.exe

Filesize
55KB

MD5
6bfdcb715669e83a53dad88290f02b32

SHA1
cfe673a4507928a56e97967764e94249b75b8453

SHA256
50f251a42d78e6406995d92dad4f7549c8196213c02769dbcb86f9adad6d18d1

SHA512
a62f74ae1122372ead4570c237c6c5fac366affb27ca3836e0425838ccc864509c32b2f617bbbc43a6484111df738dd2f2999a8b151f6b7fafec141450501adf

Download Submit
C:\Windows\SysWOW64\Mhoind32.exe

Filesize
55KB

MD5
dc08c3e465a998dc45bac4eb709a8c9a

SHA1
256254e93e8354e928b794e7110ccff48d9a514d

SHA256
cbe0decfa4a3963388e54f5d5f1aca8ac5009f4b06ea2dbae4692f0190518197

SHA512
b423ff7a250550587c43694ed6d1e55abf48c45b17ded50ec7f90766bb58fd579284bf846760d737f2f06c11318894f66492161faeb0d659d6bbbf65cf2730db

Download Submit
C:\Windows\SysWOW64\Mjlalkmd.exe

Filesize
55KB

MD5
c25e28041dada0c208aa1ce614929856

SHA1
6285f824fbaa1a1221350d18de14ef29d2372601

SHA256
d82dda4ef960c4be6ba9701ecc8c9c979de66f83884387092570e158ef1af299

SHA512
0fe45f42f63b7749bad9d6a40500644fd75d24aa645b18676ec3a76d6372aadcbab078f5f3cef2ed37b0e623a195cfc527cc68f66b528294b6c43d048e96894a

Download Submit
C:\Windows\SysWOW64\Mpeiie32.exe

Filesize
55KB

MD5
5bbb03c92d73458e473cd71760741e76

SHA1
8e03170d9a0537ca16bf12af4b783f1d2ee40d0d

SHA256
63d02e4cd7c64f6983990a3c0fbd68d72aae5c5d707cafd4dd51f20adfcb188b

SHA512
583ec760499fce32ea287c109f22e1da37f095a1a76fbcbc63df632cebacd016ef05331fda4edcd35c5dcb58e57ddac810d69713734e94ff5b9752f3127e1fbf

Download Submit
C:\Windows\SysWOW64\Ngnppfgb.exe

Filesize
55KB

MD5
61e98ed81212f7f4901fbc0ed38ac1b2

SHA1
528e787012eba4035c948745c59df1195c63c21b

SHA256
32336d5441f4050f2982b1d08bae282790964f2401eedde898548a19018c38a1

SHA512
e59518b42b68b079e9505e8a09d79434e5dfd300e473e2bf95ef8488482533d5604da2e872aa69c9d0c7c69ae474ae78da52f12c1ba8cdff864eb178f153d18c

Download Submit
C:\Windows\SysWOW64\Npbceggm.exe

Filesize
55KB

MD5
b447c70393453bf3418e6fe72ef4b0c0

SHA1
b1fddfae176cc4e365ac3189a00880a35bad0909

SHA256
809a2831273a250d89e626a6f3e430f0aa89e827cb2736f14846e28a90ed63b7

SHA512
ae3b2a41b3548ff5ae87033dcca16c57c69e9628c8ede07d984f62e4d10b9d44c8203b15973ec2a2b43bdfec1eb8246cd0aa71c478d224383c06c324ce5fa216

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
55KB

MD5
df8ccd059e6689a96438b2aaf1d9778b

SHA1
c2fd3177f753d88d35b8c55d01707502a12944b0

SHA256
2ec35642bc1f89b164a3ac953f1ccfd3d14d1577107cd3d6dbd2c491033c1076

SHA512
bddcbcf771773f1429950af883640b50a212411d3d318048f749aa01576634fdb8da5738ccaae93721149e7e0239a0d8bb9945550684bf8efb55c654fef8272f

Download Submit
C:\Windows\SysWOW64\Ojhpimhp.exe

Filesize
55KB

MD5
6de71faa0179469e6488952b3797cbdc

SHA1
9a4734fbfcef7c77c5367e66f5ec687d0005e924

SHA256
3c8d2b75220ca2a95b8c932b62349561c3aa066f66f94f9d120b2e2852407b93

SHA512
ea4fd0d3a53191f7afdc3c61433f886da29909e66477ae4765d08c53da99c9bf2a2f3b86c382b98559c3ea3cddf302d4f63972d6dce8271b3fa22f296576c571

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
55KB

MD5
8f50c2143e5d824fb268fdb515bf97de

SHA1
ac5c62c85e90aaafdb1682d8eec083fec0c1f12c

SHA256
eb74f613c734c983275db498bd429201e60884eaf33b7923c66939cb9c4f9424

SHA512
c001f3de78a8c72bc64d9f9915dcd9eab7aa013a5482d0a0cc9ddb0d49acc00362b5c91c169195cc4c4a186838c1fc977403d87e6084530ffe12719820f012be

Download Submit
C:\Windows\SysWOW64\Pbhgoh32.exe

Filesize
55KB

MD5
790cc36cfa5b13ffbd76d6a716679a2c

SHA1
af6163cae5a3d6b6d92564cb7e58ef3aa998acee

SHA256
27787cfa60dc8af376cb9013f51fbbd3e25857a9765cedfb9d6709d54311f7ad

SHA512
1ebbfa0b6d1ede9949615e1a715e0edb8a8166d4e86bf4de4ed213500d4d6d5cc3e436cf486e220bb8b987636a57c952be52b88997baf0cb9355a51293573867

Download Submit
C:\Windows\SysWOW64\Pnplfj32.exe

Filesize
55KB

MD5
0d84998948000cefe17a9113fad4f2d2

SHA1
a453e1ccf26b54afdc18eb73768cbbc6be3f4165

SHA256
ea27dd0066224e7634d6a9ccf8f21d2807f39e20e66e460b2ed3bf92468ae919

SHA512
859269eae81a6d7909bff3a4d8c74fbd47f69241f892eb0e4f8c85073ff0c20bbba2c9c94f256e327702820c401ff1ab5f1c9c503812ba20d6fb5985bb394dbc

Download Submit
memory/116-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/180-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/180-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-2-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads