fc643d75fd98d2e7ea97841e877ecd104ac9a359ed9e4190acaad5c3a9cdb39d

Analysis

max time kernel
71s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc643d75fd98d2e7ea97841e877ecd104ac9a359ed9e4190acaad5c3a9cdb39d.exe
Size

136KB
MD5

ef1a0a6a527ae08d74071d869e06c781
SHA1

5ea3761c8c66d7a125aacff0d43b15b87943a5fe
SHA256

fc643d75fd98d2e7ea97841e877ecd104ac9a359ed9e4190acaad5c3a9cdb39d
SHA512

fc1de5fed484276d41da2134c62300441ec8212ff20e666b16419911a7b1c4a9dd7d2740910bdc4a8f0e175404bf532961f65a059fa8a2bef2c144aa165972eb
SSDEEP

3072:JuDURnsVHrCN9m3sUFr3xzdH13+EE+RaZ6r+GDZnBc:JuDU2VHuN9m3bFr3xzd5IF6rfBBc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffoejkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijjnpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgbhdkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejjanpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhgdmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohgopgfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpjelibg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpqklh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhiphi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liifnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pndhhnda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hqjcgbbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgjjoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkonbamc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbbblhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akgjnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajnol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdgolq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apimodmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fc643d75fd98d2e7ea97841e877ecd104ac9a359ed9e4190acaad5c3a9cdb39d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijkled32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Malefbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhgccijm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flfbcndo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgpobmca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkhceh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfcae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbpnjdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqjcgbbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giboijgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgbhdkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgnlmdcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohgopgfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmlafk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkghqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalkek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdagbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbblhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iqaiga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbpnjdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhgccijm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgkimn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khonkogj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lacbpccn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdeffgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eedmlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nandhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libido32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjlqd32.exe

Executes dropped EXE 64 IoCs

pid	Process
3092	Gbpnjdkg.exe
1400	Hejjanpm.exe
2136	Iapjgo32.exe
2152	Ijkled32.exe
4580	Ibgmaqfl.exe
1516	Jjnaaa32.exe
1376	Klpjad32.exe
3984	Kopcbo32.exe
3040	Kbnlim32.exe
2204	Lbebilli.exe
3560	Lhdggb32.exe
2688	Lhgdmb32.exe
3424	Mlgjhp32.exe
5064	Mhpgca32.exe
2752	Ndidna32.exe
696	Ndpjnq32.exe
1652	Ochamg32.exe
2376	Pmhkflnj.exe
4156	Pkmhgh32.exe
3348	Pkabbgol.exe
3392	Aimhmkgn.exe
4632	Apimodmh.exe
4228	Abjfqpji.exe
1528	Bmkjig32.exe
620	Cdgolq32.exe
4472	Cehlcikj.exe
1052	Cbmlmmjd.exe
4212	Cmgjee32.exe
4924	Dedkogqm.exe
1136	Defheg32.exe
1172	Eennefib.exe
4504	Egpgehnb.exe
4468	Fnqebaog.exe
2260	Fcmnkh32.exe
3452	Flfbcndo.exe
2156	Gqagkjne.exe
4340	Hmhhpkcj.exe
2488	Hgnlmdcp.exe
1996	Hmkeekag.exe
4428	Idkpmgjo.exe
4460	Jaefne32.exe
3796	Khonkogj.exe
4672	Kmlgcf32.exe
2088	Kjpgmj32.exe
5172	Knmpbi32.exe
5224	Lacbpccn.exe
5264	Lkbmih32.exe
5320	Malefbkc.exe
5368	Meljappg.exe
5412	Mdagbl32.exe
5456	Nhdicjfp.exe
5500	Ndkjik32.exe
5544	Nkjlqd32.exe
5588	Oogdfc32.exe
5632	Oahnhncc.exe
5668	Oakjnnap.exe
5720	Ofhcdlgg.exe
5760	Ohgopgfj.exe
5800	Pndhhnda.exe
5848	Phlikg32.exe
5900	Pfpidk32.exe
5964	Pdeffgff.exe
6008	Pkonbamc.exe
6056	Pdgckg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Knmpbi32.exe	Kjpgmj32.exe
File created	C:\Windows\SysWOW64\Ndkjik32.exe	Nhdicjfp.exe
File created	C:\Windows\SysWOW64\Mpedgghj.exe	Mpqklh32.exe
File created	C:\Windows\SysWOW64\Oidodncg.dll	Phpklp32.exe
File opened for modification	C:\Windows\SysWOW64\Klpjad32.exe	Jjnaaa32.exe
File created	C:\Windows\SysWOW64\Jkiigchm.dll	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Defheg32.exe	Dedkogqm.exe
File created	C:\Windows\SysWOW64\Lnnkldlf.dll	Mffjnc32.exe
File opened for modification	C:\Windows\SysWOW64\Hgnlmdcp.exe	Hmhhpkcj.exe
File opened for modification	C:\Windows\SysWOW64\Meljappg.exe	Malefbkc.exe
File opened for modification	C:\Windows\SysWOW64\Jjjggede.exe	Jcpojk32.exe
File opened for modification	C:\Windows\SysWOW64\Dajnol32.exe	Dlmegd32.exe
File created	C:\Windows\SysWOW64\Inogbj32.dll	Lkbmih32.exe
File created	C:\Windows\SysWOW64\Hqjcgbbo.exe	Hgkimn32.exe
File created	C:\Windows\SysWOW64\Cehlcikj.exe	Cdgolq32.exe
File opened for modification	C:\Windows\SysWOW64\Phpklp32.exe	Pafcofcg.exe
File opened for modification	C:\Windows\SysWOW64\Defheg32.exe	Dedkogqm.exe
File created	C:\Windows\SysWOW64\Egpgehnb.exe	Eennefib.exe
File created	C:\Windows\SysWOW64\Oahnhncc.exe	Oogdfc32.exe
File created	C:\Windows\SysWOW64\Pgpobmca.exe	Pgnblm32.exe
File created	C:\Windows\SysWOW64\Bdannb32.dll	Hmhhpkcj.exe
File created	C:\Windows\SysWOW64\Fjemge32.dll	Ofhcdlgg.exe
File created	C:\Windows\SysWOW64\Ijedehgm.exe	Hqjcgbbo.exe
File opened for modification	C:\Windows\SysWOW64\Eflceb32.exe	Epbkhhel.exe
File opened for modification	C:\Windows\SysWOW64\Cehlcikj.exe	Cdgolq32.exe
File opened for modification	C:\Windows\SysWOW64\Pndhhnda.exe	Ohgopgfj.exe
File opened for modification	C:\Windows\SysWOW64\Jcpojk32.exe	Jjemle32.exe
File created	C:\Windows\SysWOW64\Oakjnnap.exe	Oahnhncc.exe
File opened for modification	C:\Windows\SysWOW64\Lpjelibg.exe	Lfaqcclf.exe
File opened for modification	C:\Windows\SysWOW64\Nhafcd32.exe	Nmlafk32.exe
File created	C:\Windows\SysWOW64\Ifcdpf32.dll	Pgnblm32.exe
File opened for modification	C:\Windows\SysWOW64\Pafcofcg.exe	Pgpobmca.exe
File opened for modification	C:\Windows\SysWOW64\Bgjjoi32.exe	Bjfjee32.exe
File created	C:\Windows\SysWOW64\Ljcihc32.dll	Flfbcndo.exe
File opened for modification	C:\Windows\SysWOW64\Mpedgghj.exe	Mpqklh32.exe
File created	C:\Windows\SysWOW64\Onqdhh32.exe	Opmcod32.exe
File created	C:\Windows\SysWOW64\Nmkgdlkh.dll	Onqdhh32.exe
File opened for modification	C:\Windows\SysWOW64\Dhcfleff.exe	Dajnol32.exe
File created	C:\Windows\SysWOW64\Agmhfepq.dll	Kjpgmj32.exe
File opened for modification	C:\Windows\SysWOW64\Epbkhhel.exe	Dpnbmi32.exe
File created	C:\Windows\SysWOW64\Fpkpgaob.dll	Jjemle32.exe
File opened for modification	C:\Windows\SysWOW64\Jjnaaa32.exe	Ibgmaqfl.exe
File created	C:\Windows\SysWOW64\Cdomkjem.dll	Eedmlo32.exe
File created	C:\Windows\SysWOW64\Kmbniiil.dll	Mpedgghj.exe
File created	C:\Windows\SysWOW64\Dhcfleff.exe	Dajnol32.exe
File created	C:\Windows\SysWOW64\Apckeggh.dll	Eennefib.exe
File created	C:\Windows\SysWOW64\Nhafcd32.exe	Nmlafk32.exe
File opened for modification	C:\Windows\SysWOW64\Ochamg32.exe	Ndpjnq32.exe
File created	C:\Windows\SysWOW64\Elomej32.dll	Kmlgcf32.exe
File created	C:\Windows\SysWOW64\Bilflj32.dll	Dhcfleff.exe
File created	C:\Windows\SysWOW64\Pgnblm32.exe	Phiekaql.exe
File created	C:\Windows\SysWOW64\Pafcofcg.exe	Pgpobmca.exe
File opened for modification	C:\Windows\SysWOW64\Lbebilli.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Lkbmih32.exe	Lacbpccn.exe
File created	C:\Windows\SysWOW64\Chkjpm32.exe	Bgokdomj.exe
File created	C:\Windows\SysWOW64\Fhiphi32.exe	Fhgccijm.exe
File opened for modification	C:\Windows\SysWOW64\Cnkilbni.exe	Bkhceh32.exe
File created	C:\Windows\SysWOW64\Pndhhnda.exe	Ohgopgfj.exe
File opened for modification	C:\Windows\SysWOW64\Mffjnc32.exe	Libido32.exe
File created	C:\Windows\SysWOW64\Ahafcp32.dll	Qdihfq32.exe
File created	C:\Windows\SysWOW64\Opedqiad.dll	Jaefne32.exe
File created	C:\Windows\SysWOW64\Effdbcbq.dll	Khonkogj.exe
File opened for modification	C:\Windows\SysWOW64\Nkjlqd32.exe	Ndkjik32.exe
File created	C:\Windows\SysWOW64\Eedmlo32.exe	Eflceb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6968	6600	WerFault.exe	243

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igehifaa.dll"	Nhafcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfeckiie.dll"	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbeqlcg.dll"	Dedkogqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkakfm32.dll"	Hgnlmdcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Knmpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjlqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohoibbd.dll"	Giboijgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldam32.dll"	Fcmnkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phiekaql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhgdmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhghiic.dll"	Mdagbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leahbp32.dll"	Ohgopgfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpnbmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfimpdb.dll"	Hqjcgbbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjemle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmbniiil.dll"	Mpedgghj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flfbcndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chkjpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pahpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmijkj32.dll"	Bkhceh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdgckg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmfaf32.dll"	Jcpojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkgdlkh.dll"	Onqdhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polnbakm.dll"	Ababkdij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oakjnnap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdeffgff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apckeggh.dll"	Eennefib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfgkjnai.dll"	Nieoal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hejjanpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhgdmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgnlmdcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjjggede.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chkjpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khonkogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epbkhhel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eflceb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflcpb32.dll"	Lfaqcclf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcpojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Likcdpop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pahpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbbdip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effdbcbq.dll"	Khonkogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndkjik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndfchkio.dll"	Cdgolq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdagbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgokdomj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijedehgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijlkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jgbhdkml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgfdkj32.dll"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjemge32.dll"	Ofhcdlgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjemgpnb.dll"	Pkonbamc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpnhp32.dll"	Libido32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onbiicqa.dll"	Opmcod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopfdc32.dll"	Pafcofcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lacbpccn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmiealgc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 3092	3800	fc643d75fd98d2e7ea97841e877ecd104ac9a359ed9e4190acaad5c3a9cdb39d.exe	97
PID 3800 wrote to memory of 3092	3800	fc643d75fd98d2e7ea97841e877ecd104ac9a359ed9e4190acaad5c3a9cdb39d.exe	97
PID 3800 wrote to memory of 3092	3800	fc643d75fd98d2e7ea97841e877ecd104ac9a359ed9e4190acaad5c3a9cdb39d.exe	97
PID 3092 wrote to memory of 1400	3092	Gbpnjdkg.exe	98
PID 3092 wrote to memory of 1400	3092	Gbpnjdkg.exe	98
PID 3092 wrote to memory of 1400	3092	Gbpnjdkg.exe	98
PID 1400 wrote to memory of 2136	1400	Hejjanpm.exe	99
PID 1400 wrote to memory of 2136	1400	Hejjanpm.exe	99
PID 1400 wrote to memory of 2136	1400	Hejjanpm.exe	99
PID 2136 wrote to memory of 2152	2136	Iapjgo32.exe	100
PID 2136 wrote to memory of 2152	2136	Iapjgo32.exe	100
PID 2136 wrote to memory of 2152	2136	Iapjgo32.exe	100
PID 2152 wrote to memory of 4580	2152	Ijkled32.exe	101
PID 2152 wrote to memory of 4580	2152	Ijkled32.exe	101
PID 2152 wrote to memory of 4580	2152	Ijkled32.exe	101
PID 4580 wrote to memory of 1516	4580	Ibgmaqfl.exe	102
PID 4580 wrote to memory of 1516	4580	Ibgmaqfl.exe	102
PID 4580 wrote to memory of 1516	4580	Ibgmaqfl.exe	102
PID 1516 wrote to memory of 1376	1516	Jjnaaa32.exe	103
PID 1516 wrote to memory of 1376	1516	Jjnaaa32.exe	103
PID 1516 wrote to memory of 1376	1516	Jjnaaa32.exe	103
PID 1376 wrote to memory of 3984	1376	Klpjad32.exe	104
PID 1376 wrote to memory of 3984	1376	Klpjad32.exe	104
PID 1376 wrote to memory of 3984	1376	Klpjad32.exe	104
PID 3984 wrote to memory of 3040	3984	Kopcbo32.exe	105
PID 3984 wrote to memory of 3040	3984	Kopcbo32.exe	105
PID 3984 wrote to memory of 3040	3984	Kopcbo32.exe	105
PID 3040 wrote to memory of 2204	3040	Kbnlim32.exe	106
PID 3040 wrote to memory of 2204	3040	Kbnlim32.exe	106
PID 3040 wrote to memory of 2204	3040	Kbnlim32.exe	106
PID 2204 wrote to memory of 3560	2204	Lbebilli.exe	107
PID 2204 wrote to memory of 3560	2204	Lbebilli.exe	107
PID 2204 wrote to memory of 3560	2204	Lbebilli.exe	107
PID 3560 wrote to memory of 2688	3560	Lhdggb32.exe	108
PID 3560 wrote to memory of 2688	3560	Lhdggb32.exe	108
PID 3560 wrote to memory of 2688	3560	Lhdggb32.exe	108
PID 2688 wrote to memory of 3424	2688	Lhgdmb32.exe	109
PID 2688 wrote to memory of 3424	2688	Lhgdmb32.exe	109
PID 2688 wrote to memory of 3424	2688	Lhgdmb32.exe	109
PID 3424 wrote to memory of 5064	3424	Mlgjhp32.exe	110
PID 3424 wrote to memory of 5064	3424	Mlgjhp32.exe	110
PID 3424 wrote to memory of 5064	3424	Mlgjhp32.exe	110
PID 5064 wrote to memory of 2752	5064	Mhpgca32.exe	111
PID 5064 wrote to memory of 2752	5064	Mhpgca32.exe	111
PID 5064 wrote to memory of 2752	5064	Mhpgca32.exe	111
PID 2752 wrote to memory of 696	2752	Ndidna32.exe	112
PID 2752 wrote to memory of 696	2752	Ndidna32.exe	112
PID 2752 wrote to memory of 696	2752	Ndidna32.exe	112
PID 696 wrote to memory of 1652	696	Ndpjnq32.exe	113
PID 696 wrote to memory of 1652	696	Ndpjnq32.exe	113
PID 696 wrote to memory of 1652	696	Ndpjnq32.exe	113
PID 1652 wrote to memory of 2376	1652	Ochamg32.exe	114
PID 1652 wrote to memory of 2376	1652	Ochamg32.exe	114
PID 1652 wrote to memory of 2376	1652	Ochamg32.exe	114
PID 2376 wrote to memory of 4156	2376	Pmhkflnj.exe	115
PID 2376 wrote to memory of 4156	2376	Pmhkflnj.exe	115
PID 2376 wrote to memory of 4156	2376	Pmhkflnj.exe	115
PID 4156 wrote to memory of 3348	4156	Pkmhgh32.exe	116
PID 4156 wrote to memory of 3348	4156	Pkmhgh32.exe	116
PID 4156 wrote to memory of 3348	4156	Pkmhgh32.exe	116
PID 3348 wrote to memory of 3392	3348	Pkabbgol.exe	117
PID 3348 wrote to memory of 3392	3348	Pkabbgol.exe	117
PID 3348 wrote to memory of 3392	3348	Pkabbgol.exe	117
PID 3392 wrote to memory of 4632	3392	Aimhmkgn.exe	118

C:\Users\Admin\AppData\Local\Temp\fc643d75fd98d2e7ea97841e877ecd104ac9a359ed9e4190acaad5c3a9cdb39d.exe
"C:\Users\Admin\AppData\Local\Temp\fc643d75fd98d2e7ea97841e877ecd104ac9a359ed9e4190acaad5c3a9cdb39d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\SysWOW64\Gbpnjdkg.exe
  C:\Windows\system32\Gbpnjdkg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\Hejjanpm.exe
    C:\Windows\system32\Hejjanpm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\SysWOW64\Iapjgo32.exe
      C:\Windows\system32\Iapjgo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        24⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        25⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Cdgolq32.exe
        
        C:\Windows\system32\Cdgolq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        27⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        31⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\Eennefib.exe
        
        C:\Windows\system32\Eennefib.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Egpgehnb.exe
        
        C:\Windows\system32\Egpgehnb.exe
        33⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Fnqebaog.exe
        
        C:\Windows\system32\Fnqebaog.exe
        34⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Fcmnkh32.exe
        
        C:\Windows\system32\Fcmnkh32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Flfbcndo.exe
        
        C:\Windows\system32\Flfbcndo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Gqagkjne.exe
        
        C:\Windows\system32\Gqagkjne.exe
        37⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\Hmhhpkcj.exe
        
        C:\Windows\system32\Hmhhpkcj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Hgnlmdcp.exe
        
        C:\Windows\system32\Hgnlmdcp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Hmkeekag.exe
        
        C:\Windows\system32\Hmkeekag.exe
        40⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Idkpmgjo.exe
        
        C:\Windows\system32\Idkpmgjo.exe
        41⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Jaefne32.exe
        
        C:\Windows\system32\Jaefne32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Khonkogj.exe
        
        C:\Windows\system32\Khonkogj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Kmlgcf32.exe
        
        C:\Windows\system32\Kmlgcf32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Kjpgmj32.exe
        
        C:\Windows\system32\Kjpgmj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Knmpbi32.exe
        
        C:\Windows\system32\Knmpbi32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Lacbpccn.exe
        
        C:\Windows\system32\Lacbpccn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Lkbmih32.exe
        
        C:\Windows\system32\Lkbmih32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Malefbkc.exe
        
        C:\Windows\system32\Malefbkc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Meljappg.exe
        
        C:\Windows\system32\Meljappg.exe
        50⤵
        Executes dropped EXE
        
        PID:5368
        
        C:\Windows\SysWOW64\Mdagbl32.exe
        
        C:\Windows\system32\Mdagbl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Nhdicjfp.exe
        
        C:\Windows\system32\Nhdicjfp.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Ndkjik32.exe
        
        C:\Windows\system32\Ndkjik32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Nkjlqd32.exe
        
        C:\Windows\system32\Nkjlqd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Oogdfc32.exe
        
        C:\Windows\system32\Oogdfc32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Oahnhncc.exe
        
        C:\Windows\system32\Oahnhncc.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Oakjnnap.exe
        
        C:\Windows\system32\Oakjnnap.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Ofhcdlgg.exe
        
        C:\Windows\system32\Ofhcdlgg.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Ohgopgfj.exe
        
        C:\Windows\system32\Ohgopgfj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Pndhhnda.exe
        
        C:\Windows\system32\Pndhhnda.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5800
        
        C:\Windows\SysWOW64\Phlikg32.exe
        
        C:\Windows\system32\Phlikg32.exe
        61⤵
        Executes dropped EXE
        
        PID:5848
        
        C:\Windows\SysWOW64\Pfpidk32.exe
        
        C:\Windows\system32\Pfpidk32.exe
        62⤵
        Executes dropped EXE
        
        PID:5900
        
        C:\Windows\SysWOW64\Pdeffgff.exe
        
        C:\Windows\system32\Pdeffgff.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Pkonbamc.exe
        
        C:\Windows\system32\Pkonbamc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Pdgckg32.exe
        
        C:\Windows\system32\Pdgckg32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Qffoejkg.exe
        
        C:\Windows\system32\Qffoejkg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Agmehamp.exe
        
        C:\Windows\system32\Agmehamp.exe
        67⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Bbbblhnc.exe
        
        C:\Windows\system32\Bbbblhnc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Bgokdomj.exe
        
        C:\Windows\system32\Bgokdomj.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Chkjpm32.exe
        
        C:\Windows\system32\Chkjpm32.exe
        70⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Deagoa32.exe
        
        C:\Windows\system32\Deagoa32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Dpnbmi32.exe
        
        C:\Windows\system32\Dpnbmi32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Epbkhhel.exe
        
        C:\Windows\system32\Epbkhhel.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Eflceb32.exe
        
        C:\Windows\system32\Eflceb32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Eedmlo32.exe
        
        C:\Windows\system32\Eedmlo32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Fhgccijm.exe
        
        C:\Windows\system32\Fhgccijm.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Fhiphi32.exe
        
        C:\Windows\system32\Fhiphi32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Giboijgb.exe
        
        C:\Windows\system32\Giboijgb.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Hgkimn32.exe
        
        C:\Windows\system32\Hgkimn32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Hqjcgbbo.exe
        
        C:\Windows\system32\Hqjcgbbo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Ijedehgm.exe
        
        C:\Windows\system32\Ijedehgm.exe
        81⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Iqaiga32.exe
        
        C:\Windows\system32\Iqaiga32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Ijjnpg32.exe
        
        C:\Windows\system32\Ijjnpg32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Ijlkfg32.exe
        
        C:\Windows\system32\Ijlkfg32.exe
        84⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Jmmcgbnf.exe
        
        C:\Windows\system32\Jmmcgbnf.exe
        85⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Jgbhdkml.exe
        
        C:\Windows\system32\Jgbhdkml.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Jfgefg32.exe
        
        C:\Windows\system32\Jfgefg32.exe
        87⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Jjemle32.exe
        
        C:\Windows\system32\Jjemle32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Jcpojk32.exe
        
        C:\Windows\system32\Jcpojk32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Jjjggede.exe
        
        C:\Windows\system32\Jjjggede.exe
        90⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Kmpido32.exe
        
        C:\Windows\system32\Kmpido32.exe
        91⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Kciaqi32.exe
        
        C:\Windows\system32\Kciaqi32.exe
        92⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Liifnp32.exe
        
        C:\Windows\system32\Liifnp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Lpbokjho.exe
        
        C:\Windows\system32\Lpbokjho.exe
        94⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Likcdpop.exe
        
        C:\Windows\system32\Likcdpop.exe
        95⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Lpghfi32.exe
        
        C:\Windows\system32\Lpghfi32.exe
        96⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Lfaqcclf.exe
        
        C:\Windows\system32\Lfaqcclf.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Lpjelibg.exe
        
        C:\Windows\system32\Lpjelibg.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Libido32.exe
        
        C:\Windows\system32\Libido32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Mffjnc32.exe
        
        C:\Windows\system32\Mffjnc32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Malnklgg.exe
        
        C:\Windows\system32\Malnklgg.exe
        101⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Mpqklh32.exe
        
        C:\Windows\system32\Mpqklh32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Mpedgghj.exe
        
        C:\Windows\system32\Mpedgghj.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Mmiealgc.exe
        
        C:\Windows\system32\Mmiealgc.exe
        104⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Nmlafk32.exe
        
        C:\Windows\system32\Nmlafk32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:552
        
        C:\Windows\SysWOW64\Nhafcd32.exe
        
        C:\Windows\system32\Nhafcd32.exe
        106⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Nmnnlk32.exe
        
        C:\Windows\system32\Nmnnlk32.exe
        107⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Nieoal32.exe
        
        C:\Windows\system32\Nieoal32.exe
        108⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Npognfpo.exe
        
        C:\Windows\system32\Npognfpo.exe
        109⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Ngipjp32.exe
        
        C:\Windows\system32\Ngipjp32.exe
        110⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Nandhi32.exe
        
        C:\Windows\system32\Nandhi32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4320
        
        C:\Windows\SysWOW64\Nkghqo32.exe
        
        C:\Windows\system32\Nkghqo32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Opmcod32.exe
        
        C:\Windows\system32\Opmcod32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Onqdhh32.exe
        
        C:\Windows\system32\Onqdhh32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Paomog32.exe
        
        C:\Windows\system32\Paomog32.exe
        115⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Phiekaql.exe
        
        C:\Windows\system32\Phiekaql.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Pgnblm32.exe
        
        C:\Windows\system32\Pgnblm32.exe
        117⤵
        Drops file in System32 directory
        
        PID:6276
        
        C:\Windows\SysWOW64\Pgpobmca.exe
        
        C:\Windows\system32\Pgpobmca.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Pafcofcg.exe
        
        C:\Windows\system32\Pafcofcg.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Phpklp32.exe
        
        C:\Windows\system32\Phpklp32.exe
        120⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Pahpee32.exe
        
        C:\Windows\system32\Pahpee32.exe
        121⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Qjcdih32.exe
        
        C:\Windows\system32\Qjcdih32.exe
        122⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Qdihfq32.exe
        
        C:\Windows\system32\Qdihfq32.exe
        123⤵
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Akgjnj32.exe
        
        C:\Windows\system32\Akgjnj32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6588
        
        C:\Windows\SysWOW64\Ababkdij.exe
        
        C:\Windows\system32\Ababkdij.exe
        125⤵
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Ajmgof32.exe
        
        C:\Windows\system32\Ajmgof32.exe
        126⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Bjfjee32.exe
        
        C:\Windows\system32\Bjfjee32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Bgjjoi32.exe
        
        C:\Windows\system32\Bgjjoi32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Bkhceh32.exe
        
        C:\Windows\system32\Bkhceh32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Cnkilbni.exe
        
        C:\Windows\system32\Cnkilbni.exe
        130⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Dbbdip32.exe
        
        C:\Windows\system32\Dbbdip32.exe
        131⤵
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Dgomaf32.exe
        
        C:\Windows\system32\Dgomaf32.exe
        132⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Dagajlal.exe
        
        C:\Windows\system32\Dagajlal.exe
        133⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Dlmegd32.exe
        
        C:\Windows\system32\Dlmegd32.exe
        134⤵
        Drops file in System32 directory
        
        PID:7164
        
        C:\Windows\SysWOW64\Dajnol32.exe
        
        C:\Windows\system32\Dajnol32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Dhcfleff.exe
        
        C:\Windows\system32\Dhcfleff.exe
        136⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\Dalkek32.exe
        
        C:\Windows\system32\Dalkek32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6372
        
        C:\Windows\SysWOW64\Dhfcae32.exe
        
        C:\Windows\system32\Dhfcae32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6448
        
        C:\Windows\SysWOW64\Eblgon32.exe
        
        C:\Windows\system32\Eblgon32.exe
        139⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        140⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 416
        141⤵
        Program crash
        
        PID:6968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:6612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6600 -ip 6600
1⤵
PID:6672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abjfqpji.exe

Filesize
136KB

MD5
1dc4220a4fe62781bce4da7a78e459cd

SHA1
579cdccc14760cd5d90758c0f16092612d8a5f06

SHA256
25bd8984d4e422cd7d3cbea2d0599052119da914d4892ec8de8800c51537fc35

SHA512
e47d7fc5b082c623bdfdb1c26926a2fef5a1a90faa5a0265cdbe3d1df61f630d3488295c02c88739dd3665bf132dd328a189f06792c1ee737ceba9f69f1bce19

Download Submit
C:\Windows\SysWOW64\Aimhmkgn.exe

Filesize
136KB

MD5
6e8755c82360311f402ffd14e913860f

SHA1
030071e0b30a35b2192c21fd06565cb4ee45dffc

SHA256
c8df2b205ab6e44c2d5591c1c655367772d8db7ed5650a8331c44649c3ba0e1e

SHA512
5192828ace52673ab65a693efdc11af3dee33d95bbe7952a8caf66eeeb7129c2772b8c2cd78c9b7769c9cfbe1c1f40c9612980a23a1398f3a165c5f3fed73244

Download Submit
C:\Windows\SysWOW64\Ajmgof32.exe

Filesize
136KB

MD5
f1c1f03b0b5fe87c5b016c9222c80dc4

SHA1
2af079f2c5426b2270a6850497adeb3cc3c594b7

SHA256
e1f1314c735d83a60c82365e185aa68fdac7acf7249ff8f1e6a34e19a675f3ec

SHA512
1ddf32c1fbd9d4bd32c7dd050f7b8ac0971ea897b6c6ceed83544cdbe7db8bec291105dc5ec2fdb139c0665d99f39cbdff333bb75a1a699df5f7ec5807ddb5e3

Download Submit
C:\Windows\SysWOW64\Apimodmh.exe

Filesize
136KB

MD5
3f538c74b29ded020ce2c2b7aa119ab9

SHA1
fedc6645f2dde35831351ca65dbb82dbf7793f82

SHA256
96364ff04d30fa9c34ae2d4ec6450af0beb32a83e9f38243a3731332c3dc1060

SHA512
a89d7ee5d856855e8761d6027e9a09edc7a85e2b32c555ea0a87b14b53a8ccfc07161e30b12395b6e965b2b4101296eea9c4e3091ab91913a13f5153d3ca561a

Download Submit
C:\Windows\SysWOW64\Bmkjig32.exe

Filesize
136KB

MD5
1b65399d392d6c16f2073a877d323f6b

SHA1
919a787de106516adff19579443d55b734699a07

SHA256
22849aeec0dbdc34fa5c1e74962a01e358c77966494a42ac00f66bc469288ad7

SHA512
53db8af4088fac47003cedfbe0674e68e8a725705b27b6980a9a25094eb5190d16ddd27af1f830daf0d29f4b6cf19c59a83d4317f7496dca8cd59a88560a47e3

Download Submit
C:\Windows\SysWOW64\Cbmlmmjd.exe

Filesize
136KB

MD5
4c5eb8d5fc01a930273e066f8ba866b7

SHA1
5cc63c550d716a53bbd1ea036647ad7e8b4899b6

SHA256
b8653883b0867f0662ca95234ac68a44518ba79fd3bbfb1a8c6e924fd5d525cd

SHA512
618a7b259624a8ce402f8e2b014cd40ef1e09777595bf45e0e227f447fe38c222321aa84576be58e4ab834ec8bd226cf01d944808a743b315e08bbd3dec51aa9

Download Submit
C:\Windows\SysWOW64\Cdgolq32.exe

Filesize
136KB

MD5
916078e0dbbfef8bb82dd2436735bd42

SHA1
4a2bb813d6542d12f7f5a2d7c4f527ed597818f2

SHA256
2c47256eec2822de52272a414a72b551e315d64ad4797362392cbd36b22e9204

SHA512
0d18c4cffada94aea372b57590e9583186d005b9efef92b6422ca620db7c31936cdf2dbc97b445bce4eb4a8ac0d248483f3eca915bc12f29c77b0e1e9ca83b8a

Download Submit
C:\Windows\SysWOW64\Cehlcikj.exe

Filesize
136KB

MD5
afd85037d27c700409e92c048beca5b7

SHA1
28dc02cfde26c2a53bf91c71e0086b224207e37e

SHA256
8324b4cd6ad4d92d2f6574ab92976cbd3eb54898a52f8f69044da5dc71fec81e

SHA512
531761a700bd558036152b55cd019390549a0bc039cfb072743985dd83ce7de1bf2bd8b35fa7b02e56c65829dff35b7711ef98f3d9d0b48021aa0f36289a49c9

Download Submit
C:\Windows\SysWOW64\Cmgjee32.exe

Filesize
136KB

MD5
bff1bfeed69509009ee55c4c13bc2904

SHA1
68dd3d6c1f9b0c5636d529a0a5bbce5f47fc103d

SHA256
8607ee3280f030b8e550bf6beb084e12768986e1b32c25d6a5b8d1f53e20cfc6

SHA512
18bdb720466f93030f3d0170bffb287f01d02f0119938e72e49682fca4cc6bf538e2f1c5a23153069c66bfd1225ffa98a72553b00f5a3de329019a11e0cb0163

Download Submit
C:\Windows\SysWOW64\Cnkilbni.exe

Filesize
136KB

MD5
e5d34a897c79e04052ac0d70f2674bed

SHA1
451616294c43a59ea4e99baf60f2cfb721e9c9a4

SHA256
095eb920ca610c7b81f8daa589d83493bcd81976fe342eea8abe27d363bd9222

SHA512
8b26194548fdf05d1bba41f0a26c14e8c1bab06f4e260901e0fe8a1e9e25294531a872e4bdbe072dcbbd9ccccaad552579d8ae60ff6437ffe2306ab94164313f

Download Submit
C:\Windows\SysWOW64\Dedkogqm.exe

Filesize
136KB

MD5
96ea36e94caff3c8db730597595a0ec1

SHA1
038d7eab0b9b1a53dcdd26a57f05e9fc0245b6b2

SHA256
53d25555e77fbc316efeeef83e5f6a1972414f795bb62586b562525832713a66

SHA512
598a9a38905a322edeaebc216635aa8c91cb7cf9f8193b77d55fb7e354a2ffbeb5981ef92f94183ad1b3f67f25a26443185d2c679ad7c553c52a827b52ba6fe4

Download Submit
C:\Windows\SysWOW64\Defheg32.exe

Filesize
136KB

MD5
183c9b11dbe3b435fcd182a8a4c25b4f

SHA1
677a10a7801240848250937199fd9771d5b06dfa

SHA256
e9933e0a9b698e10390338e1fe6949b175d52159282e48a86b1661f2e54e493d

SHA512
5919e578d502b9c91bee79bb204356051a4d87d25fd97684b27e85316a8a3218d6a227c90c329d4fb7771230028e97d7b19a5bed067be022c45443629fad4b5d

Download Submit
C:\Windows\SysWOW64\Dmehgibj.dll

Filesize
7KB

MD5
7c8597ec6707b23ea15fee3505cef2f4

SHA1
93612bef373161c7c3ab81c865679421627ae2cd

SHA256
1f5331f6f4909f0424f72ef6a7b4270cf396e854eb0b99ddb1e77492a466eb21

SHA512
f1ae647d5441018ed681b09d751340da01d64361a86826fff9e3952720b6e07351975a6fb4f12895f308be04250cd8d9230bd1983f8a29ab92e102ea0cbf7d8a

Download Submit
C:\Windows\SysWOW64\Eennefib.exe

Filesize
126KB

MD5
bf7e6eac6525221b2074c5a5b4821f6b

SHA1
0b36f12eb56c474fcb2d3c5d0076d74a472fe24a

SHA256
49c96fa83553b799ca9e90303f71f07c8f6f047ed1a9c8f1386d7d33e799a03b

SHA512
c41cef9c02804e13a8c721cd2186ed35a6a8be1bf053989c7c1966923005cea7857b7959b02a86848bf24a797b310fc4e6769e14cedcddbd913bdef170fb8081

Download Submit
C:\Windows\SysWOW64\Eennefib.exe

Filesize
136KB

MD5
e58a9eca234ad7469bd6283c64c0ae36

SHA1
1cfc1ff4bd4485375a400c634f2952505b3ba23f

SHA256
4782001d480049cd440cb10123a31845d5bc8ba7aad705751bfe89fedba9a54a

SHA512
e3ce5dea65eddc8063b1204f902162f01a5f14943992d7e68c09adfc9d9f3037603d8eef5b3d5ff8bee8f505bfd70b3b5bcba4035837096230cabb66e9e31565

Download Submit
C:\Windows\SysWOW64\Egpgehnb.exe

Filesize
136KB

MD5
494e6c83f4d52a2541ee7444d0ebf73c

SHA1
a8d330f141e42af719f1ab883669ececb2065b47

SHA256
7a5a3d5c0202b8ec803722fa73ab9776404454f2cb46fca2ebc0b21ac4640dcf

SHA512
532b99c4552f14419df9147f2a8cb51829af81f1a300ecda58e712b684698605adfea022662ef63c8799acdfab0aef91683755e11bc24e855db4ebf1aa412346

Download Submit
C:\Windows\SysWOW64\Fnqebaog.exe

Filesize
136KB

MD5
c7de71ae1fbfeb5de02f3ac08be1e67d

SHA1
e80889f6f95f68b148287dd87f4bf42594faf3cc

SHA256
d5db9732bba2c1085f1f8ad6aabfa69bdc1f5be8f5ef2dd35dfadd415ccea27b

SHA512
aca324bed39db6e6046b950bbc6318961b82933375148481fbca7c73c61b54f6055a260bf753a2f11e1217afcd421293a40041de97cc88f7475913c8f6084f3e

Download Submit
C:\Windows\SysWOW64\Gbpnjdkg.exe

Filesize
136KB

MD5
1f6f179f4edd5cb15503f6ba6a33447f

SHA1
db5151f112409ab3e99a5b54c70713d721a22ee8

SHA256
5803fb34f13672429f2fee830ac80e6aa60557fdf4b7294a80d049e69b6eb293

SHA512
9c06d51b513cae30ecdf4fbf98d3aff8f26f072ab6445eeea655403aae41641779ce9826caa5b999d32c28f9b28345c6a3a7fe7f8ee95dc27c460155682225e6

Download Submit
C:\Windows\SysWOW64\Gqagkjne.exe

Filesize
136KB

MD5
7b9fc16ff4e9765f68a9b664c42e0efb

SHA1
6311b0ace41b000f3a046b8714cea815292243fd

SHA256
7b92e5ed4136707d3e39176de0cec36464c424eccfdeb922f211da67b7a68208

SHA512
2f350b3d4449e2bc8e9d927c6e587620ec1e729fd27f49c106ab7c81204e6d3c11dd5b3e0cd6e12997db5e36ca54c117614c4128a23fa649a5f07d75309119d3

Download Submit
C:\Windows\SysWOW64\Hejjanpm.exe

Filesize
136KB

MD5
bad6edc1df64ad0472abc71086f4e08b

SHA1
6179bb1a91aafb841690107ab4e23c1af2813b02

SHA256
52019b1a6a7facc2bc05ba32391aab9153566ade8002004f551d0b474da1c990

SHA512
4ee3dbfaa29bad443f64e4cde31eafc3c47cd3b25d87a3ea5995b9e6da0a46b092067802833b3d3ec9cabb3a4550f99761a0985f21a4c4d849770a98237e8cf8

Download Submit
C:\Windows\SysWOW64\Iapjgo32.exe

Filesize
136KB

MD5
326021daf5c3c0b34b6341d508ee7bcd

SHA1
80cd3819ca415db42e11f62f2729a608b72e97a2

SHA256
14a1f06ed70eb43f9724812eac23ceeb32e609317f4782987158e74e23936789

SHA512
94458e319b780a466d764b884097fd8650a894cfd350dd91609f00ce17fb1f7f4b55b08a96ea11e5f85f5841c99770dbd3a1d1492a17d3c5d5ef60fd7d7a0291

Download Submit
C:\Windows\SysWOW64\Ibgmaqfl.exe

Filesize
136KB

MD5
a5173002f43e5f9f7e15b2164ed7d194

SHA1
12ace729dc1d3efe88fbbdaf461e2e08d5d8d9e3

SHA256
2c2e1892b02647248e13c8291424e09487268c77998d7451d395a202db558b25

SHA512
7a24b3f7bd2e2a9c84d4596bcf02294d4df9789485efb13c517639f9ac9f32a6729a40165a5f6c172a4a64f55df56010b37b77f8911b8a3d309ad7ffec16a7cd

Download Submit
C:\Windows\SysWOW64\Ijkled32.exe

Filesize
64KB

MD5
7259ff54e2ec17455c81b042cf97a6ce

SHA1
5de3f9c068b76fb407a57afb47a442791d6ca23a

SHA256
396dc425d4b3e545fe3d38ab892e1ea1af888ce3c8f6329881d9c76466d2a7e5

SHA512
ecd3d4afe86c915654045bcf84e56919fb16c98db10cc96d8565750e698c98e7868f5d5eb07db28f22c5b7211e09a700fe28342d5598b00b1c6e753ac6cfde75

Download Submit
C:\Windows\SysWOW64\Ijkled32.exe

Filesize
136KB

MD5
2db0834df6ccceafb4e18a234ce6ae66

SHA1
f91a6eebe119821df661281d2a205aa5aa5ddfb7

SHA256
186200841916649dd44cec7785ab4ec689612ad952aeb06d75a6f996d229b612

SHA512
4560b3638a136405925f4d476c1d7a38a2f2b19222e195655d073795da78a67a7618f3630e780877a3aa72b362cf679823560a326e97558c23cc1b5bff729436

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
136KB

MD5
72e1b29a38c2ebe65e8a4cfc4784641a

SHA1
010f28171b63acdaf1d66d3880391f1445e4d97f

SHA256
f0c9b8a9e3ab26fd9941968945b69b29e269d33340b295f5ac6adf4c2f9a4679

SHA512
fa2fa18ac30aef1abba9ac246b28b81508ef68613bd56dd3bcf196902f5528e9b920b08b2620b3441574f22ec43660d1f52baaebf8ed01a137e87bad5bb66d60

Download Submit
C:\Windows\SysWOW64\Kbnlim32.exe

Filesize
136KB

MD5
0fa1de2e3f0f473c398358053089b987

SHA1
494e6e8f5127048168acb4196e18a5df687acfae

SHA256
42963cfec8aa6dc1066bd48b4fd31d19047fb46d30d4774e69a7c77618963674

SHA512
3ef2f5409a503128c7c09b52b552f724dcbda66c68e21e6cd62f8a9af21b031e37e373064f4577d9ef15d07dbfb8da6a1ca067ab13bae71251ab62317f4244af

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
136KB

MD5
8edb3afff3c283b22341c07500f00333

SHA1
35baa3b44589ea1bc82341a32466f8597ce114ef

SHA256
314a0b5e0080706511c68e97b5f0b7ce80cadce630a143a068d98af5904f10f5

SHA512
44843523a19e1a03a1d451947c2cd6d5482d658a547ce2b639662a15ddce562bfdbf8f9f49327fb7b19b84813d0f973b361867511b9aca93638bba4a71da705a

Download Submit
C:\Windows\SysWOW64\Kopcbo32.exe

Filesize
136KB

MD5
752ce99fd45a71a7aea64272ad495440

SHA1
8091e5b553f01af4c7da5b07b735bdb5a2f99de4

SHA256
031f5efba3f748751c7fb3af44de3718903af2b1f293f99de68db57e4a8d6f59

SHA512
89a12a27d020352247a689ea878848c0cbda4fcb095eac9b0000d1a4a3bde77b14f490bf9081f16a4c07e16d146869f84858b2b2321fc3797630e78fc5c0dd62

Download Submit
C:\Windows\SysWOW64\Kopcbo32.exe

Filesize
78KB

MD5
b88a677ef810d167205388390720f59b

SHA1
936f1eaa6275c09532b5aaf65ec294a645392c3a

SHA256
234763515ae19c0d5d43182cb34f12530f058573cbc8a23bd7a2c12da6b52b02

SHA512
2c603e6075845f91f4a1fde191344ab79f969a7bd93aad81baf3992ee3df401250b4fa397f35cd3553fca8cfe8f05d069957d4c26392104e5e5662fbff47716c

Download Submit
C:\Windows\SysWOW64\Lbebilli.exe

Filesize
136KB

MD5
cd12cc35fff11c9c3b4059ba30a0a2f3

SHA1
1aa5e15c25701c0fb978baf4bde403787a5f2932

SHA256
58eeb2d0841e61429aac245f67b124c8b41d116ec85e8ad888cb4fae99dcc0c3

SHA512
4dd4c6b35a9022713f879972df659b20eea32bf246aadc9403e72bcce709de0f5d3db68146eed6ab5a7e966bb6af7c8ca46170dd3063fa20af7384e9c39a755d

Download Submit
C:\Windows\SysWOW64\Lhdggb32.exe

Filesize
136KB

MD5
7043c5f9b6049d3b3d13b6d4bbf5cf7e

SHA1
a629f2a00d9c5c5e52cc7e26f4ed4fc83ba13bcd

SHA256
a5a71c3c07430791c8d33bf5ab1feaebacfda74e33b52d30b3b5f03100f1d847

SHA512
4ebbbf6a02641697bdf7557481e0d4d6f39aaea5670369845404b2b7c20efae4dcb882a6bdc69bf9c6b272f8cb2f1dbe49a1a815823181fcec120826ba17df77

Download Submit
C:\Windows\SysWOW64\Lhgdmb32.exe

Filesize
136KB

MD5
8e1756c6cbd114dae75669b3dceacf0c

SHA1
e35d0ae87c883fa418db88d20ac4360d56542168

SHA256
370f666e852dd8c2eeb28d103992c72657f2eb906d466eef87e3fa921df6ca44

SHA512
90acca8e937900e8c1d6fa57dd79053339a2ee71d1c6d05a8edc6d237926e2c98470128284b123e665eda549bf86ac4873f9691a74e13bef8f1fe9c04929fe04

Download Submit
C:\Windows\SysWOW64\Mhpgca32.exe

Filesize
136KB

MD5
d934a02f155289578e1027d3e9996d89

SHA1
bd67e7527d40a0fbd99676da112e83fcb13562c6

SHA256
79fe98095d7d410d50f0c9e217c87b48a66c3e2f51a1be796e65bbaa05814eeb

SHA512
3d6c8cfc02739888990568d7715ca8ac07044317ab3bf2d95a96d6a2ecaf579f167b618d56523c1a9f6c8de51644b696c8a5c25b6b0ae0c088e3ad36b42320fc

Download Submit
C:\Windows\SysWOW64\Mlgjhp32.exe

Filesize
136KB

MD5
0d37d1b9dad67997570455920697cbf5

SHA1
ded8fca7a08c98bb06f886b7fbd8b1ba701852d8

SHA256
40e3f2c8c7f7ac1644df9cc94a8ebebce0d2f1e33b51bb3299fe0ed0fc7170f6

SHA512
db39ea8edbd13c05e8780acfe1f8ff8864af2574fe56c34a57c7d77dc890b8336c6633ed8c450c7daab4ffcb0ff84494851e5b4d497b42112269fe732a8e6599

Download Submit
C:\Windows\SysWOW64\Nandhi32.exe

Filesize
136KB

MD5
47fa0b5ee7e9f6ede255a04ce848a1f5

SHA1
32006bdff8b3eb65cc2fdc6041cb01f24a94ea36

SHA256
53ee6ef1d8e869e76493e2cc63045d75344d73252829ce8b7c835230c1405b12

SHA512
02143aeb684aceadb6ae631207f19776835eb1a64ca9ad58af3221b9aa50d9304bd365d6bf2917fda5e3b99d17626f59c4892b4791f57cc4cdca4ee80ded54a8

Download Submit
C:\Windows\SysWOW64\Ndidna32.exe

Filesize
136KB

MD5
7d42a7d1e166b10bdcb792fcf4bb938c

SHA1
b55ed56cbf42be78d85f810bc65fd504b8242fb6

SHA256
24bbe0bbc707ce9ff099bfb2376370f896c2739186fac6ea50121376ec7b4cea

SHA512
cd30bd07adce2c59e869829295cb9ce6632ae8e690a1d090b9723ad7071cddd7b65d36c8cad59199b0a5d1211e915df2811f8991a9b0d26c71c290e148e1851b

Download Submit
C:\Windows\SysWOW64\Ndkjik32.exe

Filesize
136KB

MD5
c3ad064ebf0bab3def95ca872cbe6e4f

SHA1
9d5d41dfb49e139e53cf387268abd5f67bfc4219

SHA256
baa11bdc2390ee6250ee1652976d0889f8c7dccb02d801c9f1aa665889a079ec

SHA512
fabd11ad2bfce2a5ed13b00100b509abc85e54579d8e12886acc2833bc5bfe1442c97dc1d3fc2569e51753184a7e269e0ec98c446dfde253d890aaa48591c36c

Download Submit
C:\Windows\SysWOW64\Ndpjnq32.exe

Filesize
136KB

MD5
c6fd20ed975fe20cdbf815e339470336

SHA1
678f2573d07b5041da8112d5aa3e7fe285f33cd6

SHA256
3ba99c400255d69bcd53709aecc9ab87ad70d2cf5a0bacddcc9853f94b278540

SHA512
6cb1f6e684fb1ebb596f3e4140bd14aaa5789d6f1086eca06c5302cb2372fea8eaecae5a20847f113267374e8bd31b36e41c57e2be6877d576ab45340d1b9672

Download Submit
C:\Windows\SysWOW64\Ochamg32.exe

Filesize
136KB

MD5
bd3c1c5e01fbd7af33a9e035a96359b9

SHA1
f404dab9b00b666de79d9a2bbdd4b8456300ba7e

SHA256
82d72a229130248f5fca3b9a3cad0d24e1724188ed801ec342f364276bf39fe9

SHA512
732a5ce2642c09478dbb80c3c7474946dd5554fb6c0102f4e50bca01b7f6ca24cda3c5956d29e0ae89388d7e864e35044315441014efe49b0d72319901b5595c

Download Submit
C:\Windows\SysWOW64\Pahpee32.exe

Filesize
136KB

MD5
ab1fff94f548a83ca0fc438a8f56d0b8

SHA1
b89f880e41ffcc60c3361da3093a2fb84bf7d449

SHA256
28c6e83ecf874a7449b98ebd14ac9a514124ed9c350fc8f296942f88492086e9

SHA512
f6d779b25da3a5967860487fcd6b2a2cfecd8e154050e7a3687524e1d4f5ce9ecf48ecc868820dd7c12b96147f11bf53da3944e15cb7bc0878a8c64681f3aaa8

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
136KB

MD5
a7e0078ac90bc1ba61e3da947e6a509d

SHA1
2b94664aa62b64f61f7a74b9d4261d8b8a848d21

SHA256
f71483165b7d3969866b57b4aae3ea171681ad7e57d4ab9c33e75f66ad03d716

SHA512
92119aec693a7a631b2c6070fbb6a74cbe14d19b744cb720d2a023e7c2bf02634d5047aeb24a551c2b2a34e4e470e2ebca8561fc002332de6481fe2c72d60a93

Download Submit
C:\Windows\SysWOW64\Pkmhgh32.exe

Filesize
136KB

MD5
5f1bf3fe888df13aa035d7e11f516654

SHA1
1a85cc39e150acf7924ef690a61c2ff9fec3d68d

SHA256
67c5aadb918716b664884cefcfd9e40b6d628876f63494204bbde99453d1c1f9

SHA512
5f7383964fbada070f0647cfc040a0ee3e8d3236a7b8dbf31c3b095c686479333084b201835f89eb60a909b250fa1fcdb3f89f38e1c84bdc020c07729b440784

Download Submit
C:\Windows\SysWOW64\Pmhkflnj.exe

Filesize
136KB

MD5
e24eeb0b60270a5aaed90fd68b699438

SHA1
dc7e01eb842323726b3a655b7c950103a524feec

SHA256
a11772b339cf51a429f13e0ff3c89f252db97958688a813ce851f494155dffac

SHA512
f9891148f6cd599fd74147b3cb7275bb09cfedbec922991689ded4838f05cbb1b3bb8efac92c68e809a6fc8716a426a45ece7f8e2615e04237a0a350559d4c01

Download Submit
memory/620-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/620-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3392-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3392-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5172-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5224-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5264-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5320-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5368-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5412-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5456-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5500-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5544-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5588-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5632-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5668-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5720-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5760-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5800-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5848-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5900-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5964-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6008-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads