bb022c72e3b6dad42775254980ac8d54b593003f6cd15be5795f0479ebbf64d5

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb022c72e3b6dad42775254980ac8d54b593003f6cd15be5795f0479ebbf64d5.exe
Size

315KB
MD5

14cb48c58943fe9d70fcd6749a5984ec
SHA1

41fa686c5dbf7ac0856019a96bdf44aa262e3acb
SHA256

bb022c72e3b6dad42775254980ac8d54b593003f6cd15be5795f0479ebbf64d5
SHA512

0812475ca50e9b88a40caf025f0ec64b55668ea5e1686066c5f28d42ee9c5ee7b7e9b53fd5bf1572466012e5fac55552db035f23aeabc9089b745efc8f0bea2d
SSDEEP

3072:ckJxM50LftoQ8J0/JSEr5gtq749+f4auvZ7LC4ZR4mqmnKBstqBiPXPAPePdfVQ:ckJ+53LrEVgtqI+stesMmG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkoplk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bb022c72e3b6dad42775254980ac8d54b593003f6cd15be5795f0479ebbf64d5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fohfbpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigbmpco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akpoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqnjgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hemmac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehndnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekjcaef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgihop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hehdfdek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nclbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkjmlaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdieb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidinqpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgpfbjlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicgpelg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgcjfbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdmaoahm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmdfonj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gggmgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fooclapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnlom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgkan32.exe

Executes dropped EXE 64 IoCs

pid	Process
1612	Ipoheakj.exe
1132	Jiiicf32.exe
3864	Jilfifme.exe
3524	Jgpfbjlo.exe
3380	Kcidmkpq.exe
3664	Kpmdfonj.exe
3312	Kgiiiidd.exe
3900	Knenkbio.exe
4808	Lgbloglj.exe
1408	Lqmmmmph.exe
4452	Ljeafb32.exe
4572	Lgibpf32.exe
4056	Mcpcdg32.exe
4912	Mmkdcm32.exe
3280	Mjodla32.exe
1604	Mgeakekd.exe
2320	Nclbpf32.exe
3140	Ngjkfd32.exe
2376	Njjdho32.exe
1532	Ngndaccj.exe
3080	Oplfkeob.exe
1376	Ompfej32.exe
4736	Oclkgccf.exe
1588	Oaplqh32.exe
1484	Opeiadfg.exe
4924	Ppgegd32.exe
844	Pjmjdm32.exe
3908	Pnmopk32.exe
1812	Pfiddm32.exe
3740	Qhjmdp32.exe
848	Qpeahb32.exe
984	Adcjop32.exe
4468	Aagkhd32.exe
3268	Akpoaj32.exe
1112	Ahdpjn32.exe
1808	Amqhbe32.exe
1136	Aopemh32.exe
5092	Bhhiemoj.exe
2752	Baannc32.exe
2384	Bgnffj32.exe
3392	Bpfkpp32.exe
608	Bddcenpi.exe
5084	Bnlhncgi.exe
552	Bhblllfo.exe
2968	Chdialdl.exe
1776	Cnaaib32.exe
2356	Cdkifmjq.exe
5164	Cncnob32.exe
5204	Ckgohf32.exe
5244	Cpfcfmlp.exe
5280	Cnjdpaki.exe
5328	Dnmaea32.exe
5368	Dqnjgl32.exe
5412	Dkcndeen.exe
5452	Dhgonidg.exe
5496	Dndgfpbo.exe
5536	Dhikci32.exe
5580	Enhpao32.exe
5620	Ehndnh32.exe
5660	Ehpadhll.exe
5704	Egened32.exe
5744	Eiekog32.exe
5784	Fooclapd.exe
5828	Fqppci32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oaplqh32.exe	Oclkgccf.exe
File created	C:\Windows\SysWOW64\Dndhqgbm.dll	Kiphjo32.exe
File opened for modification	C:\Windows\SysWOW64\Mcdeeq32.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Inpoggcb.dll	Qpbnhl32.exe
File created	C:\Windows\SysWOW64\Jhhnfh32.dll	Enlcahgh.exe
File opened for modification	C:\Windows\SysWOW64\Ocgkan32.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Ocgkan32.exe
File created	C:\Windows\SysWOW64\Ngidlo32.dll	Lqmmmmph.exe
File created	C:\Windows\SysWOW64\Hkfoel32.dll	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Ccegpn32.dll	Egened32.exe
File opened for modification	C:\Windows\SysWOW64\Lcclncbh.exe	Lhnhajba.exe
File created	C:\Windows\SysWOW64\Deiljq32.dll	Bigbmpco.exe
File opened for modification	C:\Windows\SysWOW64\Jiiicf32.exe	Ipoheakj.exe
File created	C:\Windows\SysWOW64\Ngndaccj.exe	Njjdho32.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Baannc32.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Aoibcl32.dll	Dndgfpbo.exe
File opened for modification	C:\Windows\SysWOW64\Gbkkik32.exe	Gicgpelg.exe
File created	C:\Windows\SysWOW64\Mmacdg32.dll	Kcidmkpq.exe
File created	C:\Windows\SysWOW64\Mmkdcm32.exe	Mcpcdg32.exe
File created	C:\Windows\SysWOW64\Ndikch32.dll	Bpfkpp32.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Bnlhncgi.exe
File opened for modification	C:\Windows\SysWOW64\Ajmladbl.exe	Apggckbf.exe
File opened for modification	C:\Windows\SysWOW64\Caqpkjcl.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Elkodmbe.dll	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Ncmhko32.exe	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Njjmni32.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Hejeak32.dll	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Qfjjpf32.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Ajmladbl.exe	Apggckbf.exe
File opened for modification	C:\Windows\SysWOW64\Kgiiiidd.exe	Kpmdfonj.exe
File created	C:\Windows\SysWOW64\Cdkifmjq.exe	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Hhdjkflc.dll	Aimogakj.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbop32.exe	Enhifi32.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Qpeahb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfbbb32.exe	Ckpamabg.exe
File created	C:\Windows\SysWOW64\Cpacqg32.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Ehblpall.dll	Ehndnh32.exe
File opened for modification	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kheekkjl.exe
File opened for modification	C:\Windows\SysWOW64\Mfkkqmiq.exe	Llcghg32.exe
File created	C:\Windows\SysWOW64\Ncpeaoih.exe	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Ebjjgd32.dll	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Khgbqkhj.exe	Kcjjhdjb.exe
File created	C:\Windows\SysWOW64\Kofljo32.dll	Noppeaed.exe
File created	C:\Windows\SysWOW64\Aammfkln.dll	Dinael32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjfgf32.exe	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Clahmb32.dll	Ljeafb32.exe
File created	C:\Windows\SysWOW64\Okjpkd32.dll	Fqgedh32.exe
File created	C:\Windows\SysWOW64\Khgbqkhj.exe	Kcjjhdjb.exe
File opened for modification	C:\Windows\SysWOW64\Llcghg32.exe	Lplfcf32.exe
File created	C:\Windows\SysWOW64\Njgqhicg.exe	Ncmhko32.exe
File created	C:\Windows\SysWOW64\Fqikob32.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Ocgeag32.dll	Ompfej32.exe
File opened for modification	C:\Windows\SysWOW64\Fqgedh32.exe	Fkjmlaac.exe
File created	C:\Windows\SysWOW64\Hjcakafa.dll	Lpjjmg32.exe
File created	C:\Windows\SysWOW64\Klhhpb32.dll	Omalpc32.exe
File created	C:\Windows\SysWOW64\Aanpie32.dll	Amfobp32.exe
File created	C:\Windows\SysWOW64\Ckpamabg.exe	Bkmeha32.exe
File opened for modification	C:\Windows\SysWOW64\Cncnob32.exe	Cdkifmjq.exe
File opened for modification	C:\Windows\SysWOW64\Fkfcqb32.exe	Fqppci32.exe
File opened for modification	C:\Windows\SysWOW64\Fgmdec32.exe	Fbplml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7644	7484	WerFault.exe	305

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiiicf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkoplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanmld32.dll"	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knenkbio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndikch32.dll"	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfjjpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajmladbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfnjgdn.dll"	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajmladbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppadalgj.dll"	Kheekkjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkoplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngidlo32.dll"	Lqmmmmph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oclkgccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhekleo.dll"	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbegn32.dll"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amfobp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgfl32.dll"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgcjfbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glfmgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemghi32.dll"	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohnnkjk.dll"	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oclkgccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll"	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hehdfdek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnknop32.dll"	Jppnpjel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdcemd.dll"	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhhpb32.dll"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfikmmob.dll"	Egbken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkodmbe.dll"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojfj32.dll"	Hlppno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmdfonj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fohfbpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jekjcaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjfgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 1612	376	bb022c72e3b6dad42775254980ac8d54b593003f6cd15be5795f0479ebbf64d5.exe	96
PID 376 wrote to memory of 1612	376	bb022c72e3b6dad42775254980ac8d54b593003f6cd15be5795f0479ebbf64d5.exe	96
PID 376 wrote to memory of 1612	376	bb022c72e3b6dad42775254980ac8d54b593003f6cd15be5795f0479ebbf64d5.exe	96
PID 1612 wrote to memory of 1132	1612	Ipoheakj.exe	98
PID 1612 wrote to memory of 1132	1612	Ipoheakj.exe	98
PID 1612 wrote to memory of 1132	1612	Ipoheakj.exe	98
PID 1132 wrote to memory of 3864	1132	Jiiicf32.exe	99
PID 1132 wrote to memory of 3864	1132	Jiiicf32.exe	99
PID 1132 wrote to memory of 3864	1132	Jiiicf32.exe	99
PID 3864 wrote to memory of 3524	3864	Jilfifme.exe	100
PID 3864 wrote to memory of 3524	3864	Jilfifme.exe	100
PID 3864 wrote to memory of 3524	3864	Jilfifme.exe	100
PID 3524 wrote to memory of 3380	3524	Jgpfbjlo.exe	101
PID 3524 wrote to memory of 3380	3524	Jgpfbjlo.exe	101
PID 3524 wrote to memory of 3380	3524	Jgpfbjlo.exe	101
PID 3380 wrote to memory of 3664	3380	Kcidmkpq.exe	102
PID 3380 wrote to memory of 3664	3380	Kcidmkpq.exe	102
PID 3380 wrote to memory of 3664	3380	Kcidmkpq.exe	102
PID 3664 wrote to memory of 3312	3664	Kpmdfonj.exe	103
PID 3664 wrote to memory of 3312	3664	Kpmdfonj.exe	103
PID 3664 wrote to memory of 3312	3664	Kpmdfonj.exe	103
PID 3312 wrote to memory of 3900	3312	Kgiiiidd.exe	104
PID 3312 wrote to memory of 3900	3312	Kgiiiidd.exe	104
PID 3312 wrote to memory of 3900	3312	Kgiiiidd.exe	104
PID 3900 wrote to memory of 4808	3900	Knenkbio.exe	105
PID 3900 wrote to memory of 4808	3900	Knenkbio.exe	105
PID 3900 wrote to memory of 4808	3900	Knenkbio.exe	105
PID 4808 wrote to memory of 1408	4808	Lgbloglj.exe	106
PID 4808 wrote to memory of 1408	4808	Lgbloglj.exe	106
PID 4808 wrote to memory of 1408	4808	Lgbloglj.exe	106
PID 1408 wrote to memory of 4452	1408	Lqmmmmph.exe	107
PID 1408 wrote to memory of 4452	1408	Lqmmmmph.exe	107
PID 1408 wrote to memory of 4452	1408	Lqmmmmph.exe	107
PID 4452 wrote to memory of 4572	4452	Ljeafb32.exe	108
PID 4452 wrote to memory of 4572	4452	Ljeafb32.exe	108
PID 4452 wrote to memory of 4572	4452	Ljeafb32.exe	108
PID 4572 wrote to memory of 4056	4572	Lgibpf32.exe	109
PID 4572 wrote to memory of 4056	4572	Lgibpf32.exe	109
PID 4572 wrote to memory of 4056	4572	Lgibpf32.exe	109
PID 4056 wrote to memory of 4912	4056	Mcpcdg32.exe	110
PID 4056 wrote to memory of 4912	4056	Mcpcdg32.exe	110
PID 4056 wrote to memory of 4912	4056	Mcpcdg32.exe	110
PID 4912 wrote to memory of 3280	4912	Mmkdcm32.exe	111
PID 4912 wrote to memory of 3280	4912	Mmkdcm32.exe	111
PID 4912 wrote to memory of 3280	4912	Mmkdcm32.exe	111
PID 3280 wrote to memory of 1604	3280	Mjodla32.exe	112
PID 3280 wrote to memory of 1604	3280	Mjodla32.exe	112
PID 3280 wrote to memory of 1604	3280	Mjodla32.exe	112
PID 1604 wrote to memory of 2320	1604	Mgeakekd.exe	113
PID 1604 wrote to memory of 2320	1604	Mgeakekd.exe	113
PID 1604 wrote to memory of 2320	1604	Mgeakekd.exe	113
PID 2320 wrote to memory of 3140	2320	Nclbpf32.exe	114
PID 2320 wrote to memory of 3140	2320	Nclbpf32.exe	114
PID 2320 wrote to memory of 3140	2320	Nclbpf32.exe	114
PID 3140 wrote to memory of 2376	3140	Ngjkfd32.exe	115
PID 3140 wrote to memory of 2376	3140	Ngjkfd32.exe	115
PID 3140 wrote to memory of 2376	3140	Ngjkfd32.exe	115
PID 2376 wrote to memory of 1532	2376	Njjdho32.exe	116
PID 2376 wrote to memory of 1532	2376	Njjdho32.exe	116
PID 2376 wrote to memory of 1532	2376	Njjdho32.exe	116
PID 1532 wrote to memory of 3080	1532	Ngndaccj.exe	118
PID 1532 wrote to memory of 3080	1532	Ngndaccj.exe	118
PID 1532 wrote to memory of 3080	1532	Ngndaccj.exe	118
PID 3080 wrote to memory of 1376	3080	Oplfkeob.exe	119

C:\Users\Admin\AppData\Local\Temp\bb022c72e3b6dad42775254980ac8d54b593003f6cd15be5795f0479ebbf64d5.exe
"C:\Users\Admin\AppData\Local\Temp\bb022c72e3b6dad42775254980ac8d54b593003f6cd15be5795f0479ebbf64d5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\SysWOW64\Ipoheakj.exe
  C:\Windows\system32\Ipoheakj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\Jiiicf32.exe
    C:\Windows\system32\Jiiicf32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\Jilfifme.exe
      C:\Windows\system32\Jilfifme.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3524
      - C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        26⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        28⤵
        Executes dropped EXE
        
        PID:844
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        29⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        30⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:984
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:608
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        45⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        46⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5164
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5368
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        55⤵
        Executes dropped EXE
        
        PID:5412
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        56⤵
        Executes dropped EXE
        
        PID:5452
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        59⤵
        Executes dropped EXE
        
        PID:5580
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        61⤵
        Executes dropped EXE
        
        PID:5660
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        63⤵
        Executes dropped EXE
        
        PID:5744
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5784
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        66⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        67⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        68⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        69⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        71⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        74⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        76⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        77⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        78⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        79⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        80⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        81⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        83⤵
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        85⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        86⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        89⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Ihpcinld.exe
        
        C:\Windows\system32\Ihpcinld.exe
        90⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        91⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        93⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        94⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        97⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        98⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        99⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        100⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        101⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        104⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        105⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        106⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        107⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        109⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        110⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        111⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        112⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        113⤵
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        116⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        117⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        118⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        119⤵
        Drops file in System32 directory
        
        PID:6820
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6868
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        121⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        123⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        124⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7112
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        128⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        129⤵
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        130⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        131⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        132⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6780
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6888
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6988
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        138⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        139⤵
        Drops file in System32 directory
        
        PID:7148
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6268
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        141⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        142⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        144⤵
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        147⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        148⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        149⤵
        Drops file in System32 directory
        
        PID:6516
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        150⤵
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6880
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        152⤵
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        154⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        155⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7152
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        157⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        159⤵
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        160⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6388
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7212
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        163⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7296
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        165⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        166⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        167⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7472
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7516
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7556
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        171⤵
        Modifies registry class
        
        PID:7596
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7636
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        173⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        174⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        175⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7812
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7856
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7904
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        179⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8004
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        181⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        182⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8160
        
        C:\Windows\SysWOW64\Enlcahgh.exe
        
        C:\Windows\system32\Enlcahgh.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7104
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        185⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        186⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        187⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        188⤵
        Modifies registry class
        
        PID:7412
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7480
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7536
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7592
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        192⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        193⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        194⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        195⤵
        Drops file in System32 directory
        
        PID:7884
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        196⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8056
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        198⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        199⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        200⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7396
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        202⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 400
        203⤵
        Program crash
        
        PID:7644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7484 -ip 7484
1⤵
PID:7576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:6188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adcjop32.exe

Filesize
315KB

MD5
c8d1ac7eb0d03328e9c65edf360ddc9c

SHA1
a161a736864f6e98d5fb3bb7d74c8703b40fe977

SHA256
88364d4ef7df1c5268abfbd8fdfb47432a0a00cd65dfe34da153666bd6e2ed71

SHA512
19461c1036e635d9f37ee372719c65ec34d54d879e21b719504ba1631ee03862911b9b0919c4eff57464ca0618c84765ce216e994ae752aa227e7fbcec61e6d7

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
256KB

MD5
7e5a93e5072e80b2d63e7e85a48ab900

SHA1
1830ded9a6b4ce41665cf34a2af7965dcad4661c

SHA256
22a1b10104449b715bea5b6e3442d1b126f7475cc116d3bc3d51758bab53bba5

SHA512
fb99fbdcb59a459c631ca146aa4386035f828fbe1fbc7efbd2599735f30c5d81e93884c4800b2e9476230bb0d0698fa73dc905562f6803044f22dffc290f07ff

Download Submit
C:\Windows\SysWOW64\Egegjn32.exe

Filesize
315KB

MD5
2883266b7455b4effd8e6b7c4b13f415

SHA1
59acd3207363573c8deb5f82457da1d59ee6f3e3

SHA256
d2725e143e0af3069d543ef1b7dd9c6e2a3081da9cb949732a2c01c43b73c026

SHA512
4f0e3c103260870cc03b7395965a2e3b484a38505d1c970b0df50b5f9c876cc2fe61f9c814faed34eba00da6cfcc9fed225ad43eee3d02f554c6de04cb875264

Download Submit
C:\Windows\SysWOW64\Fqgedh32.exe

Filesize
315KB

MD5
83c1e72c2e96a86d72090de3c78e8f9a

SHA1
4e655fcfb483b527cefe244b8f187db4250563de

SHA256
c63bd13eab6e4962a047eb06b47eda7c102a8c0e355b8042514274a7502745db

SHA512
a1a41340ceecf8991e1e8034d2a29181f4e55adf24ae082faa32b68642cb43e4223763904da4d73f7b5258635e544f9004e85d84c9714eb372985ec9d608083d

Download Submit
C:\Windows\SysWOW64\Gbkkik32.exe

Filesize
315KB

MD5
9278ea482b985306cad6f3ddfb2550b0

SHA1
db7ffd1cc4b1c0354c4e5ea4726a0f9de811c273

SHA256
8e05edec4d20cd7c3d37dde92c501b13d97ef3f293a1680ee65fde8feaeba338

SHA512
a4e03f0430aed6d30e2339ac6d727cb6a13031a38a0030e96f458ea80f724bb0c2e937eaba55c7661ddbf8f36b2ba65b79d7ec970dda8ddeaea74bcfcd66df23

Download Submit
C:\Windows\SysWOW64\Hlkfbocp.exe

Filesize
315KB

MD5
f8bea5790a9bcb9836db86716388d6a4

SHA1
d1dc875d24ba19ac8712fb273f72ba086b019379

SHA256
a10a8873153e0c673e7510f1c9182575491634cce3c1304cc841d22d2cc6ec94

SHA512
1ca90a3857253501fdfeba6eff6137fa225b2fd435499fb00d63552589cbff77edcb32f82c9b78c2fbd96826262662fd6c9560329404ff376e80fae90fe2eb6f

Download Submit
C:\Windows\SysWOW64\Ipoheakj.exe

Filesize
315KB

MD5
fcf0c5cd0122d91501321f2600a066d2

SHA1
6ae4463a2746eebe1761c7067508d7d26e8c4670

SHA256
01a1682d218e50afc51ee1f369f4726349d7b926ccb6ee6104ff29e936c29584

SHA512
75a6637ced53ec17f449dffccf3a85f822886849aed8fb5264ba6f5c739d4b72615869a37c5fd540bd394cf7cade968f1d6c97a67905c22421dfcf6104bd2fc3

Download Submit
C:\Windows\SysWOW64\Jgpfbjlo.exe

Filesize
315KB

MD5
a56c8a93259b954e04415a7776e67f19

SHA1
139d65c1b4f0e3b2df745e131797e956faaba64e

SHA256
17142f400e8a27e6baffa0608994a786aba05599e789c2886e2dc1b81ed14b08

SHA512
7cc78cdd630163b3948f16f31c4ff1ee7af8e8479ac4543ab72385fdf6ea569ed1516f11387cb8d244d33180ad800fbd0d994de961be1722bd3357a7c1f1cdb4

Download Submit
C:\Windows\SysWOW64\Jiiicf32.exe

Filesize
315KB

MD5
e5a16253625e4def56e9b8e6130700d4

SHA1
99b97e73724988674e6612692f6d11715d4b2cf0

SHA256
e679f0b34bb4d623225985295c5e9e97ac94a85bda6eb1e024f693bb395f9aa5

SHA512
cea6d92be3aab64d0ffdb8aa33c8e63657f8d22d0b9aae77910c42aec9889bfcf8285534d41c9537e80776432ae82f1f7f74b8c3e499f30186bb2a57022f0df9

Download Submit
C:\Windows\SysWOW64\Jilfifme.exe

Filesize
315KB

MD5
de2197bf9c308d05b65e321b401c9fdc

SHA1
6c5a9d82645158922daa1ea1b518b2ac1d6de010

SHA256
e4dc870eba8f39675c06de850537bf13501f891f0ea098e5319f48a9dbba91e9

SHA512
aa5a0683fc20de9cd9c3a359302f92555ee825d5a6b836bc55f42229558faf6896a00e8ae9f19969a1e65e25ead9637343b167627c01dd1e4be1983c0c2d4a46

Download Submit
C:\Windows\SysWOW64\Kcidmkpq.exe

Filesize
315KB

MD5
468220e991775e226b7e78fa1844b76d

SHA1
0678684d483b71b94326022e3131d87173e51108

SHA256
24b7847105b51ce0e032aab6c49c0726233eceaa2cf47449bbe70b9e7c61d57e

SHA512
96ae13679a0f0717cbb59ecb6307ff65f48eeca720bdb49266cd4285569ff1b1b3ecced525e6153386037e22fd369a8c0b777999373bb277a122b6921172bda2

Download Submit
C:\Windows\SysWOW64\Kgiiiidd.exe

Filesize
315KB

MD5
d1ee8b55512a3bd1862dbe48acbb1dd7

SHA1
850d8982acbac1f2d916ed774c5c78337f8a9948

SHA256
85a90a60676975896ee842592d909526cfb2934b111a798078e5d58610c30f24

SHA512
92e07c0afc3774ab87e61b9c24301e1aff0a16e299b8538b80b595b7a3f8d1a7a2f96874c8bf30423c9a5da0fa45969682969c37c27120d7af2fea8c6d718d61

Download Submit
C:\Windows\SysWOW64\Knenkbio.exe

Filesize
315KB

MD5
1e3fe9b1c2f965b1a6de3512b725fa21

SHA1
fbd7f760a9a51be4491df850d0837d4263bf2634

SHA256
d685eb29a244959b981d06092b0330d0c07a0ff7e07bb53443b1f557326fbaa8

SHA512
4f6bb94220129ec33e897b67c5fb53e1bdcc03cf807a2c21ac2feb3e4a72c7ed02d53aad342df2011d335e38680874662865a52252ae6681a3ef5544840e21b5

Download Submit
C:\Windows\SysWOW64\Kpmdfonj.exe

Filesize
315KB

MD5
ce6ccac448a562779f96dc5eb751f0a4

SHA1
4164ab4c62da6ec8f8d35208f97bc3711e9fb7f6

SHA256
b6b62f7d28df9b0afe04543e2010108af9b4165813babab56b3c71c6f7cc4416

SHA512
e1500f230fe7c36ea5cdc776501c4f10305ec132a730f047c1371a41fcf8a39df514f36ab626fe8decbbe4f47e0eec0e3190172cf5350c253cb6d1c68df3c76e

Download Submit
C:\Windows\SysWOW64\Lgbloglj.exe

Filesize
315KB

MD5
61b392dc59115d67f46bc24e4d70354f

SHA1
23ca556f8c1da699d59b45f046edd714d8abbdef

SHA256
9d584042051ec93f425a7a3a216690d894c9e8f5adfbd64cf9441fa0c57d9cc4

SHA512
c512f68516aef4e2598fc991902fc66823746f1295d2276e57e3f61d8594ff0e1f9e39fbd20d6409b64c9c31e8f03806c5b10e1e7a064b91dc5404fb6926b33a

Download Submit
C:\Windows\SysWOW64\Lgibpf32.exe

Filesize
315KB

MD5
bdcd9e7a7f25cec1646b6c1fb55ad9fc

SHA1
c8d021346f99ea75df3fd7a4e170e99ebdb50451

SHA256
f67a61f6f43ec86bdd2a560a87d523021dbecb076d742877f2dda83449ec3920

SHA512
44d7d44bbcf090bf38eedf85013e59954a0d1b17ffd7042cf33c19988c8c0090085c2ef344ea87cc85e0b16d62cd1cc4ceeca76d675fdf4c8e4830c72a373aae

Download Submit
C:\Windows\SysWOW64\Ljeafb32.exe

Filesize
315KB

MD5
eea509131955d86a4a6c342d11198da8

SHA1
331a98f8da719234700a4b40ebdd9027c9687f6f

SHA256
c8370dcc3c2fd813307f65b6fc29f55d5e03faa2e99239848ce211a18d950b66

SHA512
17fab481df9bdcd435c91410bac43ed70bc3be6802878e7339fcdbf3a3d85d0f0adc48c04049846d4c14a29e7efe49eec975d8318100af724aa6ee3608a78089

Download Submit
C:\Windows\SysWOW64\Lqmmmmph.exe

Filesize
315KB

MD5
5a628d92929cf63a3d8eca8edc179d3b

SHA1
44c1961d89862986887acdbe6ef43676744cf014

SHA256
8ff3ac275ef6633675c9fd58db2eb6d988c69e3545a46332b12cbf4f342f838c

SHA512
b758a92b5bbd1cdff2d316a4836115d5fc43119bea6b4a64ad06d915b6ca3ef204b144510aae18fbc5e999c581dca0b5032cffed55fd4ca57a9df7612a03a644

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe

Filesize
315KB

MD5
bbb407c09c284b5f59949a2176ad3cbd

SHA1
e3211bcc6283a9f4ec5ab27336faeeb5e0c80d2a

SHA256
064faecde88ae8000eab1a9e268c36e40183caec35deb5bec40ceda28d05c362

SHA512
93aac77553f7ae379897508e386d456cf1bd888d0d0282a197e8b602fe31b6f4e09ff6a3c63b6a913b68f7bc82fde62f2350f474607c8adb879763b4e50752ea

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
315KB

MD5
2d980207f85913807b69eead6abf373b

SHA1
abb4a52dc6bb4302fcc89b5a221bfa82c2a9671a

SHA256
6b75c86cd01dab272c5f47b49b05e5dbc4f4263b4c9731abfc95693206216870

SHA512
f13188e4a278ae9728b0cba81b7d776535c83f36472b08bd4c96909b3afe9fcc8d36a6e96d521d3ad74578440e87a56d76e3174f1e65b865a788e109b3034078

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
82KB

MD5
a5624ab8ac5994a60812c424de3f32fd

SHA1
8e9adcf9c2d1a6d194b53d2d27f6de107e59dff8

SHA256
cd444ee93a361602c9c51a61162c88ba5606bece558cb6d93cc033fde71944ce

SHA512
9321d80b38dc22eeb67cce7c79fefb71f3021326bb0f3b47f3353976db1ad33a7066a7bef6102e858b082b3290d4a195960dc5d31f18e32fc7b219f52a0300a8

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
315KB

MD5
685a679727a27c6d9322ad5887ff1a7f

SHA1
700e25fa11566cb79076e9d52bbc591b5a958450

SHA256
7e4741e1c47b3b2774e3d0c51cc60ff82e5bb814fcd832e7568148a929d2ba99

SHA512
4a5ea9dd607ed32b420871eee8e4e176b9c3dce2a325301c83d038f7162c683709bd03f914600c8a4144606b4d8fe5432b8dfa8e7571c28df51c7038652d5764

Download Submit
C:\Windows\SysWOW64\Mmkdcm32.exe

Filesize
315KB

MD5
7799310e7d0f673690b07ba2e16add81

SHA1
600ecd0a1e568a8bcd0fba136424025152b807e7

SHA256
7d87ea0d97af5a6e0f4bc09f5e8684c76a16e6bde6a559dc684084f533af522e

SHA512
24ed977c6a36de766df692aaf5d1fc69a4354b69c54c61ce21179c93d8ef33a80b3300f45e895c8a6bc6fd199407b8e90c80a66512874c6f46b8d3eb8b697e0d

Download Submit
C:\Windows\SysWOW64\Nclbpf32.exe

Filesize
315KB

MD5
8dd9d7448c16aebd916eb1fee0c4c037

SHA1
07ced0d91e29edecf4e0e42278f867b295e24822

SHA256
3e819b284a8c5d1c0afd79ee3abd8e2416a61cf987191ff7009c2247af9ca185

SHA512
6cf617472e938a033cbf9687e9e25452521648ec227b4d382ff21b1ede2273be02d241ce306544f701d239f65c7b8fbdb8b7cbb64aa74c173092e9f01c2f9f5c

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
315KB

MD5
3783e9fb8448a1310047ebca5418be6e

SHA1
50a2eb2587d3767ebb2bd2dc83cf0ec969ef9a3c

SHA256
f3873095f62d1cbcf8f3587415eb8fef4f32aca33b8f8b22726fb1592aeb9c47

SHA512
3e92ad77feef0930b4605f9c7036925705958048f00590cc15267e64e0c0cd5cd2ad3acb0a9c8594fdc93ad6d8eb6079827d93ecbfcc5f5f7f15630a3521f2bc

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
315KB

MD5
95f66e8b1d38eb5022878819c1f2898d

SHA1
7c1d86beab4af1666450854dcbef4e161541bb31

SHA256
619ba2befba92f93efe44566c01ce4ddc2c49b7e2b52db5ea486a3a1cb814e8b

SHA512
ad6fb57e4a923812e1864f03bf0760fd677b5ff74205f903a91145f07ad546135a726aaa4c8e5bf63da5d2b6258f6543616e8ecbde3120019760976e2673510e

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe

Filesize
315KB

MD5
ab72dfb730211409c23728c41230d2f3

SHA1
ffee812b276b4f93625db0759fc213036d6bd741

SHA256
1c5fa0853d2f8f1d6451d2be99f7ac05d7cabe3b6fed9e36611d3aa6b19642e4

SHA512
fdb7d1b5adf2ac749ce5de59e636f870f809f858a62a0154b0d486e9dd741e4765e8ee90cef000ae8e7c2ad4c0412ed6bbd2fe5ae6c13b440956b51970fb6624

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
315KB

MD5
63bacfa6ec1fddb126f2394caa5554bf

SHA1
705ee9b9097b33f64165d3f361626ca0f9f6e793

SHA256
fc821cd54d8249594290f3aabb4d5d4b0e72e74864066cd0e58fff8afbd91e1f

SHA512
b553f876ea99fac1f462d3b9388ee805caddbca95c2d56911e5022b2dcf151dac2a40d6242d4bf6d0769fabb2b4e7485f42575947ec95afa11aff25066aa4914

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
315KB

MD5
48dc3f9cfee427fdd7b5356b0bc0dd1a

SHA1
ef68f7749760756ed0a4d6abe83093b6fb4f38b1

SHA256
57813eabb94e6eef52673ae76646f6b7baa96b0e15d7517f03aebd9254f84dbc

SHA512
4152abee65071005736f6f93bf8bdb17ff2f262100e30c4dc8ba177b7c91f7b85d489a621873f23a0cf7f976b04a7e58ba27dfe0dae1d6937960883ec25ea895

Download Submit
C:\Windows\SysWOW64\Omalpc32.exe

Filesize
315KB

MD5
762d06fd641eb1ea5905f0b1b0bea4cd

SHA1
86450cb3dfe0bc5f8764fd9ad91fa7ee0814c137

SHA256
a768c3abbdaad4c2d290f0b9e87dc73eae7ac3f869aa84a460d0d797eb384a67

SHA512
27609fe8e8d48acaf02e9dec01babbad9ff09209b15c7124502592f5f0276995dfa80a5b057d031d8fa266a14f30a1bae2cc752b84dff37faea3373e0f7f0604

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
315KB

MD5
29d82bb2b9142beb01c479f9b5bb3873

SHA1
ca4e64c37c4600f9a9c4d98c09412ac75845f453

SHA256
fbe2f444294b46ea8b6aa7f369c8826f54eac01da72e3a27e189d8a496fa2bb6

SHA512
01bb1109d1225f577fdadc57fe89a96a1cc28ede411bc70811f7c4e9b039edbe980c539fb696b5a3dd0ed7876f9bab2b33ed8fdb65dd5d4f06fba2fa0bdbe671

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
315KB

MD5
4b39e09f9002eb979261ed90cb671c54

SHA1
690650e305cc8561631bb8a1ac1a70985e2412c5

SHA256
844c9d0e8cb2051bc925bdb8945555b85ce4e3e867eb8a304cf8754f53cd2122

SHA512
2e9500e8c826525ac76bbb07efe503d185a9a954c1ab81fe8ccac89a6ba034013eed552de253c6987d6cebaa5370147d0cab040a9de1679b32bc271cb680bbd1

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
315KB

MD5
627744a5f959bc740bc365b71727e263

SHA1
7400a07a209d8486d6b1aa9a9b60aae854dc0aab

SHA256
0107b7a03ad7a815936f20b5d6a7275931dc596e103d48cfae52f8d029086058

SHA512
fcc41d48a2041268923f08ae7e4aef70639f4b28dd1571ee846833043c4d958ab2400cbfe67b96189c031ee23a7d501c013ef34cf05abdd8012538231a888a9b

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
81KB

MD5
128fbe5fcd0a9f25719e1729821242e9

SHA1
d4c382e1739cbfb204e768aef90dce27cc6603d2

SHA256
846db43d71d98d4c65f367ffd3b146b0e8d94bafd00aaded5a9669cbf0d6e22c

SHA512
2dc3b6e15e08a20bd25bd5be419d5b2b9b0ddfde2c8fc0c12e31585f588becba98ec273337a3ae61517ff0c3d3e2c0edf111d910f2e33ebad7e0d320e6f4db12

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
315KB

MD5
7a2da5d6b6a133cdb1e26262da5bd915

SHA1
1309b8bac1ece47a4969cfa640d2ec30265934bf

SHA256
c225dc6d08ef18a87358c061112383ac78344f63ab0b0573bdaa5269ce598b30

SHA512
07cad91b33c1786d0ab600e2c0c7473bc6cb3ca773f82f70ac9cd96d69c68b82c841ee3d60639498f595a5efd161b2061814cae203e0817647272d7509499011

Download Submit
C:\Windows\SysWOW64\Pjmjdm32.exe

Filesize
315KB

MD5
639082f4728b2146f029d7ebd541d3d2

SHA1
fb9d148961bd4fe9af6a9bff839e270c45791975

SHA256
3505a9808c76b2d7a8eb4ac4398f1af68a3029587f7682a29c243784327ce79f

SHA512
3e663caeecf30f720f0858b186b38793b3bcc550422b3083c5f9f08143119494bd1e14a8af2d38593e298d51d5bcac6a9cda25652d5667994e3f441a9c016497

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
315KB

MD5
90614b3b179057b472d511f84f94c770

SHA1
f09441606a352ed29f87e85d8495fe53af350ad5

SHA256
2149218939ab7946a66459582fa991c0195d1e8f8bda63db956bdc8b157fa130

SHA512
4b6f6d80ba715a2e0f001d0004681dda1783bbb86adba43370b7b419d6e1fc1a1062890a0c589d4696cedd63d973a858e054346f4e925795774caf0cf1ef90f7

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
64KB

MD5
cad85e6c2dca56f9f888de4210d28ab7

SHA1
6ebecb41fa99d4b2d9c37908148763ad0eea834a

SHA256
c176a120953ab6a7aed485686718def9a5b8ec52deefc46bfae3681d8526df0b

SHA512
dc49d4412cbf52a465ae33743fe4712e60da3d23ca834813391e8dca40e9066dcbf0609885a4b694837b7c4102bd54e6d005bd037115da18001795fadc104c05

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
315KB

MD5
e3fd8cc513584a4acfa75efd90dcb4e7

SHA1
5b48d7276abc6e9b4dc738faee51434cbd37da53

SHA256
f4e53e7b065f66dca10a09e811b691a5f1a42bab30d9055e1de8ee284dfbaa1c

SHA512
7603a58d9e6e207a54567e87124b76f20ff13e25a9f3c708274a6db3a222f64071fdcf25c46137911174aca6ce02726fc05a6bc108941faba58f5579ddba8f96

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
315KB

MD5
3b6f4b53f895db9cc8e14fd654ebc46f

SHA1
586e71d00913fb93926625953d8beeeb532f1a2c

SHA256
fd6a773bcddcec22b0f6c8f6c35fc67fab0057ed41bd982a9521e3c7219dd58b

SHA512
f72033fdd12303bead5d2ae24ed3dffbf310e0f144fba1c7408f79212e9e21f107ad00948a5cab20a08f4342f543102779d236a4c718af1f01d332cf2cec7c32

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
315KB

MD5
7d189a98aab04ccfdfceb1fc23aa01f1

SHA1
14780702472c89d061588d48aaabf12d237c1339

SHA256
f4410395b80c1ba0c775805ae6486d1d1ed6c175e8b406027f6f407a97eacb5a

SHA512
6bb152e3350dd066253ca144014606a8a2b621d963f92b478635ffab802819de30392354f723379cbdbedf16476fcd739be7f53a610722cd066e842864d5400b

Download Submit
memory/376-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/608-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5164-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5204-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5244-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5328-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5368-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5412-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5496-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5536-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5580-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5620-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5660-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5704-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7104-1416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7180-1401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7220-1415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7336-1413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7412-1412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7480-1411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7536-1410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7592-1409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7708-1408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7732-1407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7808-1406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8004-1420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8016-1404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8056-1403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8104-1418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8148-1402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8160-1417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads