d0051eec84e965bcc80b3d5cbcabfff3a92ad475d6a7b45d8fd2fd37cbe6bed5

Analysis

max time kernel
97s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2024.02.08/03a3a464ef2a1fbe54b35a8effbf54f9.exe
Size

704KB
MD5

03a3a464ef2a1fbe54b35a8effbf54f9
SHA1

e1d0b9a184b8237604e4aeca0617ff552a03e512
SHA256

d9177637cdb5e533cbd79df70eb4c73d2a16ec7f40500c848e7ceaa850c4ed97
SHA512

ebbb69912ade407817542e3ced65a32b6155f4acf338c3851726e0ba601647e6ddb9f871b098130d02be3612284f5834d95e322c556311768772255710b99e5d
SSDEEP

12288:KIVttK00rQg5W/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KFHTP7rXFr/+zrWAI5b:KIK00rQg5Wm0BmmvFimm0MTP7hm0b

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjcmngnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfbjdnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amkhmoap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jejbhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qapnmopa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajaelc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medglemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnkfmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcnnllcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfobp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddklbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnaecedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnhkdd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefkkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koonge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjhfif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbenoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iecmhlhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfqnbjfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jejbhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lehhqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kedlip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcghkm32.exe

Executes dropped EXE 64 IoCs

pid	Process
2540	Fqppci32.exe
3860	Fndpmndl.exe
4932	Filapfbo.exe
4192	Finnef32.exe
3632	Fnkfmm32.exe
4132	Fiqjke32.exe
1624	Ggmmlamj.exe
4532	Hbenoi32.exe
2184	Hhaggp32.exe
1012	Hnlodjpa.exe
1456	Hldiinke.exe
2816	Ieojgc32.exe
3252	Ibcjqgnm.exe
3768	Ihpcinld.exe
1332	Iamamcop.exe
2896	Jbccge32.exe
1132	Kedlip32.exe
2732	Koonge32.exe
3640	Kpnjah32.exe
3384	Kiikpnmj.exe
5000	Lohqnd32.exe
880	Lhcali32.exe
228	Lcmodajm.exe
3852	Mpclce32.exe
3504	Mpeiie32.exe
4456	Nciopppp.exe
2800	Nijqcf32.exe
3168	Nbbeml32.exe
1736	Nfqnbjfi.exe
4392	Ojcpdg32.exe
4972	Opbean32.exe
2832	Pcpnhl32.exe
4156	Ppikbm32.exe
3296	Piapkbeg.exe
3796	Pbjddh32.exe
364	Pfhmjf32.exe
4196	Qapnmopa.exe
2120	Amfobp32.exe
2860	Amikgpcc.exe
548	Amkhmoap.exe
1452	Ajaelc32.exe
3212	Aalmimfd.exe
4984	Bmbnnn32.exe
1544	Bfkbfd32.exe
3284	Bfmolc32.exe
2008	Bmggingc.exe
5068	Bpedeiff.exe
5100	Binhnomg.exe
3008	Bipecnkd.exe
2368	Bbhildae.exe
1480	Cienon32.exe
2188	Ccmcgcmp.exe
4416	Cdmoafdb.exe
4700	Caqpkjcl.exe
3192	Ccblbb32.exe
2332	Ckidcpjl.exe
4688	Cacmpj32.exe
5080	Dgpeha32.exe
3844	Dinael32.exe
4608	Daeifj32.exe
2892	Dcffnbee.exe
3520	Dnljkk32.exe
3676	Ddfbgelh.exe
748	Ddhomdje.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lehhqg32.exe	Lefkkg32.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Acppddig.exe
File opened for modification	C:\Windows\SysWOW64\Hnlodjpa.exe	Hhaggp32.exe
File opened for modification	C:\Windows\SysWOW64\Gbbkocid.exe	Gdnjfojj.exe
File opened for modification	C:\Windows\SysWOW64\Aalmimfd.exe	Ajaelc32.exe
File created	C:\Windows\SysWOW64\Hgocgjgk.exe	Gbbkocid.exe
File created	C:\Windows\SysWOW64\Lapmnano.dll	Hnhkdd32.exe
File opened for modification	C:\Windows\SysWOW64\Ldfoad32.exe	Lbebilli.exe
File created	C:\Windows\SysWOW64\Nooikj32.exe	Nheqnpjk.exe
File opened for modification	C:\Windows\SysWOW64\Iamamcop.exe	Ihpcinld.exe
File created	C:\Windows\SysWOW64\Jfmlqhcc.dll	Kedlip32.exe
File created	C:\Windows\SysWOW64\Njogfipp.dll	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Pcpnhl32.exe	Opbean32.exe
File opened for modification	C:\Windows\SysWOW64\Jdalog32.exe	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Gqhomdeb.dll	Klgqabib.exe
File created	C:\Windows\SysWOW64\Ibcjqgnm.exe	Ieojgc32.exe
File created	C:\Windows\SysWOW64\Bkgppbgc.dll	Kiikpnmj.exe
File opened for modification	C:\Windows\SysWOW64\Ekqckmfb.exe	Ekngemhd.exe
File opened for modification	C:\Windows\SysWOW64\Lhmafcnf.exe	Klgqabib.exe
File opened for modification	C:\Windows\SysWOW64\Pmhkflnj.exe	Pbbgicnd.exe
File created	C:\Windows\SysWOW64\Finnef32.exe	Filapfbo.exe
File opened for modification	C:\Windows\SysWOW64\Kpnjah32.exe	Koonge32.exe
File created	C:\Windows\SysWOW64\Lbcedmnl.exe	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Ocknbglo.exe	Obkahddl.exe
File opened for modification	C:\Windows\SysWOW64\Hjfbjdnd.exe	Hannao32.exe
File opened for modification	C:\Windows\SysWOW64\Mddkbbfg.exe	Mlifnphl.exe
File opened for modification	C:\Windows\SysWOW64\Lbebilli.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Okahhpqj.dll	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Ookhfigk.exe	Ocdgahag.exe
File created	C:\Windows\SysWOW64\Acppddig.exe	Qpbgnecp.exe
File opened for modification	C:\Windows\SysWOW64\Finnef32.exe	Filapfbo.exe
File created	C:\Windows\SysWOW64\Qjfpkhpm.dll	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Khhmbdka.dll	Piceflpi.exe
File created	C:\Windows\SysWOW64\Nbjnhape.dll	Hnlodjpa.exe
File created	C:\Windows\SysWOW64\Inidkb32.exe	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Pecpknke.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Cacmpj32.exe	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Naapmhbn.dll	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Eapjpi32.dll	Piapkbeg.exe
File created	C:\Windows\SysWOW64\Nheqnpjk.exe	Nchhfild.exe
File created	C:\Windows\SysWOW64\Koonge32.exe	Kedlip32.exe
File opened for modification	C:\Windows\SysWOW64\Ojcpdg32.exe	Nfqnbjfi.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	Daeifj32.exe
File created	C:\Windows\SysWOW64\Jfbnnelf.dll	Nheqnpjk.exe
File opened for modification	C:\Windows\SysWOW64\Acppddig.exe	Qpbgnecp.exe
File opened for modification	C:\Windows\SysWOW64\Filapfbo.exe	Fndpmndl.exe
File opened for modification	C:\Windows\SysWOW64\Opbean32.exe	Ojcpdg32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqpbm32.exe	Icachjbb.exe
File opened for modification	C:\Windows\SysWOW64\Fqppci32.exe	03a3a464ef2a1fbe54b35a8effbf54f9.exe
File created	C:\Windows\SysWOW64\Fllinoed.dll	Ejojljqa.exe
File created	C:\Windows\SysWOW64\Ekngemhd.exe	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Fqfojblo.exe	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Jlkklm32.dll	Gjaphgpl.exe
File opened for modification	C:\Windows\SysWOW64\Gjhfif32.exe	Gcnnllcg.exe
File created	C:\Windows\SysWOW64\Jcokoo32.dll	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Efoomp32.dll	Amkhmoap.exe
File created	C:\Windows\SysWOW64\Dinael32.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Binhnomg.exe	Bpedeiff.exe
File opened for modification	C:\Windows\SysWOW64\Ielfgmnj.exe	Hjfbjdnd.exe
File created	C:\Windows\SysWOW64\Idjcam32.dll	Leabphmp.exe
File created	C:\Windows\SysWOW64\Ckmpakdh.dll	Nooikj32.exe
File created	C:\Windows\SysWOW64\Ohbikenl.dll	Omcbkl32.exe
File opened for modification	C:\Windows\SysWOW64\Qmanljfo.exe	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Ajaelc32.exe	Amkhmoap.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akpbem32.dll"	Hjfbjdnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfknmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbbkocid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpabila.dll"	Gdnjfojj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lefkkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpiaimfg.dll"	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iamamcop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoomp32.dll"	Amkhmoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koonge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dffdcecg.dll"	Gjhfif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjfbjdnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll"	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpclaedf.dll"	Hcedmkmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaflkim.dll"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkjom32.dll"	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbhhieao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icachjbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkholi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjhfif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjbpbd32.dll"	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbphca32.dll"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokomfqg.dll"	Ieojgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okahhpqj.dll"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbfdjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icachjbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijaaij32.dll"	Jdalog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koonge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfqnbjfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjcmngnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnmeodjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqgpnjq.dll"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamonn32.dll"	Ephbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iecmhlhb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 2540	1336	03a3a464ef2a1fbe54b35a8effbf54f9.exe	87
PID 1336 wrote to memory of 2540	1336	03a3a464ef2a1fbe54b35a8effbf54f9.exe	87
PID 1336 wrote to memory of 2540	1336	03a3a464ef2a1fbe54b35a8effbf54f9.exe	87
PID 2540 wrote to memory of 3860	2540	Fqppci32.exe	88
PID 2540 wrote to memory of 3860	2540	Fqppci32.exe	88
PID 2540 wrote to memory of 3860	2540	Fqppci32.exe	88
PID 3860 wrote to memory of 4932	3860	Fndpmndl.exe	89
PID 3860 wrote to memory of 4932	3860	Fndpmndl.exe	89
PID 3860 wrote to memory of 4932	3860	Fndpmndl.exe	89
PID 4932 wrote to memory of 4192	4932	Filapfbo.exe	90
PID 4932 wrote to memory of 4192	4932	Filapfbo.exe	90
PID 4932 wrote to memory of 4192	4932	Filapfbo.exe	90
PID 4192 wrote to memory of 3632	4192	Finnef32.exe	91
PID 4192 wrote to memory of 3632	4192	Finnef32.exe	91
PID 4192 wrote to memory of 3632	4192	Finnef32.exe	91
PID 3632 wrote to memory of 4132	3632	Fnkfmm32.exe	92
PID 3632 wrote to memory of 4132	3632	Fnkfmm32.exe	92
PID 3632 wrote to memory of 4132	3632	Fnkfmm32.exe	92
PID 4132 wrote to memory of 1624	4132	Fiqjke32.exe	93
PID 4132 wrote to memory of 1624	4132	Fiqjke32.exe	93
PID 4132 wrote to memory of 1624	4132	Fiqjke32.exe	93
PID 1624 wrote to memory of 4532	1624	Ggmmlamj.exe	94
PID 1624 wrote to memory of 4532	1624	Ggmmlamj.exe	94
PID 1624 wrote to memory of 4532	1624	Ggmmlamj.exe	94
PID 4532 wrote to memory of 2184	4532	Hbenoi32.exe	96
PID 4532 wrote to memory of 2184	4532	Hbenoi32.exe	96
PID 4532 wrote to memory of 2184	4532	Hbenoi32.exe	96
PID 2184 wrote to memory of 1012	2184	Hhaggp32.exe	95
PID 2184 wrote to memory of 1012	2184	Hhaggp32.exe	95
PID 2184 wrote to memory of 1012	2184	Hhaggp32.exe	95
PID 1012 wrote to memory of 1456	1012	Hnlodjpa.exe	97
PID 1012 wrote to memory of 1456	1012	Hnlodjpa.exe	97
PID 1012 wrote to memory of 1456	1012	Hnlodjpa.exe	97
PID 1456 wrote to memory of 2816	1456	Hldiinke.exe	98
PID 1456 wrote to memory of 2816	1456	Hldiinke.exe	98
PID 1456 wrote to memory of 2816	1456	Hldiinke.exe	98
PID 2816 wrote to memory of 3252	2816	Ieojgc32.exe	100
PID 2816 wrote to memory of 3252	2816	Ieojgc32.exe	100
PID 2816 wrote to memory of 3252	2816	Ieojgc32.exe	100
PID 3252 wrote to memory of 3768	3252	Ibcjqgnm.exe	99
PID 3252 wrote to memory of 3768	3252	Ibcjqgnm.exe	99
PID 3252 wrote to memory of 3768	3252	Ibcjqgnm.exe	99
PID 3768 wrote to memory of 1332	3768	Ihpcinld.exe	101
PID 3768 wrote to memory of 1332	3768	Ihpcinld.exe	101
PID 3768 wrote to memory of 1332	3768	Ihpcinld.exe	101
PID 1332 wrote to memory of 2896	1332	Iamamcop.exe	102
PID 1332 wrote to memory of 2896	1332	Iamamcop.exe	102
PID 1332 wrote to memory of 2896	1332	Iamamcop.exe	102
PID 2896 wrote to memory of 1132	2896	Jbccge32.exe	103
PID 2896 wrote to memory of 1132	2896	Jbccge32.exe	103
PID 2896 wrote to memory of 1132	2896	Jbccge32.exe	103
PID 1132 wrote to memory of 2732	1132	Kedlip32.exe	104
PID 1132 wrote to memory of 2732	1132	Kedlip32.exe	104
PID 1132 wrote to memory of 2732	1132	Kedlip32.exe	104
PID 2732 wrote to memory of 3640	2732	Koonge32.exe	105
PID 2732 wrote to memory of 3640	2732	Koonge32.exe	105
PID 2732 wrote to memory of 3640	2732	Koonge32.exe	105
PID 3640 wrote to memory of 3384	3640	Kpnjah32.exe	106
PID 3640 wrote to memory of 3384	3640	Kpnjah32.exe	106
PID 3640 wrote to memory of 3384	3640	Kpnjah32.exe	106
PID 3384 wrote to memory of 5000	3384	Kiikpnmj.exe	107
PID 3384 wrote to memory of 5000	3384	Kiikpnmj.exe	107
PID 3384 wrote to memory of 5000	3384	Kiikpnmj.exe	107
PID 5000 wrote to memory of 880	5000	Lohqnd32.exe	108

C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03a3a464ef2a1fbe54b35a8effbf54f9.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03a3a464ef2a1fbe54b35a8effbf54f9.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\Fqppci32.exe
  C:\Windows\system32\Fqppci32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\Fndpmndl.exe
    C:\Windows\system32\Fndpmndl.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\SysWOW64\Filapfbo.exe
      C:\Windows\system32\Filapfbo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4192
      - C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2184

C:\Windows\SysWOW64\Hnlodjpa.exe
C:\Windows\system32\Hnlodjpa.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\Hldiinke.exe
  C:\Windows\system32\Hldiinke.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\Ieojgc32.exe
    C:\Windows\system32\Ieojgc32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\Ibcjqgnm.exe
      C:\Windows\system32\Ibcjqgnm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3252

C:\Windows\SysWOW64\Ihpcinld.exe
C:\Windows\system32\Ihpcinld.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\SysWOW64\Iamamcop.exe
  C:\Windows\system32\Iamamcop.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\Jbccge32.exe
    C:\Windows\system32\Jbccge32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\Kedlip32.exe
      C:\Windows\system32\Kedlip32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        9⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        11⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        13⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        23⤵
        Executes dropped EXE
        
        PID:364
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        26⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        33⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        35⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        39⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        40⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        44⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        46⤵
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        48⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        50⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        51⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4424
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        53⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4896
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        55⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        56⤵
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        57⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        58⤵
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        59⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        60⤵
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        61⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        63⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:860
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        65⤵
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        66⤵
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        67⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        68⤵
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        69⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        71⤵
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        72⤵
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        74⤵
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4904
        
        C:\Windows\SysWOW64\Gcnnllcg.exe
        
        C:\Windows\system32\Gcnnllcg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Gjhfif32.exe
        
        C:\Windows\system32\Gjhfif32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Gdnjfojj.exe
        
        C:\Windows\system32\Gdnjfojj.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        82⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        83⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        84⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        85⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        86⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        87⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        91⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        94⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        98⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        100⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        101⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        102⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        103⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        104⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        105⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        109⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        110⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        111⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Lefkkg32.exe
        
        C:\Windows\system32\Lefkkg32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        116⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        117⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        119⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        121⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        122⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        124⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        126⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        129⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        132⤵
        
        PID:828
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        134⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        136⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        137⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        139⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        140⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        142⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        143⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2528
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        146⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        147⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        150⤵
        
        PID:6280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
704KB

MD5
306b5c78e0fedc7adccadef56b9e12b2

SHA1
bdd04ab7ef102d35d7fb8df1b5f4d21002aced19

SHA256
c7c68ba3cc9a26b23192a20bb8bebebd7ca12ad91ea5860aeee337dd4afcd81a

SHA512
e4e7b1677cd1fa9cb901ac33a816d1dace7ef2e3154ae104f5fc4c527eca4759cd3aa07b0edf40d56647badf2be68446462c733ab3f8c522b9e313b537c95225

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
704KB

MD5
858b9ae450c3d9fd13b1cb497bcb04e9

SHA1
0ffeb3e8ab911d6d2883e2337de7974790e33ed1

SHA256
085977dec834a8df5a99578590548885325047d96498e62cc2342594aa7ca069

SHA512
34eecd728d6f7e6844c1ae63942b6941b9a976d0b954a02f5d88b7456fea55c0f25328f91342c37666837588067f40699a050754854111456de62345e1125fde

Download Submit
C:\Windows\SysWOW64\Eglfjicq.dll

Filesize
7KB

MD5
1f62eba8e6ec1df60e4288d77ef272c6

SHA1
65bf10267eae25e45717ae6d18b86b0d59bebbd4

SHA256
1731e327ed408a22143570b6640516161da4524980c81a01a7954a4448633d16

SHA512
b3ed3038d371655ce958864147e8030a80fd4c6b423d69577b20f21e3f2f09eaf88ae3540d7c74112ab31ff230affcf79c1d42b6ac7dbc394fad52507465479c

Download Submit
C:\Windows\SysWOW64\Ejlnfjbd.exe

Filesize
704KB

MD5
51d9aef1c6c81cf05f7f5b2d47cc115a

SHA1
28d179a9ea90a2d7ea8fd29f685d339a20f19f8f

SHA256
22fb0f5099d178912078d6da785908b166e7e56f66d893dafadb501a2d77e4b4

SHA512
f1933efab024ad09474a6bc902c701fb5cae0b37aff1c0e62c2ca1185c17cb5ea1146e12a0b2f35d55016d624721e4abf0f0280ff2b5acaaf0c696845f073628

Download Submit
C:\Windows\SysWOW64\Ephbhd32.exe

Filesize
704KB

MD5
656a7c3fd222d1e94dbc4784ca53db3a

SHA1
81f712ea78f55411046bef3a896bfa5cfef75a40

SHA256
dc091b7b1775bd5e798a95926159c99c9703cb9a864871f9907898f4f02f8e16

SHA512
f12ff19e2dadfda3cb014fcbbf53a99b2b8ff8ee79b8baa051b4a2c9b06f7250187365cdf15b7a5779bb47a9cbf89ddf9aad15e7fade0389f0ec7f915c4a2aed

Download Submit
C:\Windows\SysWOW64\Fcekfnkb.exe

Filesize
704KB

MD5
0a89238fe7ab52fb48fc766357470c04

SHA1
07f29bfc418e72e51d54c36d3a37d617f50253c7

SHA256
7b8064ae7245d86252a438c76f7344c08cf286f358e7e7388274228bc4f1eb04

SHA512
27662732b1f1ff47237af565aa9dccfee6a9c7d9ba558117930f7126fef68e9ceac4ee75bdf8c973e3f383d19ac934d121236ec67d6afd647c8f6c801c0644b2

Download Submit
C:\Windows\SysWOW64\Filapfbo.exe

Filesize
704KB

MD5
47b11b75a64d0c32fc226589dbdb5275

SHA1
35320e4976c6eee7d739fb32b50784b87a35351f

SHA256
9b55230eea40ec7eb3b496fd587adae55742051f3fea683756d5074c165514b2

SHA512
2acbe21afbcedb3e30c0dd6bf0e6fb5213374c2e18c7ee23bc6dcb12db5d648e4a341f5b4802e2e75bc2cd2142730113d9999a64d6093d4b4627169f0af6307e

Download Submit
C:\Windows\SysWOW64\Finnef32.exe

Filesize
704KB

MD5
9c5ca82bce24501c9fcdc026ae953ee4

SHA1
806879f2df9ded29d6c93ab754deec0f840f0ea5

SHA256
445f9dc56cc328a03c77090cd18262ac3db1c8265fb5e8b66810a24dd71c47ec

SHA512
55690df41894c95efd540856dbe54a469736d0e79e4a3e8861617bd9c09f6df57b3424b24c73d090186fdd75b2cba1c98873e7a1068580a8517d1d041831ca35

Download Submit
C:\Windows\SysWOW64\Fiqjke32.exe

Filesize
704KB

MD5
4df329d8a2e6f30d71e9aaefd59eb9d9

SHA1
3e890aa3cde7a03ca677e8fe84e614356dede7c8

SHA256
ee4b8f3707361a206ea13f9e37ba9308b1e29198f8a6a3fdc46e812b7a1cbb41

SHA512
8b979daf57a365e0cf719217413fa992ccc9e2b10fbc2914435a7f5be4e94f7a55939477d34f14ae0cd6074bdf50ba5c1748134056697dbd9048108c5601d4a4

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
704KB

MD5
6f5b164e1d46b9d5a3784398ba60f6ee

SHA1
b469b141c76951ee809d4cb531e3f68e38bbbd68

SHA256
cfaff1244550fa943bd4de44efa1405556e814b21f0a34cbf095cbb33fd3becc

SHA512
dfa02537452671be07f0b7506bc967eb2c959255b01199ffeac7cb45f01af09676f964b6d437397c55959cc126d8fe94aa3ee8ab4ab1005a372db3783b6555be

Download Submit
C:\Windows\SysWOW64\Fndpmndl.exe

Filesize
704KB

MD5
dccee8ae86125c37e041f48a84d338b0

SHA1
02fa737652e7dc3a0879e1dbf665e0d5692c2eac

SHA256
86cee1cec0ce540ba8a94cc12e43ae41fdd123761e1f564bb2d05207c3e0c6c5

SHA512
c6feccc5ec493996ad2bed013884d074218ab832575d1cd5a382764f81cce591b4525c227140b24a6e72116c44329cd530ee540a207138e04e47c8cf63490afd

Download Submit
C:\Windows\SysWOW64\Fnkfmm32.exe

Filesize
704KB

MD5
646b6318663364b023db892caa048e92

SHA1
6d97da12902f5ef48f993d63a8aec7f1b18da588

SHA256
ba9650c43d6a81e08d221f9bf5a355b5b726d57fb36f80b8d6aa7b60a38a5ab7

SHA512
4ef27b4932f842d28f7f791eeba9af20c5ba33cac4dceb27e5e14a707c5e24fd8219a239bac3f4ed0cdf112f041fc36c9280ad7105ff9c8663be002ebfa0b58a

Download Submit
C:\Windows\SysWOW64\Fqppci32.exe

Filesize
704KB

MD5
a836eac08fc19c0f7d29fa851004ebf8

SHA1
bd982d9a6cf303bb666cb23f849359e04a210d11

SHA256
0f0aa340e5edc03609c4125e57c2140873d039d9d89feee78b5a351efd3596dd

SHA512
10fc05286172b759382f50b8ff1b98d8e0bf1d925721b33106d678d45efb5844d5053a4aff1f1f0efde3d239cbeaf8af52923308cee1b75bd3948f43b22ce96b

Download Submit
C:\Windows\SysWOW64\Gbbkocid.exe

Filesize
704KB

MD5
134d5272de37956e048618d21765ba70

SHA1
f669f03bf712e6ef459fb575467003710c70db8b

SHA256
c1c4f33c23ef5a01ac91c7638b2cd512a546fb27644d7ce74c55f3240d2f63f5

SHA512
bd5fce204614c59a9ce21271b0ce3156ce28e39a0dbff3073a973a8e7d28d80d6a7165f4b01e55b4a2ca66d2d47077901b9da527afcc80baa914fe166162549b

Download Submit
C:\Windows\SysWOW64\Gbhhieao.exe

Filesize
64KB

MD5
0524985828129a8e9326e3719257a69e

SHA1
e3da411baeb0ee89a9f81115d06bc3718937f4f1

SHA256
e2e5e3475c046eeac845e8853a3708210b4836a5251933a912f74243edb686d7

SHA512
712fbb9d93b9fcf5219dd6b466dd75b84fe2291b864c2a0d76a8cf36b6e542c251e5c21cae1d838f695f7a8462bc9515caa645a1b9a968f324ff32a70e2543e4

Download Submit
C:\Windows\SysWOW64\Ggmmlamj.exe

Filesize
704KB

MD5
cae5c22945ef8a65c9bcace0c510b9ce

SHA1
fa699240554320a567e1c2b9f54210b65a422e07

SHA256
d7615e34cca4d79edd081fd5cd56adcb3c4ba511c988405e8867da2e9a5d56a5

SHA512
da95b11d5cca34e519746c4c73811c689aec69bcec2eb491431776e7c591e49cfce0c33d734173659089d084895708ab9f052edc2a6b7c2d7792b2e66ebffc7a

Download Submit
C:\Windows\SysWOW64\Hbenoi32.exe

Filesize
704KB

MD5
2da2244fc7791f66fd2ab961c982f12f

SHA1
e8a6786c36dff2466c4253bb83706e812707fab6

SHA256
6607198f61268dc51cc0ca26f73c9a4dad4a02ee188466f06af4baab2d042a56

SHA512
b3ae98221ac2b4de849a3166e7259e64c331e0b2c0b4df93fa766316b390e5c0084a0e1337243ba86a5d44bd4d5200bcc0dc51d4d78239950778c057919593f9

Download Submit
C:\Windows\SysWOW64\Hhaggp32.exe

Filesize
704KB

MD5
5c857100475711e696170739865fed09

SHA1
911c943798d8e3bfc18a13ea3c253eae52dc72db

SHA256
844a8388163e65e97097057414461f57e8ff6d63e7d6ac141d5c3c5068925ff9

SHA512
985a51883105699a777645eb9fbcc717d00b8c122fc1322e8000ca8d943dbf13bdd558232dc0edb1d481dd655a05b4ee8398f4082e474e5fc985aeb476a43b76

Download Submit
C:\Windows\SysWOW64\Hldiinke.exe

Filesize
576KB

MD5
7188ef0fda73a4cf13f98b5dd15593fb

SHA1
f7c86f75fd412023e1f4adc229b8fb829b588c65

SHA256
e044bf3da15247d80df3046c5cf9f1554f403d5f3ab31fa09fa6711f0f746eed

SHA512
38cacda105583f5ff756cc19c1e40ca9bba606368fb10e73538d00871563c2b6cccbe9b826b0f253bb447462b32b710d382226fbd7f7498ba8fb3de34ee2c754

Download Submit
C:\Windows\SysWOW64\Hldiinke.exe

Filesize
704KB

MD5
29e8824f4f65147836796d2d79093be4

SHA1
4fc107355b4f0e935266db7eef0a811fa6fbf2d1

SHA256
119650ddef9cfc9787743093ecfc00e9e3885f00962e14e26305827347b384dd

SHA512
3413820d3b999aef717277fe116a4e8be5f6a2b30b60ff23c6fee86c5739dbc5b7964778a05a32ef0c0f9a6672a0ae27297f2c0359d42bb3fcd9228ff23db366

Download Submit
C:\Windows\SysWOW64\Hnlodjpa.exe

Filesize
704KB

MD5
887d30e3bd7966400f14a9aa16fdec24

SHA1
3bc4d08500b536d946fe9ffb7b96a041532af795

SHA256
96ce2f70adb185d79dd9141177d6f0c3233440b5d9a653a9d1f6ec64802cd805

SHA512
e4011c38c9ddc6d0d723ca56b612628ca2c30646795e805e9045fb3f8c58b9e20379dd5054bfd7d9f0bfc533bbc8b65a15d5c85e4e67e029564c5644e20f4e94

Download Submit
C:\Windows\SysWOW64\Hnmeodjc.exe

Filesize
704KB

MD5
8f2e3d0e923fbe5fa434b81e8aee5316

SHA1
f7a9cbc5aeba48b186e9913729c6a702787c3015

SHA256
3d4d276777f9a582b81f1add82ff96d3f5554194716ed2006f9170253e8c0d7a

SHA512
e152c9bdef1f803fb610b4db3723b9b9b4ba78c48221cddca02719867b46303f0628a597636581e246d6f380437596017a165a59b39ca1a56c33aa74c05c1b56

Download Submit
C:\Windows\SysWOW64\Iamamcop.exe

Filesize
704KB

MD5
ecdfc2db194ee444cd6ae9e26a656e6c

SHA1
479bbc8d99e9bd731d0de673f40ffee781828ea4

SHA256
e48dd1995f83986df7a23ba78b0034fdbf1eb2feaf6f64cdc1f5a917d13eeaf2

SHA512
b1e64961bc22f690edf257105c019662b941006b694c8947875722e854a51db97fa8b93172c70c6a6348abaf29833d344402dd0016c7c82d452714624a319640

Download Submit
C:\Windows\SysWOW64\Ibcjqgnm.exe

Filesize
704KB

MD5
bc58c78c02cbd08ae8387ecc2ae61da8

SHA1
0e49d07de2e5848147d2ca7b6bbaa51bcd7215dc

SHA256
f707a6fcbc7334b9373100a207b90fd9cbc9c9c6fe09de489e64c0c9f7e587d7

SHA512
878166725adc21553a55d204e64d719d8078c81f9240f374b1fa4f0eed5eca6cf93c81743620367b51924b62267d18a864228abd4b07ecb84870ef65c542d594

Download Submit
C:\Windows\SysWOW64\Ieojgc32.exe

Filesize
704KB

MD5
ea1750e0419b77c9a92a8d9db9546041

SHA1
09ce8a7b4a8b44377392f174b310a4bb488d66d5

SHA256
9a79dec5bce9f668a47c6176b72275512140afa0d36caf973b4f27c19a2ac7e1

SHA512
05aaa02fd59cd8a4a4a73de3f0d620cc69a9868e3c47b86ec850a7ec8df5df2532465b6886210bc00b72065dccd17cb232124e97c0fe659d1cfbd89a8cecbcfe

Download Submit
C:\Windows\SysWOW64\Ihpcinld.exe

Filesize
704KB

MD5
262c556d246b8860c3b79bd4cfdfcaac

SHA1
49105db1f54faacd0aecde6ce7314c3bcbe0e1c1

SHA256
30bf314c20fb6522007ae26100953a3dbd8c3378661a748037bca4831bd4da51

SHA512
aeab83295cc6e0254cc7861a413a5d274256106369eefe838f82833fcd030759ebffe39738210dc74f93d1922e853067482948b57a42ddf5d54fbc0a57af8f21

Download Submit
C:\Windows\SysWOW64\Jaemilci.exe

Filesize
704KB

MD5
a8bf4d2c024e9db4b9d9e2abfdc47230

SHA1
49584d85ce3a43548b47b7a26c53fa642bf6e9d1

SHA256
489f61afa46de969d732ed0a0a8c44ef50f9d42bbe39c87e4cef1bd612ffc9c6

SHA512
8e67581c9492b2975e09266ef81bd24d2c91602199875ffff0744ab7d9b408738ee3ffe286d9b6627ea3d8bda7609befdd2b5e35c7e6173e7c16c62939ecf02f

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
704KB

MD5
56c5fd9802855331ab81dcbfabfd0972

SHA1
682b8fb4bc1050921d9422b4f6b8719628bef017

SHA256
17ab26c49284c10a6e474542c35896c29d2c18f73b1bc97750a01fa541c3cdd9

SHA512
03062b6a92c83abac6ae8d938c564aa0d5324556c38029e32e394760481aea5fe4c0cb531cf5a467b90b6df588ee9679b967fb6309c8a6ae6485ff6da1061f51

Download Submit
C:\Windows\SysWOW64\Jbccge32.exe

Filesize
704KB

MD5
ffc0d43246b9ffa844e37a5f62a7974f

SHA1
d256ffd368d12b69b2cb698b9648cac63883244b

SHA256
0c586c8e743e2cf6e610ee810d1174d4032bafadc15a8c014fa60abff4cc84c2

SHA512
628d9c4eaf64724c006ae9c2b5ac539be2bd7f974b14afe79a5254dc180966871c734194ec3c93111a965451a53e2fa176590d177a3376c10537a542bab7c700

Download Submit
C:\Windows\SysWOW64\Kedlip32.exe

Filesize
704KB

MD5
36c332b0002d270bd65a613aa27b660b

SHA1
bc213bfc64c6c3d64b5c0a47d61b24cc03b9b4d0

SHA256
61a30923a307c23c8c8bf2b4fde49e915e0e042d06e5237a3454c04a18fa8471

SHA512
08f6f96cbec115d60145b4a4a46f1c8f12000015102b7ed794332c0bf495037981afb4e3aa28a6f9496d1c0a12abfc7183e5c037de5fcc32c8183188f379639d

Download Submit
C:\Windows\SysWOW64\Kiikpnmj.exe

Filesize
704KB

MD5
99f7c6b3f91e3045656806e4d1d64099

SHA1
0372e182ceb7907c5af465f21bdd2df6dc276ba6

SHA256
f02c32ad4b9db0b0d4e9284311606f5cd814ea079e35b867ad1f7be11dc8828a

SHA512
7635d2c95673a1892a4bb0817b9a60c6ae4488dad684b838071fdbb10d6cd8ee2d601b1db7c00222efd2d34301b83cfee17dfa6cbabd49cbfb28fce6b5d78496

Download Submit
C:\Windows\SysWOW64\Klgqabib.exe

Filesize
510KB

MD5
a56a39f2c2e91c1bb775fba324d362af

SHA1
2af1dd176e318e27b1176c9e4edbd2e390beabb7

SHA256
661008ee74c91ae908848c9649bedccbc23a753490898fcacad22ae39a05ebc8

SHA512
3d6291dea7709df768ae31686dc9885d5991f4ea082fcc2c99f0043f627921ceb43d97a7f72683b289ca570c1948fb6d69a9bc6c5372b0df1778bad818d0fbf6

Download Submit
C:\Windows\SysWOW64\Koonge32.exe

Filesize
704KB

MD5
7e67be848bd6a2ff2197c78606a9edce

SHA1
35c32904f9b467956a3268ff496a362cd7438802

SHA256
cc1d046a639e8aa5f422281d88a1b630a723f330705df18f230c0907cdbdc1d8

SHA512
87620da8c9d2132ae4351a76fc327d1e26604245902bf52f2bf183fa5a3e7e23db06cc40f8ab44df3167d6c937f2edcf7c8f1968eb8e30c5bec1f113bc52ab6b

Download Submit
C:\Windows\SysWOW64\Kpnjah32.exe

Filesize
704KB

MD5
fbe5ec3d0ac11989a3bcfb07e6b76145

SHA1
8bb1ea873e91a1d28cb48d2bec960c5ef4e80eb9

SHA256
6531d1f502a9a07dba0c258395bed5d4953b1d726c2a1125cc308d94bfff34f0

SHA512
0d28d1323734d860ec21677e10b49ea69d646beb4a571f8173ec751e78243d64143b09f13d48757ac1ef7c1207f784b5c1469a0c97e29d30420c88c939f6af22

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
704KB

MD5
4e0fe3aaebd2c4e7b49cacabb6ee48ec

SHA1
c6b367efb2d526ab480034adc0ad0f7ae84ed357

SHA256
e9ff14b01401b4bd7b430bfa9cd1cfa273e77363268205e58dd44a47d378ce99

SHA512
03fecf5ed64dddf507de598f89f942017b4eb1d90bfd4adeaabae8683ee9d1f20488a0f9030ffdf71623aa7cf3ae322043d4253ef9e02ce79ecd47419a1ded04

Download Submit
C:\Windows\SysWOW64\Lhcali32.exe

Filesize
704KB

MD5
619ce426be9b8e5c74cb0a50c0835810

SHA1
2c6ca7e32bfa0ecada5d09e45f1ec762f2cafe5b

SHA256
8599c0c144b64162585486cc07216dfbae53196fc7953ef06508a3a4b7225829

SHA512
76fba93c85edc7c9684aecb4a7261a5b4942bb6b0f27246df81621ad0decc68e15dc6a05f414cb4eb3caa06b5dbd7be9d4b728dd71a00ea57e61ea94532fd6ac

Download Submit
C:\Windows\SysWOW64\Lohqnd32.exe

Filesize
704KB

MD5
c2429315453de4f8f19800ce84feaf48

SHA1
8f363a6ea4367a24fb3545087c1f3a401b8475e6

SHA256
90986498ce7024f4f00c32909b2557f2bce0241af5bfed08385d5b6b2c1004ec

SHA512
b869620f2ccf5bc2fbcd467dc435c5ecd3b3fc907d610b94dca6d52ed23a95f4a58b9dbc7c724877a35a76e8f9a85a708ec625c8b06bae6ae64dc980f80e13b5

Download Submit
C:\Windows\SysWOW64\Lohqnd32.exe

Filesize
320KB

MD5
cd664c3f712dbde0595c027ec38b8256

SHA1
329adca88d2ba9bfca26b656bc7d3558dfe82d29

SHA256
717c3b3fa7418b9981d6d7242fa7e1e74de2b63f37e559fb742ea48e74618e17

SHA512
786ea90fb6eb8602f0cac9c69135b41645b54e2b1c6ff8ef97795ec19fa89a5fd7162d32f6de911c3467950088f25d133e973797823142627d4b9c0c749c4854

Download Submit
C:\Windows\SysWOW64\Mpclce32.exe

Filesize
704KB

MD5
91cd662c5356628cb575ec742db91fcf

SHA1
c922d84ac199c1023847a076081d61184b03f9a5

SHA256
4eda2bd1ba81f7f93c1a98b8e7a7d739a76f91e38e809fbc82a2c2211f803558

SHA512
33c9ebe9fa9702f49b7b9c3a0e37bb2482a2baa206f128cc6d6867b9610e0367ebb8c5ba7848d062cb0282908778a40d94ba4d9410acf72bd63d1428a200c4e4

Download Submit
C:\Windows\SysWOW64\Mpeiie32.exe

Filesize
704KB

MD5
10983fd3383647088a01854ce4980cc9

SHA1
9eb46a407ac1e3c61f40045bc4a1fc0980f3a01e

SHA256
6dd543e1555cc400922dd34e4d2266ba956b8fa1cb8c12b2d6c8b9021e5c7837

SHA512
8cc2633c04670e15943006a2625cc05246eb91d4797cd353fa1e52a1fead7b9aaa6a32d4c29610570d8ce1ae96f691ad9cdc717e4961d1db4914f52bfbcba6ae

Download Submit
C:\Windows\SysWOW64\Nbbeml32.exe

Filesize
704KB

MD5
3eeb29611081c5783cda7692e1a68cc8

SHA1
233c63d20fdf8fb55e641ae68bd972bfb842a284

SHA256
49dff01c45d86aea699ce11fe95853efeed7389a28d4f73421539a7233ba7363

SHA512
f150ecb9b96cd9b2f17bf7902483767b86fcd9ee081f655384a110fc49a3f653d998e42455783e61ccef9a4bf7006731c353d54f6d367c4e215d088d5929fbeb

Download Submit
C:\Windows\SysWOW64\Nciopppp.exe

Filesize
704KB

MD5
7681376823bd6bba06dbce27c982f19e

SHA1
083ce6ab8d330509980f88b5583029647d71e50a

SHA256
6f27768252b5f56de3bb0146eea54cf58088b7af15075a62479f8f4aaef755bd

SHA512
bf896554041a4615b610c77d7e8f1a85715f946b89092437262cdaccc55f60f785a5612e3c67ac88ef45b45055a1018b7c3a38c05241cb3825354f5f7afb8d22

Download Submit
C:\Windows\SysWOW64\Ndlacapp.exe

Filesize
704KB

MD5
eca9779f330a2661fde4aced8f393716

SHA1
a715a6df4dbb6752db50a659f8e5d708b9f13b37

SHA256
b2b2e54e094cd495563df7770d4ec5ee49717213ddce0a4453d3b53191fc45f3

SHA512
ea16e23f193b50d6f2ae75f5af116672b06b9f22d8cd165c698820f0cccc462d61b6ff1691c773fda25f64537b7f2f0429950d2ebe3b5a770481a5035ad67374

Download Submit
C:\Windows\SysWOW64\Nfqnbjfi.exe

Filesize
704KB

MD5
68e5438db79fcb282c5821a4f641fde2

SHA1
ef6a1d3d81cc9705ce707a09bbc87fc38a5be482

SHA256
74c486841c8ed381d9447e666c089380b4e6ba9c54ae399eb3ca450e09d57ca1

SHA512
02f210e17ddc565fb978f9b9e1f03bc85fd12698c05ecf149e712280d6d86a2f8fedc357333ba6f8a26d3ba97896dd038d41547b2b3e287a359f0892dfcda89a

Download Submit
C:\Windows\SysWOW64\Nijqcf32.exe

Filesize
704KB

MD5
8daa02598e69429669e503b72f780f6f

SHA1
cab98a29b7911f3ff2157ccb80a2128fef91c0ab

SHA256
32a03e2ea7755a7a7ee4ceabfffb1d76680631aafd63a6c043eac29b2b9461c2

SHA512
f6b0c6b897580f3971aa04d585811eaa600453f596754b4592700060528f770e2383a974737facb0dbd471936384482523adcb8749591fa65793b59477e85439

Download Submit
C:\Windows\SysWOW64\Obkahddl.exe

Filesize
640KB

MD5
8eef1d6d597b6aeb84110fe529914342

SHA1
5dca4dd58f776c083d8a673c5de456371f3ea146

SHA256
3271aa87f69c543844dda049595d869f0b3299dfb72da5a752437932d4ec373d

SHA512
fe29cabf76d3982d5a036572f52dd1bd716dda0d66c0a87f1e026ccf52b8c26d85c829b0f7589ad04eaf44dcc14cdc2cde960885dee483e609b57270defdabc4

Download Submit
C:\Windows\SysWOW64\Ojcpdg32.exe

Filesize
704KB

MD5
a834c90a7753a531c79678f9c257eb48

SHA1
17d50b5fb52a077578ddc377fd432e563ba5f5c8

SHA256
a0fbdcdaf7385996ecb1678fcd7a86e0b042c04b26bb35c0da9ace1d70109e4c

SHA512
d16273dcc401f46e06ba3b07ad0144f0eae34a7d51681774aba7380eef4d2df60c138003b2cdcad64bad9befcfefefe196b46e9dce6f23f891f73c6901938b94

Download Submit
C:\Windows\SysWOW64\Opbean32.exe

Filesize
704KB

MD5
ef6b6f3ce8ea10633dbbfe3e592ea611

SHA1
1442b36622560bbb88bf959843f139b88fbcd5f6

SHA256
94146aac7a6aca4bd2b088d5dfe7c747b116648871af6c2990eb24b3cba19142

SHA512
80c91efbe0e24efcf5e047996e35bb22c69b2eab535a2779b5d723bf062db999113a6c99f817d7b5a8e364bc06a90bed441003edff90e29a8e2b5bf349a35308

Download Submit
C:\Windows\SysWOW64\Pbjddh32.exe

Filesize
704KB

MD5
a7bcca5f71561d43bdbaea2932192ddc

SHA1
cebd15e9c0abb7f879c9985a5e2a1a2c5f9cb235

SHA256
8812f0350aeff6f3292b7cf9b9349f01c31d375fa14b51683bcadc6ce805b7f6

SHA512
c8c9947b677ac4e7a4e06b1e51e1df0b05688817486e2443de77071e5808ad5110fc4c50c09448623bbb79e89564e8b2f0914cf8d39953c571180b4c1d6dbbfe

Download Submit
C:\Windows\SysWOW64\Pcpnhl32.exe

Filesize
704KB

MD5
6261d725d02982eb1ee94fafb7b76f50

SHA1
ae73cc4c8794210f92a50205f1f53e754b5a2a32

SHA256
c31a57fe654d01536d7aec76245250c029eb3524a4940b231f8e3f972664927e

SHA512
06323d90d9efd3a7bc86e68e37b1a18825af0bd14639ecd923614e4bfb8ae16074da4b6dc63b70a4d34bea5877bd2721260c9e879a524337dddca1944f4adc08

Download Submit
C:\Windows\SysWOW64\Piaiqlak.exe

Filesize
576KB

MD5
a63c76e1d628b5064f1a388c6c213118

SHA1
62793e992e3b44742843de27014cced07c156954

SHA256
5e0cf9a2be62d47b5ac2b1e47d563284e798591c68d81e06ddef7dea072ee128

SHA512
48cf6fd18ac557976ffae9c4c5a7c38de8b6b5a30e5ed84e3c1a00459e6743974735d3e501b95ee22fec8969888f48cf822fcffbe3f4706061fb76a533d963be

Download Submit
C:\Windows\SysWOW64\Qapnmopa.exe

Filesize
704KB

MD5
e3828f50fb8df6849a52871f638ee1b7

SHA1
612fce83c567d58e012f8192652521bd3e6b4eb9

SHA256
4c6781cde619cd7305ca8e514c4ef0740a998fbc6215d01eabd4e3001fb65506

SHA512
4a36bc8ec4126237e06f82656c0065b0648a2697b66a230e3b00182f4f5403447c957b240cff1109639166dbba3b66f94c595aecc45f3bd1bcaa771acac3d5d6

Download Submit
C:\Windows\SysWOW64\Qpbgnecp.exe

Filesize
704KB

MD5
555ac1ebbdcd48be33983c6f5142d034

SHA1
d2ff9da54d691836afe618b4ebdf4594ec5eab9a

SHA256
03584143b3ead7f8bab4724412886c1762dd990bfb4f8f8653c1d0b226231ce7

SHA512
15a6590819690c0782378d877346ee22f89db55b208b1e634ecf560203162906552e4ebd4279c0a010bf9c0238f4d21716d610b4d81b24048fc08e5e5e2ce3db

Download Submit
memory/228-195-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/228-280-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/364-302-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/880-272-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/880-187-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1012-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1012-167-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1132-143-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1132-230-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1332-211-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1332-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1336-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1336-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1456-90-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1456-169-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1624-55-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1624-141-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1736-249-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1736-321-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2120-315-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2184-159-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2184-72-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2540-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2540-88-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2732-151-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2732-238-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2800-236-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2816-178-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2816-99-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2832-274-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2860-322-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2896-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2896-221-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3168-240-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3168-314-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3252-113-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3296-287-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3384-174-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3504-294-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3504-213-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3632-40-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3632-123-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3640-161-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3640-248-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3768-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3768-203-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3796-295-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3852-208-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3860-20-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4132-48-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4132-132-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4156-281-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4192-111-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4192-32-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4196-308-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4392-256-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4392-328-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4456-301-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4456-222-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4532-69-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4932-98-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4932-25-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4972-265-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5000-183-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads