bf4de24c74b4547437c01e26bc92cb658f168d232b719acdc51c79b05027a192

Analysis

max time kernel
147s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 20:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f7fd114d1ac5d4924a7e9871d29648d0.exe
Size

128KB
MD5

f7fd114d1ac5d4924a7e9871d29648d0
SHA1

5d141fff5e8bcd8029708ae3e0117a8be9c7780f
SHA256

bf4de24c74b4547437c01e26bc92cb658f168d232b719acdc51c79b05027a192
SHA512

12775a2cdd4760459d410638df5e83bea25b4d1ddcc85d5cd1d31fc109a0170144f40ea5e2b317890805b8a945d9a3500e01416d4b402046f181744b23aafd2b
SSDEEP

3072:Xfn113EriRnkrA535CPxMeEvPOdgujv6NLPfFFrKP9:Xfn110rInkrALCJML3OdgawrFZKP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abponp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcddcbab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f7fd114d1ac5d4924a7e9871d29648d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f7fd114d1ac5d4924a7e9871d29648d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgjkag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abponp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgjkag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcddcbab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfgjjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhldpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhldpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfgjjm32.exe

Executes dropped EXE 7 IoCs

pid	Process
4060	Abponp32.exe
100	Bhldpj32.exe
460	svchost.exe
1356	Bcddcbab.exe
5004	Gggfme32.exe
3764	Bfgjjm32.exe
4496	Bbhqdhnm.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Abponp32.exe	f7fd114d1ac5d4924a7e9871d29648d0.exe
File created	C:\Windows\SysWOW64\Bhldpj32.exe	Abponp32.exe
File opened for modification	C:\Windows\SysWOW64\Bfpdin32.exe	Bhldpj32.exe
File created	C:\Windows\SysWOW64\Fdflahpe.dll	Bcddcbab.exe
File opened for modification	C:\Windows\SysWOW64\Abponp32.exe	f7fd114d1ac5d4924a7e9871d29648d0.exe
File created	C:\Windows\SysWOW64\Igliicdk.dll	f7fd114d1ac5d4924a7e9871d29648d0.exe
File opened for modification	C:\Windows\SysWOW64\Bhldpj32.exe	Abponp32.exe
File created	C:\Windows\SysWOW64\Bfpdin32.exe	Bhldpj32.exe
File created	C:\Windows\SysWOW64\Aaopkj32.dll	Abponp32.exe
File created	C:\Windows\SysWOW64\Bbiado32.exe	Bcddcbab.exe
File opened for modification	C:\Windows\SysWOW64\Cimmggfl.exe	Bfgjjm32.exe
File created	C:\Windows\SysWOW64\Anfjipgp.dll	Bfgjjm32.exe
File created	C:\Windows\SysWOW64\Bfgjjm32.exe	Mgjkag32.exe
File opened for modification	C:\Windows\SysWOW64\Bfgjjm32.exe	Mgjkag32.exe
File created	C:\Windows\SysWOW64\Bcpcam32.dll	Mgjkag32.exe
File created	C:\Windows\SysWOW64\Mlgbnc32.dll	Bhldpj32.exe
File created	C:\Windows\SysWOW64\Bcddcbab.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Bcddcbab.exe	svchost.exe
File created	C:\Windows\SysWOW64\Pjjfgb32.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Bbiado32.exe	Bcddcbab.exe
File created	C:\Windows\SysWOW64\Cimmggfl.exe	Bfgjjm32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f7fd114d1ac5d4924a7e9871d29648d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgjkag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfgjjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhldpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflahpe.dll"	Bcddcbab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpcam32.dll"	Mgjkag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfjipgp.dll"	Bfgjjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f7fd114d1ac5d4924a7e9871d29648d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f7fd114d1ac5d4924a7e9871d29648d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abponp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfgjjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcddcbab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcddcbab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgjkag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igliicdk.dll"	f7fd114d1ac5d4924a7e9871d29648d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abponp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhldpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlgbnc32.dll"	Bhldpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjjfgb32.dll"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f7fd114d1ac5d4924a7e9871d29648d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f7fd114d1ac5d4924a7e9871d29648d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaopkj32.dll"	Abponp32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 4060	3268	f7fd114d1ac5d4924a7e9871d29648d0.exe	53
PID 3268 wrote to memory of 4060	3268	f7fd114d1ac5d4924a7e9871d29648d0.exe	53
PID 3268 wrote to memory of 4060	3268	f7fd114d1ac5d4924a7e9871d29648d0.exe	53
PID 4060 wrote to memory of 100	4060	Abponp32.exe	55
PID 4060 wrote to memory of 100	4060	Abponp32.exe	55
PID 4060 wrote to memory of 100	4060	Abponp32.exe	55
PID 100 wrote to memory of 460	100	Bhldpj32.exe	228
PID 100 wrote to memory of 460	100	Bhldpj32.exe	228
PID 100 wrote to memory of 460	100	Bhldpj32.exe	228
PID 460 wrote to memory of 1356	460	svchost.exe	58
PID 460 wrote to memory of 1356	460	svchost.exe	58
PID 460 wrote to memory of 1356	460	svchost.exe	58
PID 1356 wrote to memory of 5004	1356	Bcddcbab.exe	177
PID 1356 wrote to memory of 5004	1356	Bcddcbab.exe	177
PID 1356 wrote to memory of 5004	1356	Bcddcbab.exe	177
PID 5004 wrote to memory of 3764	5004	Mgjkag32.exe	59
PID 5004 wrote to memory of 3764	5004	Mgjkag32.exe	59
PID 5004 wrote to memory of 3764	5004	Mgjkag32.exe	59
PID 3764 wrote to memory of 4496	3764	Bfgjjm32.exe	306
PID 3764 wrote to memory of 4496	3764	Bfgjjm32.exe	306
PID 3764 wrote to memory of 4496	3764	Bfgjjm32.exe	306

C:\Users\Admin\AppData\Local\Temp\f7fd114d1ac5d4924a7e9871d29648d0.exe
"C:\Users\Admin\AppData\Local\Temp\f7fd114d1ac5d4924a7e9871d29648d0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\SysWOW64\Abponp32.exe
  C:\Windows\system32\Abponp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\SysWOW64\Bhldpj32.exe
    C:\Windows\system32\Bhldpj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Windows\SysWOW64\Bfpdin32.exe
      C:\Windows\system32\Bfpdin32.exe
      4⤵
      PID:460
    - - C:\Windows\SysWOW64\Bcddcbab.exe
        
        C:\Windows\system32\Bcddcbab.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356

C:\Windows\SysWOW64\Bbiado32.exe
C:\Windows\system32\Bbiado32.exe
1⤵
PID:5004
- C:\Windows\SysWOW64\Bfgjjm32.exe
  C:\Windows\system32\Bfgjjm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\SysWOW64\Cimmggfl.exe
    C:\Windows\system32\Cimmggfl.exe
    3⤵
    PID:4496

C:\Windows\SysWOW64\Ckpbnb32.exe
C:\Windows\system32\Ckpbnb32.exe
1⤵
PID:1600
- C:\Windows\SysWOW64\Dpnkdq32.exe
  C:\Windows\system32\Dpnkdq32.exe
  2⤵
  PID:2300
- C:\Windows\SysWOW64\Bammeebe.exe
  C:\Windows\system32\Bammeebe.exe
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\Bidefbcg.exe
    C:\Windows\system32\Bidefbcg.exe
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\Bekfkc32.exe
      C:\Windows\system32\Bekfkc32.exe
      4⤵
      PID:5340
    - - C:\Windows\SysWOW64\Bhibgo32.exe
        
        C:\Windows\system32\Bhibgo32.exe
        5⤵
        
        PID:4980

C:\Windows\SysWOW64\Dihlbf32.exe
C:\Windows\system32\Dihlbf32.exe
1⤵
PID:3652
- C:\Windows\SysWOW64\Dflmlj32.exe
  C:\Windows\system32\Dflmlj32.exe
  2⤵
  PID:2192

C:\Windows\SysWOW64\Dmalne32.exe
C:\Windows\system32\Dmalne32.exe
1⤵
PID:4548

C:\Windows\SysWOW64\Elpkep32.exe
C:\Windows\system32\Elpkep32.exe
1⤵
PID:3408
- C:\Windows\SysWOW64\Elbhjp32.exe
  C:\Windows\system32\Elbhjp32.exe
  2⤵
  PID:4432

C:\Windows\SysWOW64\Efhlhh32.exe
C:\Windows\system32\Efhlhh32.exe
1⤵
PID:3708
- C:\Windows\SysWOW64\Embddb32.exe
  C:\Windows\system32\Embddb32.exe
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\Jgeghp32.exe
    C:\Windows\system32\Jgeghp32.exe
    3⤵
    PID:4832
  - - C:\Windows\SysWOW64\Aednci32.exe
      C:\Windows\system32\Aednci32.exe
      4⤵
      PID:4324

C:\Windows\SysWOW64\Ckmehb32.exe
C:\Windows\system32\Ckmehb32.exe
1⤵
PID:2092

C:\Windows\SysWOW64\Fbelcblk.exe
C:\Windows\system32\Fbelcblk.exe
1⤵
PID:3008
- C:\Windows\SysWOW64\Fechomko.exe
  C:\Windows\system32\Fechomko.exe
  2⤵
  PID:3016

C:\Windows\SysWOW64\Fbgihaji.exe
C:\Windows\system32\Fbgihaji.exe
1⤵
PID:4072
- C:\Windows\SysWOW64\Fiaael32.exe
  C:\Windows\system32\Fiaael32.exe
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\Fpkibf32.exe
    C:\Windows\system32\Fpkibf32.exe
    3⤵
    PID:2348

C:\Windows\SysWOW64\Gldglf32.exe
C:\Windows\system32\Gldglf32.exe
1⤵
PID:5028
- C:\Windows\SysWOW64\Gncchb32.exe
  C:\Windows\system32\Gncchb32.exe
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\Gihgfk32.exe
    C:\Windows\system32\Gihgfk32.exe
    3⤵
    PID:5084
  - - C:\Windows\SysWOW64\Glgcbf32.exe
      C:\Windows\system32\Glgcbf32.exe
      4⤵
      PID:1156

C:\Windows\SysWOW64\Hfcnpn32.exe
C:\Windows\system32\Hfcnpn32.exe
1⤵
PID:2640
- C:\Windows\SysWOW64\Hmmfmhll.exe
  C:\Windows\system32\Hmmfmhll.exe
  2⤵
  PID:744
- C:\Windows\SysWOW64\Bbhqdhnm.exe
  C:\Windows\system32\Bbhqdhnm.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- - C:\Windows\SysWOW64\Bajqpe32.exe
    C:\Windows\system32\Bajqpe32.exe
    3⤵
    PID:5804

C:\Windows\SysWOW64\Hffken32.exe
C:\Windows\system32\Hffken32.exe
1⤵
PID:448
- C:\Windows\SysWOW64\Hmpcbhji.exe
  C:\Windows\system32\Hmpcbhji.exe
  2⤵
  PID:4952
- - C:\Windows\SysWOW64\Hpnoncim.exe
    C:\Windows\system32\Hpnoncim.exe
    3⤵
    PID:3980
  - - C:\Windows\SysWOW64\Hblkjo32.exe
      C:\Windows\system32\Hblkjo32.exe
      4⤵
      PID:2708
    - - C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        5⤵
        
        PID:2512
      - C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        6⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        7⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        8⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        9⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        10⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        11⤵
        
        PID:3680
      - C:\Windows\SysWOW64\Coojpg32.exe
        
        C:\Windows\system32\Coojpg32.exe
        6⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\Damflb32.exe
        
        C:\Windows\system32\Damflb32.exe
        7⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\Dhgoimlo.exe
        
        C:\Windows\system32\Dhgoimlo.exe
        8⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\Doageg32.exe
        
        C:\Windows\system32\Doageg32.exe
        9⤵
        
        PID:5336

C:\Windows\SysWOW64\Hplbickp.exe
C:\Windows\system32\Hplbickp.exe
1⤵
PID:3644

C:\Windows\SysWOW64\Hpiecd32.exe
C:\Windows\system32\Hpiecd32.exe
1⤵
PID:2188

C:\Windows\SysWOW64\Gejopl32.exe
C:\Windows\system32\Gejopl32.exe
1⤵
PID:2288

C:\Windows\SysWOW64\Gnqfcbnj.exe
C:\Windows\system32\Gnqfcbnj.exe
1⤵
PID:3544

C:\Windows\SysWOW64\Gmojkj32.exe
C:\Windows\system32\Gmojkj32.exe
1⤵
PID:4980
- C:\Windows\SysWOW64\Bppjhl32.exe
  C:\Windows\system32\Bppjhl32.exe
  2⤵
  PID:5484
- - C:\Windows\SysWOW64\Cbofdg32.exe
    C:\Windows\system32\Cbofdg32.exe
    3⤵
    PID:5316

C:\Windows\SysWOW64\Gehbjm32.exe
C:\Windows\system32\Gehbjm32.exe
1⤵
PID:3376

C:\Windows\SysWOW64\Fpimlfke.exe
C:\Windows\system32\Fpimlfke.exe
1⤵
PID:4836

C:\Windows\SysWOW64\Fmkqpkla.exe
C:\Windows\system32\Fmkqpkla.exe
1⤵
PID:4068

C:\Windows\SysWOW64\Khbiello.exe
C:\Windows\system32\Khbiello.exe
1⤵
PID:5124
- C:\Windows\SysWOW64\Kpiqfima.exe
  C:\Windows\system32\Kpiqfima.exe
  2⤵
  PID:5172
- - C:\Windows\SysWOW64\Kolabf32.exe
    C:\Windows\system32\Kolabf32.exe
    3⤵
    PID:5272
  - - C:\Windows\SysWOW64\Kpccmhdg.exe
      C:\Windows\system32\Kpccmhdg.exe
      4⤵
      PID:5316
    - - C:\Windows\SysWOW64\Cemcqcgi.exe
        
        C:\Windows\system32\Cemcqcgi.exe
        5⤵
        
        PID:5468
      - C:\Windows\SysWOW64\Chlomnfl.exe
        
        C:\Windows\system32\Chlomnfl.exe
        6⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Cpbgnlfo.exe
        
        C:\Windows\system32\Cpbgnlfo.exe
        7⤵
        
        PID:4884

C:\Windows\SysWOW64\Kofdhd32.exe
C:\Windows\system32\Kofdhd32.exe
1⤵
PID:5356
- C:\Windows\SysWOW64\Likhem32.exe
  C:\Windows\system32\Likhem32.exe
  2⤵
  PID:5396
- - C:\Windows\SysWOW64\Lljdai32.exe
    C:\Windows\system32\Lljdai32.exe
    3⤵
    PID:5444
  - - C:\Windows\SysWOW64\Lohqnd32.exe
      C:\Windows\system32\Lohqnd32.exe
      4⤵
      PID:5488

C:\Windows\SysWOW64\Lafmjp32.exe
C:\Windows\system32\Lafmjp32.exe
1⤵
PID:5564
- C:\Windows\SysWOW64\Lllagh32.exe
  C:\Windows\system32\Lllagh32.exe
  2⤵
  PID:5620
- - C:\Windows\SysWOW64\Lojmcdgl.exe
    C:\Windows\system32\Lojmcdgl.exe
    3⤵
    PID:5724
  - - C:\Windows\SysWOW64\Jelonkph.exe
      C:\Windows\system32\Jelonkph.exe
      4⤵
      PID:5788
    - - C:\Windows\SysWOW64\Cdgolq32.exe
        
        C:\Windows\system32\Cdgolq32.exe
        5⤵
        
        PID:5832

C:\Windows\SysWOW64\Clbdpc32.exe
C:\Windows\system32\Clbdpc32.exe
1⤵
PID:5876
- C:\Windows\SysWOW64\Cdjlap32.exe
  C:\Windows\system32\Cdjlap32.exe
  2⤵
  PID:5936

C:\Windows\SysWOW64\Cfhhml32.exe
C:\Windows\system32\Cfhhml32.exe
1⤵
PID:5976
- C:\Windows\SysWOW64\Cifdjg32.exe
  C:\Windows\system32\Cifdjg32.exe
  2⤵
  PID:6024
- - C:\Windows\SysWOW64\Cleqfb32.exe
    C:\Windows\system32\Cleqfb32.exe
    3⤵
    PID:6084
  - - C:\Windows\SysWOW64\Cbaehl32.exe
      C:\Windows\system32\Cbaehl32.exe
      4⤵
      PID:656
    - - C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        5⤵
        
        PID:5168
      - C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        6⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        7⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        8⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        9⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Eippgckc.exe
        
        C:\Windows\system32\Eippgckc.exe
        10⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\Fnnimbaj.exe
        
        C:\Windows\system32\Fnnimbaj.exe
        11⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Feimadoe.exe
        
        C:\Windows\system32\Feimadoe.exe
        12⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Fjgfgbek.exe
        
        C:\Windows\system32\Fjgfgbek.exe
        13⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\Fpandm32.exe
        
        C:\Windows\system32\Fpandm32.exe
        14⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Fpckjlje.exe
        
        C:\Windows\system32\Fpckjlje.exe
        15⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\Fpfholhc.exe
        
        C:\Windows\system32\Fpfholhc.exe
        16⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Gjqinamq.exe
        
        C:\Windows\system32\Gjqinamq.exe
        17⤵
        
        PID:3988

C:\Windows\SysWOW64\Glabolja.exe
C:\Windows\system32\Glabolja.exe
1⤵
PID:2296
- C:\Windows\SysWOW64\Gdhjpjjd.exe
  C:\Windows\system32\Gdhjpjjd.exe
  2⤵
  PID:4916

C:\Windows\SysWOW64\Gggfme32.exe
C:\Windows\system32\Gggfme32.exe
1⤵
- Executes dropped EXE
PID:5004
- C:\Windows\SysWOW64\Gfjfhbpb.exe
  C:\Windows\system32\Gfjfhbpb.exe
  2⤵
  PID:3696
- - C:\Windows\SysWOW64\Gqagkjne.exe
    C:\Windows\system32\Gqagkjne.exe
    3⤵
    PID:1900
  - - C:\Windows\SysWOW64\Hqddqj32.exe
      C:\Windows\system32\Hqddqj32.exe
      4⤵
      PID:5884
    - - C:\Windows\SysWOW64\Hnhdjn32.exe
        
        C:\Windows\system32\Hnhdjn32.exe
        5⤵
        
        PID:5968
      - C:\Windows\SysWOW64\Hjoeoo32.exe
        
        C:\Windows\system32\Hjoeoo32.exe
        6⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Hddilh32.exe
        
        C:\Windows\system32\Hddilh32.exe
        7⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Hmpnqj32.exe
        
        C:\Windows\system32\Hmpnqj32.exe
        8⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Hcifmdeo.exe
        
        C:\Windows\system32\Hcifmdeo.exe
        9⤵
        
        PID:5464

C:\Windows\SysWOW64\Hgebnc32.exe
C:\Windows\system32\Hgebnc32.exe
1⤵
PID:5524
- C:\Windows\SysWOW64\Hjcojo32.exe
  C:\Windows\system32\Hjcojo32.exe
  2⤵
  PID:4284

C:\Windows\SysWOW64\Ifjoop32.exe
C:\Windows\system32\Ifjoop32.exe
1⤵
PID:1744
- C:\Windows\SysWOW64\Imdgljil.exe
  C:\Windows\system32\Imdgljil.exe
  2⤵
  PID:5704

C:\Windows\SysWOW64\Incdem32.exe
C:\Windows\system32\Incdem32.exe
1⤵
PID:2952
- C:\Windows\SysWOW64\Ifoijonj.exe
  C:\Windows\system32\Ifoijonj.exe
  2⤵
  PID:3944

C:\Windows\SysWOW64\Icciccmd.exe
C:\Windows\system32\Icciccmd.exe
1⤵
PID:2592
- C:\Windows\SysWOW64\Ifaepolg.exe
  C:\Windows\system32\Ifaepolg.exe
  2⤵
  PID:4888
- - C:\Windows\SysWOW64\Iqgjmg32.exe
    C:\Windows\system32\Iqgjmg32.exe
    3⤵
    PID:5764
  - - C:\Windows\SysWOW64\Imnjbhaa.exe
      C:\Windows\system32\Imnjbhaa.exe
      4⤵
      PID:4564
  - - C:\Windows\SysWOW64\Eplgod32.exe
      C:\Windows\system32\Eplgod32.exe
      4⤵
      PID:2472

C:\Windows\SysWOW64\Icgbob32.exe
C:\Windows\system32\Icgbob32.exe
1⤵
PID:1916
- C:\Windows\SysWOW64\Jakchf32.exe
  C:\Windows\system32\Jakchf32.exe
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\Jcjodbgl.exe
    C:\Windows\system32\Jcjodbgl.exe
    3⤵
    PID:1424
  - - C:\Windows\SysWOW64\Jjdgal32.exe
      C:\Windows\system32\Jjdgal32.exe
      4⤵
      PID:4060
    - - C:\Windows\SysWOW64\Janpnfee.exe
        
        C:\Windows\system32\Janpnfee.exe
        5⤵
        
        PID:5864
      - C:\Windows\SysWOW64\Jfkhfmdm.exe
        
        C:\Windows\system32\Jfkhfmdm.exe
        6⤵
        
        PID:5916

C:\Windows\SysWOW64\Jnapgjdo.exe
C:\Windows\system32\Jnapgjdo.exe
1⤵
PID:5956
- C:\Windows\SysWOW64\Japmcfcc.exe
  C:\Windows\system32\Japmcfcc.exe
  2⤵
  PID:6128
- - C:\Windows\SysWOW64\Jgjeppkp.exe
    C:\Windows\system32\Jgjeppkp.exe
    3⤵
    PID:5204
  - - C:\Windows\SysWOW64\Jndmlj32.exe
      C:\Windows\system32\Jndmlj32.exe
      4⤵
      PID:5388
    - - C:\Windows\SysWOW64\Jcaeea32.exe
        
        C:\Windows\system32\Jcaeea32.exe
        5⤵
        
        PID:1020
      - C:\Windows\SysWOW64\Jnfjbj32.exe
        
        C:\Windows\system32\Jnfjbj32.exe
        6⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\Jepbodhg.exe
        
        C:\Windows\system32\Jepbodhg.exe
        7⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\Kmlgcf32.exe
        
        C:\Windows\system32\Kmlgcf32.exe
        8⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Kceoppmo.exe
        
        C:\Windows\system32\Kceoppmo.exe
        9⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Abcgii32.exe
        
        C:\Windows\system32\Abcgii32.exe
        8⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Beaced32.exe
        
        C:\Windows\system32\Beaced32.exe
        9⤵
        
        PID:5840

C:\Windows\SysWOW64\Kjpgmj32.exe
C:\Windows\system32\Kjpgmj32.exe
1⤵
PID:1676
- C:\Windows\SysWOW64\Kmncif32.exe
  C:\Windows\system32\Kmncif32.exe
  2⤵
  PID:4940
- - C:\Windows\SysWOW64\Khcgfo32.exe
    C:\Windows\system32\Khcgfo32.exe
    3⤵
    PID:5068
  - - C:\Windows\SysWOW64\Lennpb32.exe
      C:\Windows\system32\Lennpb32.exe
      4⤵
      PID:2520
    - - C:\Windows\SysWOW64\Ldckan32.exe
        
        C:\Windows\system32\Ldckan32.exe
        5⤵
        
        PID:1272
      - C:\Windows\SysWOW64\Lfbgmj32.exe
        
        C:\Windows\system32\Lfbgmj32.exe
        6⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Lechkaga.exe
        
        C:\Windows\system32\Lechkaga.exe
        7⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Lfddci32.exe
        
        C:\Windows\system32\Lfddci32.exe
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Lokldg32.exe
        
        C:\Windows\system32\Lokldg32.exe
        9⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Leedqa32.exe
        
        C:\Windows\system32\Leedqa32.exe
        10⤵
        
        PID:444
        
        C:\Windows\SysWOW64\Mhfmbl32.exe
        
        C:\Windows\system32\Mhfmbl32.exe
        11⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\Mgkjch32.exe
        
        C:\Windows\system32\Mgkjch32.exe
        12⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Mobbdf32.exe
        
        C:\Windows\system32\Mobbdf32.exe
        13⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Mhkgnkoj.exe
        
        C:\Windows\system32\Mhkgnkoj.exe
        14⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Mmhofbma.exe
        
        C:\Windows\system32\Mmhofbma.exe
        15⤵
        
        PID:4320

C:\Windows\SysWOW64\Hclccd32.exe
C:\Windows\system32\Hclccd32.exe
1⤵
PID:3260

C:\Windows\SysWOW64\Hmbkfjko.exe
C:\Windows\system32\Hmbkfjko.exe
1⤵
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\Mhmcck32.exe
C:\Windows\system32\Mhmcck32.exe
1⤵
PID:448
- C:\Windows\SysWOW64\Mklpof32.exe
  C:\Windows\system32\Mklpof32.exe
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\Meadlo32.exe
    C:\Windows\system32\Meadlo32.exe
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\Mknlef32.exe
      C:\Windows\system32\Mknlef32.exe
      4⤵
      PID:6004
    - - C:\Windows\SysWOW64\Ndfanlpi.exe
        
        C:\Windows\system32\Ndfanlpi.exe
        5⤵
        
        PID:2288
      - C:\Windows\SysWOW64\Namnmp32.exe
        
        C:\Windows\system32\Namnmp32.exe
        6⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\Kfcdaehf.exe
        
        C:\Windows\system32\Kfcdaehf.exe
        7⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Kiaqnagj.exe
        
        C:\Windows\system32\Kiaqnagj.exe
        8⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Hhnkppbf.exe
        
        C:\Windows\system32\Hhnkppbf.exe
        9⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Mmfaafej.exe
        
        C:\Windows\system32\Mmfaafej.exe
        10⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Djhiglji.exe
        
        C:\Windows\system32\Djhiglji.exe
        11⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\Iacepmik.exe
        
        C:\Windows\system32\Iacepmik.exe
        12⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Jdgjgh32.exe
        
        C:\Windows\system32\Jdgjgh32.exe
        13⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Klibdcjo.exe
        
        C:\Windows\system32\Klibdcjo.exe
        14⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Jdhpba32.exe
        
        C:\Windows\system32\Jdhpba32.exe
        15⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Kpdjbapj.exe
        
        C:\Windows\system32\Kpdjbapj.exe
        16⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Lnoalehl.exe
        
        C:\Windows\system32\Lnoalehl.exe
        17⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Loqjlg32.exe
        
        C:\Windows\system32\Loqjlg32.exe
        18⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Mnjqhcno.exe
        
        C:\Windows\system32\Mnjqhcno.exe
        19⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Mgebfhcl.exe
        
        C:\Windows\system32\Mgebfhcl.exe
        20⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Mhenpk32.exe
        
        C:\Windows\system32\Mhenpk32.exe
        21⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Moofmeal.exe
        
        C:\Windows\system32\Moofmeal.exe
        22⤵
        
        PID:408
        
        C:\Windows\SysWOW64\Mbmbiqqp.exe
        
        C:\Windows\system32\Mbmbiqqp.exe
        23⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\Mgjkag32.exe
        
        C:\Windows\system32\Mgjkag32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Nqdlpmce.exe
        
        C:\Windows\system32\Nqdlpmce.exe
        25⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Ngodlgka.exe
        
        C:\Windows\system32\Ngodlgka.exe
        26⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Nnkioq32.exe
        
        C:\Windows\system32\Nnkioq32.exe
        27⤵
        
        PID:3392

C:\Windows\SysWOW64\Neebkkgi.exe
C:\Windows\system32\Neebkkgi.exe
1⤵
PID:5160
- C:\Windows\SysWOW64\Ngcngfgl.exe
  C:\Windows\system32\Ngcngfgl.exe
  2⤵
  PID:2472
- - C:\Windows\SysWOW64\Nojfic32.exe
    C:\Windows\system32\Nojfic32.exe
    3⤵
    PID:5488
  - - C:\Windows\SysWOW64\Nbibeo32.exe
      C:\Windows\system32\Nbibeo32.exe
      4⤵
      PID:4960
    - - C:\Windows\SysWOW64\Nicjaino.exe
        
        C:\Windows\system32\Nicjaino.exe
        5⤵
        
        PID:2980
      - C:\Windows\SysWOW64\Nombnc32.exe
        
        C:\Windows\system32\Nombnc32.exe
        6⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Ondleo32.exe
        
        C:\Windows\system32\Ondleo32.exe
        7⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\Oabiak32.exe
        
        C:\Windows\system32\Oabiak32.exe
        8⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\Opdiobod.exe
        
        C:\Windows\system32\Opdiobod.exe
        9⤵
        
        PID:3732

C:\Windows\SysWOW64\Oeqagi32.exe
C:\Windows\system32\Oeqagi32.exe
1⤵
PID:4888
- C:\Windows\SysWOW64\Ogoncd32.exe
  C:\Windows\system32\Ogoncd32.exe
  2⤵
  PID:4360
- C:\Windows\SysWOW64\Epndddnk.exe
  C:\Windows\system32\Epndddnk.exe
  2⤵
  PID:5868

C:\Windows\SysWOW64\Onifpodl.exe
C:\Windows\system32\Onifpodl.exe
1⤵
PID:3828
- C:\Windows\SysWOW64\Oiojmgcb.exe
  C:\Windows\system32\Oiojmgcb.exe
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\Onkbenbi.exe
    C:\Windows\system32\Onkbenbi.exe
    3⤵
    PID:5740
  - - C:\Windows\SysWOW64\Oeekbhif.exe
      C:\Windows\system32\Oeekbhif.exe
      4⤵
      PID:3868
    - - C:\Windows\SysWOW64\Pgdgodhj.exe
        
        C:\Windows\system32\Pgdgodhj.exe
        5⤵
        
        PID:936
      - C:\Windows\SysWOW64\Picchg32.exe
        
        C:\Windows\system32\Picchg32.exe
        6⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Pnplqn32.exe
        
        C:\Windows\system32\Pnplqn32.exe
        7⤵
        
        PID:448
        
        C:\Windows\SysWOW64\Piepnfnj.exe
        
        C:\Windows\system32\Piepnfnj.exe
        8⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Pbndgl32.exe
        
        C:\Windows\system32\Pbndgl32.exe
        9⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Pihmcflg.exe
        
        C:\Windows\system32\Pihmcflg.exe
        10⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Pneelmjo.exe
        
        C:\Windows\system32\Pneelmjo.exe
        11⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Pacahhib.exe
        
        C:\Windows\system32\Pacahhib.exe
        12⤵
        
        PID:456
        
        C:\Windows\SysWOW64\Phmjdbpo.exe
        
        C:\Windows\system32\Phmjdbpo.exe
        13⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Qimfoe32.exe
        
        C:\Windows\system32\Qimfoe32.exe
        14⤵
        
        PID:2344

C:\Windows\SysWOW64\Qahkch32.exe
C:\Windows\system32\Qahkch32.exe
1⤵
PID:6120
- C:\Windows\SysWOW64\Qhbcpb32.exe
  C:\Windows\system32\Qhbcpb32.exe
  2⤵
  PID:5816
- - C:\Windows\SysWOW64\Qpikao32.exe
    C:\Windows\system32\Qpikao32.exe
    3⤵
    PID:2916

C:\Windows\SysWOW64\Qbggmk32.exe
C:\Windows\system32\Qbggmk32.exe
1⤵
PID:5300
- C:\Windows\SysWOW64\Aiapjecl.exe
  C:\Windows\system32\Aiapjecl.exe
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\Alplfpbp.exe
    C:\Windows\system32\Alplfpbp.exe
    3⤵
    PID:5080
  - - C:\Windows\SysWOW64\Aonhblad.exe
      C:\Windows\system32\Aonhblad.exe
      4⤵
      PID:4504
    - - C:\Windows\SysWOW64\Aaldngqg.exe
        
        C:\Windows\system32\Aaldngqg.exe
        5⤵
        
        PID:420

C:\Windows\SysWOW64\Ahfmka32.exe
C:\Windows\system32\Ahfmka32.exe
1⤵
PID:5544
- C:\Windows\SysWOW64\Apndloif.exe
  C:\Windows\system32\Apndloif.exe
  2⤵
  PID:5952

C:\Windows\SysWOW64\Ablahjhj.exe
C:\Windows\system32\Ablahjhj.exe
1⤵
PID:1108
- C:\Windows\SysWOW64\Aejmdegn.exe
  C:\Windows\system32\Aejmdegn.exe
  2⤵
  PID:5464
- - C:\Windows\SysWOW64\Ahiiqafa.exe
    C:\Windows\system32\Ahiiqafa.exe
    3⤵
    PID:3276
  - - C:\Windows\SysWOW64\Aocamk32.exe
      C:\Windows\system32\Aocamk32.exe
      4⤵
      PID:5892

C:\Windows\SysWOW64\Aihfjd32.exe
C:\Windows\system32\Aihfjd32.exe
1⤵
PID:3556
- C:\Windows\SysWOW64\Algbfo32.exe
  C:\Windows\system32\Algbfo32.exe
  2⤵
  PID:5128

C:\Windows\SysWOW64\Aoenbkll.exe
C:\Windows\system32\Aoenbkll.exe
1⤵
PID:2772
- C:\Windows\SysWOW64\Aacjofkp.exe
  C:\Windows\system32\Aacjofkp.exe
  2⤵
  PID:4560
- - C:\Windows\SysWOW64\Aikbpckb.exe
    C:\Windows\system32\Aikbpckb.exe
    3⤵
    PID:3152

C:\Windows\SysWOW64\Bhppap32.exe
C:\Windows\system32\Bhppap32.exe
1⤵
PID:4832
- C:\Windows\SysWOW64\Bpggbm32.exe
  C:\Windows\system32\Bpggbm32.exe
  2⤵
  PID:4196
- - C:\Windows\SysWOW64\Bbecnipp.exe
    C:\Windows\system32\Bbecnipp.exe
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\Bedpjdoc.exe
      C:\Windows\system32\Bedpjdoc.exe
      4⤵
      PID:4020
    - - C:\Windows\SysWOW64\Blnhgn32.exe
        
        C:\Windows\system32\Blnhgn32.exe
        5⤵
        
        PID:2640

C:\Windows\SysWOW64\Biaiqb32.exe
C:\Windows\system32\Biaiqb32.exe
1⤵
PID:5428
- C:\Windows\SysWOW64\Blpemn32.exe
  C:\Windows\system32\Blpemn32.exe
  2⤵
  PID:876
- - C:\Windows\SysWOW64\Booaii32.exe
    C:\Windows\system32\Booaii32.exe
    3⤵
    PID:1600

C:\Windows\SysWOW64\Cadcfd32.exe
C:\Windows\system32\Cadcfd32.exe
1⤵
PID:5028
- C:\Windows\SysWOW64\Cikkga32.exe
  C:\Windows\system32\Cikkga32.exe
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\Clihcm32.exe
    C:\Windows\system32\Clihcm32.exe
    3⤵
    PID:2964
  - - C:\Windows\SysWOW64\Cccppgcp.exe
      C:\Windows\system32\Cccppgcp.exe
      4⤵
      PID:5900

C:\Windows\SysWOW64\Cebllbcc.exe
C:\Windows\system32\Cebllbcc.exe
1⤵
PID:3760
- C:\Windows\SysWOW64\Chphhn32.exe
  C:\Windows\system32\Chphhn32.exe
  2⤵
  PID:5168
- - C:\Windows\SysWOW64\Cpgqik32.exe
    C:\Windows\system32\Cpgqik32.exe
    3⤵
    PID:5828

C:\Windows\SysWOW64\Ccfmef32.exe
C:\Windows\system32\Ccfmef32.exe
1⤵
PID:4572
- C:\Windows\SysWOW64\Cediab32.exe
  C:\Windows\system32\Cediab32.exe
  2⤵
  PID:5440

C:\Windows\SysWOW64\Cpjmok32.exe
C:\Windows\system32\Cpjmok32.exe
1⤵
PID:1508
- C:\Windows\SysWOW64\Cchikf32.exe
  C:\Windows\system32\Cchikf32.exe
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\Cibagpgg.exe
    C:\Windows\system32\Cibagpgg.exe
    3⤵
    PID:1716
  - - C:\Windows\SysWOW64\Cpljdjnd.exe
      C:\Windows\system32\Cpljdjnd.exe
      4⤵
      PID:2512

C:\Windows\SysWOW64\Dapcab32.exe
C:\Windows\system32\Dapcab32.exe
1⤵
PID:5864
- C:\Windows\SysWOW64\Dekobaki.exe
  C:\Windows\system32\Dekobaki.exe
  2⤵
  PID:5516

C:\Windows\SysWOW64\Dhjknljl.exe
C:\Windows\system32\Dhjknljl.exe
1⤵
PID:4952
- C:\Windows\SysWOW64\Dpqcoj32.exe
  C:\Windows\system32\Dpqcoj32.exe
  2⤵
  PID:5880
- - C:\Windows\SysWOW64\Denlgq32.exe
    C:\Windows\system32\Denlgq32.exe
    3⤵
    PID:5296

C:\Windows\SysWOW64\Dadlmanj.exe
C:\Windows\system32\Dadlmanj.exe
1⤵
PID:4348
- C:\Windows\SysWOW64\Djkdnool.exe
  C:\Windows\system32\Djkdnool.exe
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\Dljqjjnp.exe
    C:\Windows\system32\Dljqjjnp.exe
    3⤵
    PID:6000

C:\Windows\SysWOW64\Dohmff32.exe
C:\Windows\system32\Dohmff32.exe
1⤵
PID:552
- C:\Windows\SysWOW64\Dfbebpdq.exe
  C:\Windows\system32\Dfbebpdq.exe
  2⤵
  PID:6088
- - C:\Windows\SysWOW64\Dllmoj32.exe
    C:\Windows\system32\Dllmoj32.exe
    3⤵
    PID:4432
  - - C:\Windows\SysWOW64\Ecfeldcj.exe
      C:\Windows\system32\Ecfeldcj.exe
      4⤵
      PID:960
    - - C:\Windows\SysWOW64\Efdbhpbn.exe
        
        C:\Windows\system32\Efdbhpbn.exe
        5⤵
        
        PID:6156
      - C:\Windows\SysWOW64\Ehcndkaa.exe
        
        C:\Windows\system32\Ehcndkaa.exe
        6⤵
        
        PID:6204

C:\Windows\SysWOW64\Eomfae32.exe
C:\Windows\system32\Eomfae32.exe
1⤵
PID:6248
- C:\Windows\SysWOW64\Ebkbmqhb.exe
  C:\Windows\system32\Ebkbmqhb.exe
  2⤵
  PID:6292
- - C:\Windows\SysWOW64\Ejbknnid.exe
    C:\Windows\system32\Ejbknnid.exe
    3⤵
    PID:6336

C:\Windows\SysWOW64\Elagjihh.exe
C:\Windows\system32\Elagjihh.exe
1⤵
PID:6376
- C:\Windows\SysWOW64\Eoocfegl.exe
  C:\Windows\system32\Eoocfegl.exe
  2⤵
  PID:6420

C:\Windows\SysWOW64\Eckogc32.exe
C:\Windows\system32\Eckogc32.exe
1⤵
PID:6464
- C:\Windows\SysWOW64\Efikco32.exe
  C:\Windows\system32\Efikco32.exe
  2⤵
  PID:6552

C:\Windows\SysWOW64\Chbenm32.exe
C:\Windows\system32\Chbenm32.exe
1⤵
PID:5264

C:\Windows\SysWOW64\Apdkmn32.exe
C:\Windows\system32\Apdkmn32.exe
1⤵
PID:2776

C:\Windows\SysWOW64\Aaanif32.exe
C:\Windows\system32\Aaanif32.exe
1⤵
PID:5056

C:\Windows\SysWOW64\Achmjmnb.exe
C:\Windows\system32\Achmjmnb.exe
1⤵
PID:6588
- C:\Windows\SysWOW64\Aloekjod.exe
  C:\Windows\system32\Aloekjod.exe
  2⤵
  PID:6636

C:\Windows\SysWOW64\Aalndaml.exe
C:\Windows\system32\Aalndaml.exe
1⤵
PID:6720
- C:\Windows\SysWOW64\Acjjpllp.exe
  C:\Windows\system32\Acjjpllp.exe
  2⤵
  PID:6768
- - C:\Windows\SysWOW64\Alaaajmb.exe
    C:\Windows\system32\Alaaajmb.exe
    3⤵
    PID:6812
  - - C:\Windows\SysWOW64\Anpnmele.exe
      C:\Windows\system32\Anpnmele.exe
      4⤵
      PID:6852

C:\Windows\SysWOW64\Aanjiqki.exe
C:\Windows\system32\Aanjiqki.exe
1⤵
PID:6892
- C:\Windows\SysWOW64\Acmfel32.exe
  C:\Windows\system32\Acmfel32.exe
  2⤵
  PID:6932

C:\Windows\SysWOW64\Ahhbfkbf.exe
C:\Windows\system32\Ahhbfkbf.exe
1⤵
PID:6976
- C:\Windows\SysWOW64\Ajfobfaj.exe
  C:\Windows\system32\Ajfobfaj.exe
  2⤵
  PID:7016

C:\Windows\SysWOW64\Abngccbl.exe
C:\Windows\system32\Abngccbl.exe
1⤵
PID:7060
- C:\Windows\SysWOW64\Aaqgop32.exe
  C:\Windows\system32\Aaqgop32.exe
  2⤵
  PID:7100

C:\Windows\SysWOW64\Adockl32.exe
C:\Windows\system32\Adockl32.exe
1⤵
PID:7140
- C:\Windows\SysWOW64\Alfkli32.exe
  C:\Windows\system32\Alfkli32.exe
  2⤵
  PID:6152

C:\Windows\SysWOW64\Andghd32.exe
C:\Windows\system32\Andghd32.exe
1⤵
PID:6228
- C:\Windows\SysWOW64\Aaccdp32.exe
  C:\Windows\system32\Aaccdp32.exe
  2⤵
  PID:6284

C:\Windows\SysWOW64\Adapqk32.exe
C:\Windows\system32\Adapqk32.exe
1⤵
PID:6356
- C:\Windows\SysWOW64\Blhhaigj.exe
  C:\Windows\system32\Blhhaigj.exe
  2⤵
  PID:6432

C:\Windows\SysWOW64\Bjkhme32.exe
C:\Windows\system32\Bjkhme32.exe
1⤵
PID:6512
- C:\Windows\SysWOW64\Bbbpnc32.exe
  C:\Windows\system32\Bbbpnc32.exe
  2⤵
  PID:5268
- - C:\Windows\SysWOW64\Beqljn32.exe
    C:\Windows\system32\Beqljn32.exe
    3⤵
    PID:6548
  - - C:\Windows\SysWOW64\Bhohfj32.exe
      C:\Windows\system32\Bhohfj32.exe
      4⤵
      PID:6616

C:\Windows\SysWOW64\Bjnece32.exe
C:\Windows\system32\Bjnece32.exe
1⤵
PID:6692
- C:\Windows\SysWOW64\Bagmpoco.exe
  C:\Windows\system32\Bagmpoco.exe
  2⤵
  PID:6744
- - C:\Windows\SysWOW64\Becipn32.exe
    C:\Windows\system32\Becipn32.exe
    3⤵
    PID:6832

C:\Windows\SysWOW64\Bhaeli32.exe
C:\Windows\system32\Bhaeli32.exe
1⤵
PID:6900
- C:\Windows\SysWOW64\Bjpaheio.exe
  C:\Windows\system32\Bjpaheio.exe
  2⤵
  PID:6964
- - C:\Windows\SysWOW64\Bbgiibja.exe
    C:\Windows\system32\Bbgiibja.exe
    3⤵
    PID:7044
  - - C:\Windows\SysWOW64\Bdhfaj32.exe
      C:\Windows\system32\Bdhfaj32.exe
      4⤵
      PID:7108
    - - C:\Windows\SysWOW64\Ckidoc32.exe
        
        C:\Windows\system32\Ckidoc32.exe
        5⤵
        
        PID:1424
      - C:\Windows\SysWOW64\Coepob32.exe
        
        C:\Windows\system32\Coepob32.exe
        6⤵
        
        PID:6272

C:\Windows\SysWOW64\Ceoillaj.exe
C:\Windows\system32\Ceoillaj.exe
1⤵
PID:6344
- C:\Windows\SysWOW64\Cdaigi32.exe
  C:\Windows\system32\Cdaigi32.exe
  2⤵
  PID:6484
- - C:\Windows\SysWOW64\Ckladcoa.exe
    C:\Windows\system32\Ckladcoa.exe
    3⤵
    PID:6528

C:\Windows\SysWOW64\Cbcieqpd.exe
C:\Windows\system32\Cbcieqpd.exe
1⤵
PID:6608
- C:\Windows\SysWOW64\Ceaealoh.exe
  C:\Windows\system32\Ceaealoh.exe
  2⤵
  PID:6716

C:\Windows\SysWOW64\Cddemi32.exe
C:\Windows\system32\Cddemi32.exe
1⤵
PID:6792
- C:\Windows\SysWOW64\Clknnf32.exe
  C:\Windows\system32\Clknnf32.exe
  2⤵
  PID:6920
- - C:\Windows\SysWOW64\Coijja32.exe
    C:\Windows\system32\Coijja32.exe
    3⤵
    PID:7096
  - - C:\Windows\SysWOW64\Ddmhcg32.exe
      C:\Windows\system32\Ddmhcg32.exe
      4⤵
      PID:4608

C:\Windows\SysWOW64\Dkgqpaed.exe
C:\Windows\system32\Dkgqpaed.exe
1⤵
PID:6324
- C:\Windows\SysWOW64\Dboiaoff.exe
  C:\Windows\system32\Dboiaoff.exe
  2⤵
  PID:6428
- - C:\Windows\SysWOW64\Dememj32.exe
    C:\Windows\system32\Dememj32.exe
    3⤵
    PID:6596
  - - C:\Windows\SysWOW64\Dhkaif32.exe
      C:\Windows\system32\Dhkaif32.exe
      4⤵
      PID:6728
    - - C:\Windows\SysWOW64\Doeifpkk.exe
        
        C:\Windows\system32\Doeifpkk.exe
        5⤵
        
        PID:6928

C:\Windows\SysWOW64\Dacebkko.exe
C:\Windows\system32\Dacebkko.exe
1⤵
PID:7068
- C:\Windows\SysWOW64\Dhnnoe32.exe
  C:\Windows\system32\Dhnnoe32.exe
  2⤵
  PID:6280
- - C:\Windows\SysWOW64\Dccbln32.exe
    C:\Windows\system32\Dccbln32.exe
    3⤵
    PID:6476
  - - C:\Windows\SysWOW64\Eddodfhp.exe
      C:\Windows\system32\Eddodfhp.exe
      4⤵
      PID:6628
    - - C:\Windows\SysWOW64\Eojcao32.exe
        
        C:\Windows\system32\Eojcao32.exe
        5⤵
        
        PID:6972
      - C:\Windows\SysWOW64\Eahomk32.exe
        
        C:\Windows\system32\Eahomk32.exe
        6⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Edgkif32.exe
        
        C:\Windows\system32\Edgkif32.exe
        7⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Ehddpdlc.exe
        
        C:\Windows\system32\Ehddpdlc.exe
        8⤵
        
        PID:3608

C:\Windows\SysWOW64\Elpppcdl.exe
C:\Windows\system32\Elpppcdl.exe
1⤵
PID:6300
- C:\Windows\SysWOW64\Eoollocp.exe
  C:\Windows\system32\Eoollocp.exe
  2⤵
  PID:4440

C:\Windows\SysWOW64\Eamhhjbd.exe
C:\Windows\system32\Eamhhjbd.exe
1⤵
PID:6668
- C:\Windows\SysWOW64\Eehdii32.exe
  C:\Windows\system32\Eehdii32.exe
  2⤵
  PID:7008
- - C:\Windows\SysWOW64\Elbmebbj.exe
    C:\Windows\system32\Elbmebbj.exe
    3⤵
    PID:7180

C:\Windows\SysWOW64\Ekemap32.exe
C:\Windows\system32\Ekemap32.exe
1⤵
PID:7224
- C:\Windows\SysWOW64\Eaoenjqa.exe
  C:\Windows\system32\Eaoenjqa.exe
  2⤵
  PID:7268
- - C:\Windows\SysWOW64\Ednajepe.exe
    C:\Windows\system32\Ednajepe.exe
    3⤵
    PID:7308
  - - C:\Windows\SysWOW64\Eleikb32.exe
      C:\Windows\system32\Eleikb32.exe
      4⤵
      PID:7500
    - - C:\Windows\SysWOW64\Fnjhccnd.exe
        
        C:\Windows\system32\Fnjhccnd.exe
        5⤵
        
        PID:7584
      - C:\Windows\SysWOW64\Ikmnec32.exe
        
        C:\Windows\system32\Ikmnec32.exe
        6⤵
        
        PID:7628

C:\Windows\SysWOW64\Anmagenh.exe
C:\Windows\system32\Anmagenh.exe
1⤵
PID:6680

C:\Windows\SysWOW64\Iohjebkd.exe
C:\Windows\system32\Iohjebkd.exe
1⤵
PID:7664
- C:\Windows\SysWOW64\Ibffbnjh.exe
  C:\Windows\system32\Ibffbnjh.exe
  2⤵
  PID:7708
- - C:\Windows\SysWOW64\Idebniil.exe
    C:\Windows\system32\Idebniil.exe
    3⤵
    PID:7756

C:\Windows\SysWOW64\Iiqooh32.exe
C:\Windows\system32\Iiqooh32.exe
1⤵
PID:7796
- C:\Windows\SysWOW64\Ikokkc32.exe
  C:\Windows\system32\Ikokkc32.exe
  2⤵
  PID:7844
- - C:\Windows\SysWOW64\Jenedhaa.exe
    C:\Windows\system32\Jenedhaa.exe
    3⤵
    PID:7948
  - - C:\Windows\SysWOW64\Dpqonl32.exe
      C:\Windows\system32\Dpqonl32.exe
      4⤵
      PID:7988

C:\Windows\SysWOW64\Dhjcdimf.exe
C:\Windows\system32\Dhjcdimf.exe
1⤵
PID:8180
- C:\Windows\SysWOW64\Dikpla32.exe
  C:\Windows\system32\Dikpla32.exe
  2⤵
  PID:7212

C:\Windows\SysWOW64\Dpehikja.exe
C:\Windows\system32\Dpehikja.exe
1⤵
PID:7336
- C:\Windows\SysWOW64\Efopeeao.exe
  C:\Windows\system32\Efopeeao.exe
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\Einmaaqb.exe
    C:\Windows\system32\Einmaaqb.exe
    3⤵
    PID:6076
  - - C:\Windows\SysWOW64\Ealkcm32.exe
      C:\Windows\system32\Ealkcm32.exe
      4⤵
      PID:4580
    - - C:\Windows\SysWOW64\Kaehepeg.exe
        
        C:\Windows\system32\Kaehepeg.exe
        5⤵
        
        PID:7460
      - C:\Windows\SysWOW64\Nahgik32.exe
        
        C:\Windows\system32\Nahgik32.exe
        6⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Ooqqmoac.exe
        
        C:\Windows\system32\Ooqqmoac.exe
        7⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Cihcen32.exe
        
        C:\Windows\system32\Cihcen32.exe
        8⤵
        
        PID:7716

C:\Windows\SysWOW64\Dmglmpkn.exe
C:\Windows\system32\Dmglmpkn.exe
1⤵
PID:7256

C:\Windows\SysWOW64\Dpckclld.exe
C:\Windows\system32\Dpckclld.exe
1⤵
PID:8128

C:\Windows\SysWOW64\Dmdogpmq.exe
C:\Windows\system32\Dmdogpmq.exe
1⤵
PID:8096

C:\Windows\SysWOW64\Djfckenm.exe
C:\Windows\system32\Djfckenm.exe
1⤵
PID:8056

C:\Windows\SysWOW64\Dhgfoioi.exe
C:\Windows\system32\Dhgfoioi.exe
1⤵
PID:8024

C:\Windows\SysWOW64\Diafkl32.exe
C:\Windows\system32\Diafkl32.exe
1⤵
PID:7744
- C:\Windows\SysWOW64\Dkpbgh32.exe
  C:\Windows\system32\Dkpbgh32.exe
  2⤵
  PID:7804

C:\Windows\SysWOW64\Dcgjie32.exe
C:\Windows\system32\Dcgjie32.exe
1⤵
PID:6112
- C:\Windows\SysWOW64\Dpmknf32.exe
  C:\Windows\system32\Dpmknf32.exe
  2⤵
  PID:3992
- - C:\Windows\SysWOW64\Dpphcf32.exe
    C:\Windows\system32\Dpphcf32.exe
    3⤵
    PID:2324

C:\Windows\SysWOW64\Ejlban32.exe
C:\Windows\system32\Ejlban32.exe
1⤵
PID:3496

C:\Windows\SysWOW64\Ejoogm32.exe
C:\Windows\system32\Ejoogm32.exe
1⤵
PID:3836

C:\Windows\SysWOW64\Fmbdnhme.exe
C:\Windows\system32\Fmbdnhme.exe
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aanjiqki.exe

Filesize
1KB

MD5
a0865ccf3fb85665b799be622b797618

SHA1
8fdf20aabb021d59e70fa205c0c98d536153d0fc

SHA256
03c9a731723a987586da67f8e552467e85ba3a89836e28bed4d071d7ba95355b

SHA512
c1b1019c3c250371e3c0bf387a41a701af280a5bf81ef93b22cf8adf73854f978192fc1ed8465acacc6f7fb4a3de028632f9cf99ebb0f119294c7c7ccde21e4e

Download Submit
C:\Windows\SysWOW64\Aednci32.exe

Filesize
25KB

MD5
f6ab5d319b9cc94414089ef15194d5e7

SHA1
58f495d473dc8576d345a3f8f2720d60abc47f92

SHA256
e188685b44d136d63ab18d13cff9cc727c2bf7cc46ae1d621dad093402d3f7c3

SHA512
27f1534f86c138295a8426d8445e4ca798c2f81e099ec12fee00d0bce3c82693800d10bf7d7a82092c07b7fb452f8ff1745518d21064f343b9c7537f4aaa2607

Download Submit
C:\Windows\SysWOW64\Aednci32.exe

Filesize
22KB

MD5
64a458a51a64ee9e0ec9b1534747f9af

SHA1
6e3a97e79b7d78454cf95fab0a36066ba2393fa3

SHA256
307bd1b7c36ef3c79b5a21dd45e6a6598ce2bea95068e0ce504210196112266e

SHA512
71783c67eba89225aa23f1f24fb5e6d382c16fa0034211d71dfa31095a91871a95c45dc68fd19eba7b1d2d2e638da7f2487e97eead41dec44153827c46fa0d30

Download Submit
C:\Windows\SysWOW64\Ahhbfkbf.exe

Filesize
14KB

MD5
8fb03763d870c3f6a76001d72e1ff7a7

SHA1
bdb74fa6da346827bc7dba86accf8f3a178e84c7

SHA256
08cf4a3cda36806bf9cd0ee1e1fcc154aa3195b76ce3b0499f6a304e8903e02b

SHA512
3e72d8374141b1550bfab9810fbc5647d722ab48b5b18a682381e3898388943cf15c68a63c9984c355efc298e5c6887ab14154094375dbab97c4eb117cbea676

Download Submit
C:\Windows\SysWOW64\Cihcen32.exe

Filesize
25KB

MD5
3e3a1e722972764ba0e0605c9ba95b1f

SHA1
7840e7a40dba2a56c88fd0744e7331c6dfbd2720

SHA256
e18b66c31d26165f477facda1f9a60b5f1b1c5d0156eae5a7a839392169f6f8a

SHA512
3a36987a4d09abb220a7206c8afc4d1d14208e9925bb224bce5a57637d02e48d21e94fd5b4dffbc0f25567bb2f6d288c93803619a40cf493340b6ab68af1b01b

Download Submit
C:\Windows\SysWOW64\Ckpbnb32.exe

Filesize
128KB

MD5
693418674fb2adda099133ad4a1ddae7

SHA1
8e1806ffedaecb8596f306699a85219087972e80

SHA256
97000119f803bc4b92877c5ad1b44aa484671633f2b540d33ef8e18a07069fb0

SHA512
96102b472a336dc9803c83ce4e2dfedd649e128c52976305bd60ec360a17a731a37f5564718fc387bf3cbbdc38a04ed14ea74eb761d6849bda19c32c68022bb0

Download Submit
C:\Windows\SysWOW64\Dflmlj32.exe

Filesize
5KB

MD5
b95058a1e4650f0b07ade7799596a789

SHA1
a2c67c990da55dec002e6eaf03a9de05c8aba9ca

SHA256
d2e62afe5a5624ce3e1e0fa963f914bff100cdd81d5b0119e3b8521829b64d09

SHA512
a87caeecba00f4131668535214cfa6dc08e240e1940f6ae92ec6b3aaaa1b41b3faa1b0f889beeed7f4a70f875c07a1c5f49a7b8bdd8bd0c168c3a57b6b151c8a

Download Submit
C:\Windows\SysWOW64\Dihlbf32.exe

Filesize
22KB

MD5
b8e002119865ecb3b1e80d8bf1ea7fdc

SHA1
a988f260ddfe699e8c00c3481bb4b32992a7c253

SHA256
fc6873075ab0c4324923c3005e80bdcacfdb1e75d31771820546f2d492a3e7da

SHA512
0aeea8cc2eeae5ece8be7dcaa070cc8d0b9d53c5c15e013ff6d600064975cd86d26f1bfeb158687900dddc2ff1813fbc6ce59d3c525bdaced08a85435cbc860b

Download Submit
C:\Windows\SysWOW64\Doeifpkk.exe

Filesize
1KB

MD5
dd99b56829ccb6d2fc73488c9662bf59

SHA1
046ac313aaed1ad99a510aa202e258e2d51dfc58

SHA256
de601410ded9441ecf4c7494ef51011962ccf1d4926c140a8469dcd71f4d0bdc

SHA512
0959d00c8172d293552203a0f8f6cc87398b4afe04915a3581bfba870396e502b52d2c8bcc9ece1ba2525caa5b007506637d867fc4ce8ad3b97dccce5046fa3f

Download Submit
C:\Windows\SysWOW64\Dpehikja.exe

Filesize
32KB

MD5
57bb12a0f954a19cd253a41037cfce5a

SHA1
1c8b67f1026242202091c72e474004b31acdf628

SHA256
13760212227711a36fc1783041e098b1dca27a22432829d38541b20867038b3c

SHA512
0a6ba4c827c59db1e2f3f00558967fa0870cbcaa514cd552477baa5fd7eef3931fc7d993c7a5ce2a0ff23b27fe593b91b8047982ab372a6e65fd29cab3c9fa0d

Download Submit
C:\Windows\SysWOW64\Dpgbgpbe.exe

Filesize
33KB

MD5
363b31f849a1fe3f3407485dbc6a38b4

SHA1
5f4d9c79f1bbb92fcf636f7381e8ea12741e2425

SHA256
587420c3fddee546b7d07b0000232ae8e84bf39610fdc1fa92b5f931f0101c2e

SHA512
2d3905865199dd8df64f4d3e0871ef4aee79fefa1a4c37163536ec25d08dc9b6070bfb2cf15fa41c31b6cf2ca70b4a83452d24e4234e4478e67e394e864eea90

Download Submit
C:\Windows\SysWOW64\Dpnkdq32.exe

Filesize
6KB

MD5
367c8198a344ab72274111acc729f426

SHA1
87d42af6b7e484b25aa524a77effb0aa30322152

SHA256
26d3510b467c1fa0b6438fcdc3cc1a15ff950565131933607be7e6bad2ee8ec4

SHA512
237f73cb3ba7ab780bf1a330d60c208029e639b1d7c9f69072b4da92d4484fbe4efbdc3756daff7e5077b408e91727b4af166f1b1442d02b748ee4a1f8a816c9

Download Submit
C:\Windows\SysWOW64\Dpnkdq32.exe

Filesize
128KB

MD5
644930e0acac019a1bbc21fc105d58bf

SHA1
06ed78143785e88fe45bf02a01b4b54f44fefd28

SHA256
0d13f1c06dea6692821371c07b8f25496c633c5c7075e27413eddcea5f3fe568

SHA512
c68533392172550873e966346ec0fcc87cc79caa8aa7b646f073822b9752f05495429285aab1e113cd7a59b6dce1a19fef00a9c062773ce231a3436a9b64dc06

Download Submit
C:\Windows\SysWOW64\Edgkif32.exe

Filesize
10KB

MD5
a43d00e9ab42fdc8716d944ed09395d2

SHA1
295d4a313c953e8d512494923c3dd36f91fd7cb4

SHA256
f0e883901558f78a1e7ee196694613f7b710e7783b6ca007ea2cf259688ac073

SHA512
8ce7431a29ff0ad1d6debdc635372e7aa731e5fc30575299465d8631c618dccf56158a0851a071d02fafc41d94b7437fa28272b5b2d3eb5418bc4a1c6d32f009

Download Submit
C:\Windows\SysWOW64\Ejchbmna.exe

Filesize
16KB

MD5
dd6adc2facba201998b5cb1d7a9bc31d

SHA1
3f2d14491977f4548e6a921f1d0b3578de64ef01

SHA256
9395c35c0a6aa214d03e4adc0d3dc70215bf90c4ec6dc5ca758e75df6b3ae02d

SHA512
48db48f557e2314db1c0d07f1f166e6d9345761d131a36e5058dea56cfa0c3510f2abe69677ed0a0f617abe75495b51ef889bd8265e2ef4ef3037e5fac2aa205

Download Submit
C:\Windows\SysWOW64\Fnjhccnd.exe

Filesize
56KB

MD5
4a94770cd51bfde2166c8f3bb65e0a66

SHA1
13b8a60cfbd2b01ffc24995aaeb057e86dd330c1

SHA256
84d257a903bf8cd340c3a4122313cabb30af2c318974d352cde6753e5aedb855

SHA512
30b63ceb6757666979ef4561dc3e799447404fdcbe27d7806553e377855b598ad945574b4f178f5239ea0e79b740079eb89509f96e82a88c8bf118584083f7c3

Download Submit
C:\Windows\SysWOW64\Gncchb32.exe

Filesize
7KB

MD5
b34e88b7cd37862a9382ab945bf9981d

SHA1
e9760429b8fa72113653fbffd62ef40fcebf25a9

SHA256
cd439bd93094fae4349969f3de5f211f22b259bb494d4e0ecfb6caf15ed25091

SHA512
a48f3e62fdf1291253be274fe4c359468d173489d7f8961aec9c445eda261e099a3911d7489c9da82f9db27b04b76d653720b2ff2fb1eb5844d4d48da7474131

Download Submit
C:\Windows\SysWOW64\Iiqooh32.exe

Filesize
44KB

MD5
3054ee3293edd60cee1fcdb218223dcb

SHA1
57aef7b4650dc19da45de069741779eb2706e516

SHA256
113027c889f7873a7540902ed0d15b42bed23caa9348a3181e4f39c1fbd9ed35

SHA512
f7620accbe28280bdc0eb1784729d94e395ff83269b598411c679c137acb07089792cf32ed87d5c50a1ccd31853434a2478408cc4827246a9d8198d9a13e47f9

Download Submit
C:\Windows\SysWOW64\Kaehepeg.exe

Filesize
42KB

MD5
27421552342fd9b5fcae268ff9a90c1b

SHA1
a873760271d80420f6e7be5db335257200668ef0

SHA256
f4de9ae9d14d6437e236b2be9e6ecfbe73a051e64f9b20ea9add0e8b6c378922

SHA512
e90b65c7a0457f7f0a03f02572b7464e7a194a4272a438f7a95f91510956c6686241bad3a77fe655a7b75b7ab54f3262d70038614709687da61151ec764a21a5

Download Submit
C:\Windows\SysWOW64\Kpdjbapj.exe

Filesize
1KB

MD5
96bce04d33a44e2683f8d918f1b5875d

SHA1
62f034756b257a483e7a54c696e0550f6e48599b

SHA256
41c0340f047fcc876f7392d140f68cce21be65cfb9cc3ac1b6448505a2d0d732

SHA512
5936b910f899c97188fcc5fdc0c73068bcd6188e8266fa8f1528db89c4a30a54e2babf1e21810ac0e03a36a8a6adf86400f7ff8c4c160844c24ea311a93acc64

Download Submit
C:\Windows\SysWOW64\Likhem32.exe

Filesize
13KB

MD5
7039b731a318ce9ae840b8084a4f3cd0

SHA1
10e4160d5f9a8d2b368fc0fe4e6a15c65f19535a

SHA256
33894ac237758adf1026e0d11265654db17cd0a8e6e070488a1ac02b171d9776

SHA512
38983b9e25e23dfd3b83c7176befb09affd14a095cffffcd84ef48b59dacfc68243e384d2bd5bdd08e849515d8a101f64daf89a7db5dbd4ea2769c66fe4ddd63

Download Submit
C:\Windows\SysWOW64\Mnjqhcno.exe

Filesize
16KB

MD5
3063028905cab89daca60fd640863c1f

SHA1
8af7eddf5c5ca9d3f6c3bde56fef14e96680c3ba

SHA256
fe08ce96dfc6f074df99d9671bd6676d024ae4626d78dcf860d0bd7cc78cb3b2

SHA512
26a2c53de9fd58e8c1c57d3c163727f4f651d35a25c3b7fb73fc2e3215ec86dbd408f1317f45f95727db8679c98207751fd7b571aa81a0fdb07a3dc692ce324e

Download Submit
C:\Windows\SysWOW64\Neebkkgi.exe

Filesize
12KB

MD5
b3d2679ce2f47f9dc194fea67ec3c08e

SHA1
abd48ce7d86a60d60aaa63aa7ae24b9e667f0630

SHA256
35770abd52240e8cdce99b24e1422a72fb50036babe74a502eaa6dc3af9a7ab0

SHA512
ca102d783d3c241c4ddbd31cc90d3ec773609a3290869fdf7e1a71ecff29ec5e54d7034c9d022e0910c03248bd1301448c1a87dce39bd0cd277a8d1a7ac39e6b

Download Submit
C:\Windows\SysWOW64\Nqdlpmce.exe

Filesize
21KB

MD5
5c238990bb96b8b2b7c536b2ea4a7ae4

SHA1
8e58ae52ec20fadb96bcbe01b7124a0ed14ddc26

SHA256
43facd64e08fde253d72c09ba846b5a1c409d904ed7d1e59bea7086c1e1d993d

SHA512
3d6f3a6dc1e1e0ea082e426f2db0a527f6a3c4dcde217cc326ae5060a47cc00b40650d2e91dc1c15b6ddedf44b3895bccad921e7677b6cfd60eee7eaff934bb6

Download Submit
memory/100-98-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/100-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/448-322-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/460-24-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/460-106-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/744-313-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1060-222-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1156-292-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1356-32-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1356-115-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1600-72-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1600-150-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2016-145-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2016-217-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2092-63-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2092-143-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2188-295-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2192-173-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2192-107-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2288-259-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2300-154-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2300-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2348-226-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2348-304-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2640-305-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3008-178-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3016-187-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3268-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3268-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3376-311-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3376-235-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3408-117-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3408-182-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3544-321-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3544-250-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3644-319-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3652-99-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3652-164-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3708-138-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3708-204-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3764-133-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3764-47-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4060-7-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4060-88-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4068-197-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4072-287-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4072-213-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4324-169-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4364-279-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4432-126-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4432-191-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4496-139-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4496-55-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4548-89-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4548-159-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4832-233-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4832-155-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4836-207-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4980-314-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4980-243-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5004-124-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5004-40-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5028-267-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5084-281-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads