1c9cdf6dcd5aee989c503101e4b50f6e2871ee6da916acfbbcf9560630676eaa

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c9cdf6dcd5aee989c503101e4b50f6e2871ee6da916acfbbcf9560630676eaa.exe
Size

340KB
MD5

2cd0c1095bd17fa659a1cbcd89739846
SHA1

2706d09aa39f6bdaf1e9d69e99362484ca1f791b
SHA256

1c9cdf6dcd5aee989c503101e4b50f6e2871ee6da916acfbbcf9560630676eaa
SHA512

6715e7af7ed6345837fbb70e5c097d637c9318abcc1d613d7ad7905576a7e3c9c05369868724bb1a7b21897c10616012185a5bebfbab6c330952b9b1fa76e4e9
SSDEEP

6144:+aNpFgjMIyedZwlNPjLs+H8rtMsQBJyJyymeH:+XyGZwlNPjLYRMsXJvmeH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1c9cdf6dcd5aee989c503101e4b50f6e2871ee6da916acfbbcf9560630676eaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe

Executes dropped EXE 64 IoCs

pid	Process
4228	Gpnhekgl.exe
2424	Gbldaffp.exe
4592	Gppekj32.exe
4448	Hfjmgdlf.exe
4000	Hihicplj.exe
4572	Hcnnaikp.exe
2088	Hfljmdjc.exe
4464	Hikfip32.exe
3356	Hpenfjad.exe
2472	Hcqjfh32.exe
3676	Hfofbd32.exe
2932	Himcoo32.exe
8	Hadkpm32.exe
2632	Hccglh32.exe
3988	Hmklen32.exe
4320	Hcedaheh.exe
4340	Hfcpncdk.exe
4740	Hmmhjm32.exe
2396	Ipldfi32.exe
4984	Ibjqcd32.exe
3128	Iidipnal.exe
3084	Iakaql32.exe
2680	Icjmmg32.exe
860	Ifhiib32.exe
3584	Iiffen32.exe
3104	Iannfk32.exe
3016	Icljbg32.exe
2032	Ifjfnb32.exe
404	Imdnklfp.exe
2492	Ipckgh32.exe
4724	Ifmcdblq.exe
3736	Iikopmkd.exe
4312	Ipegmg32.exe
872	Ibccic32.exe
2828	Ifopiajn.exe
3968	Imihfl32.exe
4716	Jpgdbg32.exe
3304	Jmkdlkph.exe
2824	Jagqlj32.exe
3512	Jdemhe32.exe
1892	Jfdida32.exe
4584	Jibeql32.exe
4248	Jaimbj32.exe
4892	Jdhine32.exe
5080	Jfffjqdf.exe
1456	Jmpngk32.exe
3536	Jaljgidl.exe
1184	Jdjfcecp.exe
4812	Jbmfoa32.exe
2668	Jkdnpo32.exe
388	Jigollag.exe
5064	Jangmibi.exe
3216	Jdmcidam.exe
4972	Jbocea32.exe
4428	Jiikak32.exe
4084	Kmegbjgn.exe
5012	Kpccnefa.exe
4304	Kbapjafe.exe
896	Kgmlkp32.exe
4200	Kilhgk32.exe
4996	Kmgdgjek.exe
4432	Kpepcedo.exe
3296	Kdaldd32.exe
1932	Kgphpo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Iidipnal.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6432	6340	WerFault.exe	230

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1c9cdf6dcd5aee989c503101e4b50f6e2871ee6da916acfbbcf9560630676eaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1c9cdf6dcd5aee989c503101e4b50f6e2871ee6da916acfbbcf9560630676eaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4228	1468	1c9cdf6dcd5aee989c503101e4b50f6e2871ee6da916acfbbcf9560630676eaa.exe	88
PID 1468 wrote to memory of 4228	1468	1c9cdf6dcd5aee989c503101e4b50f6e2871ee6da916acfbbcf9560630676eaa.exe	88
PID 1468 wrote to memory of 4228	1468	1c9cdf6dcd5aee989c503101e4b50f6e2871ee6da916acfbbcf9560630676eaa.exe	88
PID 4228 wrote to memory of 2424	4228	Gpnhekgl.exe	89
PID 4228 wrote to memory of 2424	4228	Gpnhekgl.exe	89
PID 4228 wrote to memory of 2424	4228	Gpnhekgl.exe	89
PID 2424 wrote to memory of 4592	2424	Gbldaffp.exe	90
PID 2424 wrote to memory of 4592	2424	Gbldaffp.exe	90
PID 2424 wrote to memory of 4592	2424	Gbldaffp.exe	90
PID 4592 wrote to memory of 4448	4592	Gppekj32.exe	91
PID 4592 wrote to memory of 4448	4592	Gppekj32.exe	91
PID 4592 wrote to memory of 4448	4592	Gppekj32.exe	91
PID 4448 wrote to memory of 4000	4448	Hfjmgdlf.exe	92
PID 4448 wrote to memory of 4000	4448	Hfjmgdlf.exe	92
PID 4448 wrote to memory of 4000	4448	Hfjmgdlf.exe	92
PID 4000 wrote to memory of 4572	4000	Hihicplj.exe	93
PID 4000 wrote to memory of 4572	4000	Hihicplj.exe	93
PID 4000 wrote to memory of 4572	4000	Hihicplj.exe	93
PID 4572 wrote to memory of 2088	4572	Hcnnaikp.exe	94
PID 4572 wrote to memory of 2088	4572	Hcnnaikp.exe	94
PID 4572 wrote to memory of 2088	4572	Hcnnaikp.exe	94
PID 2088 wrote to memory of 4464	2088	Hfljmdjc.exe	95
PID 2088 wrote to memory of 4464	2088	Hfljmdjc.exe	95
PID 2088 wrote to memory of 4464	2088	Hfljmdjc.exe	95
PID 4464 wrote to memory of 3356	4464	Hikfip32.exe	96
PID 4464 wrote to memory of 3356	4464	Hikfip32.exe	96
PID 4464 wrote to memory of 3356	4464	Hikfip32.exe	96
PID 3356 wrote to memory of 2472	3356	Hpenfjad.exe	97
PID 3356 wrote to memory of 2472	3356	Hpenfjad.exe	97
PID 3356 wrote to memory of 2472	3356	Hpenfjad.exe	97
PID 2472 wrote to memory of 3676	2472	Hcqjfh32.exe	98
PID 2472 wrote to memory of 3676	2472	Hcqjfh32.exe	98
PID 2472 wrote to memory of 3676	2472	Hcqjfh32.exe	98
PID 3676 wrote to memory of 2932	3676	Hfofbd32.exe	99
PID 3676 wrote to memory of 2932	3676	Hfofbd32.exe	99
PID 3676 wrote to memory of 2932	3676	Hfofbd32.exe	99
PID 2932 wrote to memory of 8	2932	Himcoo32.exe	101
PID 2932 wrote to memory of 8	2932	Himcoo32.exe	101
PID 2932 wrote to memory of 8	2932	Himcoo32.exe	101
PID 8 wrote to memory of 2632	8	Hadkpm32.exe	102
PID 8 wrote to memory of 2632	8	Hadkpm32.exe	102
PID 8 wrote to memory of 2632	8	Hadkpm32.exe	102
PID 2632 wrote to memory of 3988	2632	Hccglh32.exe	103
PID 2632 wrote to memory of 3988	2632	Hccglh32.exe	103
PID 2632 wrote to memory of 3988	2632	Hccglh32.exe	103
PID 3988 wrote to memory of 4320	3988	Hmklen32.exe	105
PID 3988 wrote to memory of 4320	3988	Hmklen32.exe	105
PID 3988 wrote to memory of 4320	3988	Hmklen32.exe	105
PID 4320 wrote to memory of 4340	4320	Hcedaheh.exe	106
PID 4320 wrote to memory of 4340	4320	Hcedaheh.exe	106
PID 4320 wrote to memory of 4340	4320	Hcedaheh.exe	106
PID 4340 wrote to memory of 4740	4340	Hfcpncdk.exe	107
PID 4340 wrote to memory of 4740	4340	Hfcpncdk.exe	107
PID 4340 wrote to memory of 4740	4340	Hfcpncdk.exe	107
PID 4740 wrote to memory of 2396	4740	Hmmhjm32.exe	108
PID 4740 wrote to memory of 2396	4740	Hmmhjm32.exe	108
PID 4740 wrote to memory of 2396	4740	Hmmhjm32.exe	108
PID 2396 wrote to memory of 4984	2396	Ipldfi32.exe	110
PID 2396 wrote to memory of 4984	2396	Ipldfi32.exe	110
PID 2396 wrote to memory of 4984	2396	Ipldfi32.exe	110
PID 4984 wrote to memory of 3128	4984	Ibjqcd32.exe	111
PID 4984 wrote to memory of 3128	4984	Ibjqcd32.exe	111
PID 4984 wrote to memory of 3128	4984	Ibjqcd32.exe	111
PID 3128 wrote to memory of 3084	3128	Iidipnal.exe	112

C:\Users\Admin\AppData\Local\Temp\1c9cdf6dcd5aee989c503101e4b50f6e2871ee6da916acfbbcf9560630676eaa.exe
"C:\Users\Admin\AppData\Local\Temp\1c9cdf6dcd5aee989c503101e4b50f6e2871ee6da916acfbbcf9560630676eaa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\Gpnhekgl.exe
  C:\Windows\system32\Gpnhekgl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\Gbldaffp.exe
    C:\Windows\system32\Gbldaffp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\Gppekj32.exe
      C:\Windows\system32\Gppekj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        23⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        29⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        32⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        38⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        46⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        50⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        51⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        55⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        57⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        60⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        66⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        68⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        71⤵
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        72⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        74⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        76⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        78⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        80⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        83⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        85⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        86⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        87⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        91⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        92⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        93⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        94⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        95⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        98⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        99⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        100⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4768
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        103⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        104⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        105⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        107⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        108⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        110⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        113⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        116⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        117⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        120⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        121⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        123⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        124⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        129⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        131⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        133⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        134⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        139⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        141⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 408
        142⤵
        Program crash
        
        PID:6432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6340 -ip 6340
1⤵
PID:6408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
340KB

MD5
eecc0a256f108e4271ab1ac1c15d531b

SHA1
f3530b9d50b5c65b341d8f5b373d5c027d77f9d7

SHA256
ccf885d6dbbdc6ed37f0b0b613407c57db301dae01a8b7c2ba6bbfb392186f46

SHA512
b0b44d69d829e805e2de4d2c9c8c8009e713d2d48adfb326aeaa9b378b4f5a2668b47048e3b24abb251be766b94c52be9f208195f72fa08611d54948049ba9d5

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
340KB

MD5
2266db93d71cd540ff250c715fac5bbe

SHA1
9c29f1fc48723be754f6df9b1c5f151faac3682e

SHA256
a9f1bcc035884ccbca46fccafc0b370bd14c6562930f6399f9ebc5f96b1164b5

SHA512
ff6502b3179dcd279b583eb965dbe7b42898dcf6d06e764d93290a9a74e1e41ac516d088065ad40d69abd6a6208c448ec8a3503f0271c80264f7d5fba2dc8e22

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
340KB

MD5
e60eb56060360e5d2e2e5c6535fec776

SHA1
39e37357cce7c86ba7c6941e400811228ada1b29

SHA256
114d5f116810190f8355a32a02b4c3e29b235c4e3dbec6dc3aa2a747c9875be4

SHA512
d0abf8f2bc06f62db04583d92b6108840d46778d24e89c07434ea52f9926b1a00565a30b1209f67153a073b92b17fa2649f48a77750435e85c45548d4da337bb

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
128KB

MD5
a501477724f0a566217eb0b34f8ee376

SHA1
2ef43f7f2aab67788e214de97e3c4392ea0127c7

SHA256
4c9b0f24e8e2adeab65120f942eae0c86d037481a6bd1330fe29f99bc997cb52

SHA512
06e097bbc547b97dbd0572178a96bc8a029056940f272e25c9d30a70d4475ae794b301fccbf7402eee6afee235fad0c57e8ec02f53d3172c1e946181d94534b2

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
110KB

MD5
0b5ca722bf52a7e9ac0f8fe41b473211

SHA1
03a11739516067ec73a34c105ae77bb3a78dd38e

SHA256
893684abb855bba99f03de915f846240e220e8f4d50777786509d2372e150eef

SHA512
e70ca0de194c5a4212a4b89502a7fc402322d956eeaf1dbe797856a595929d82e2ca2209ba304aa1ae7cc696426059fc3d9375e38d74df2168937390e5a30690

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
340KB

MD5
9ddea61c30a2d06e08a2f2dc6da8c70d

SHA1
ce73ea9c738e770ff79201bfa5e173a51af8e63d

SHA256
5558ac05d9289e1aae234576b13e27917e22b4eec6954f973ceea5b9635cd77b

SHA512
437dd2c317378c792ffd616e18cf1b2a83e462b0d3a5fb9201da77087f796cda08a8802f378e1070e0f8bf8206a55953528a16c57c96ea6a196338266a9feb97

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
1KB

MD5
d0d12693b569c78ff9470eac5a4b9583

SHA1
94f8710131425582091e8fef48ae631ca6b967b2

SHA256
7fbcba22bcb67f187288a0ca0f8538843ce55936d2e6cede8409a4888e704b86

SHA512
a3b96457e3a9e06ff324700eaa197479106229eb4ac28b69cee3e2f8bf20554ae2adf5dab2b29a6ddf66d6a554fc4e0f2d62c61d37bff7e7f4d25c0a13b03931

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
340KB

MD5
fdc8e738d1588a8dde34e35899ef3699

SHA1
b758c4af6505d908405fbebe23522725206446cc

SHA256
37f3c6a90bfbf7767c6f42ca62d962f80309fa744ae53de30bfc00894a2b3bcd

SHA512
46c410fddecb9f3d32fac242fe950fb99714338e6cb0c26f8d522408fe1bae96f7f2f000100f94a2b552f68b48a9859046053ce1bc62581529d9837ea4033a34

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
340KB

MD5
ef3b8dff26ba43a4597a7b7153246dd2

SHA1
c03aefa0a7449a4c1dbd152907a18926e9a7ac3d

SHA256
4a5526e1b3d025b17dcbc84a510e7afc60484225f0fa08cd22296290fdc4835e

SHA512
93d4ef7981405bbfdf835710365de89ab032982a79cb62dfc490210c1d4c8a312d30ef0ceb345074d5469c65292e32b0ce2e2e4d16ac63bebd9dad7ecc900ea4

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
340KB

MD5
1364d9c17703f2f2698aaad4fa2be5a5

SHA1
6e068daf3e68cf3d466cbe4dbb8e2e07c741b84b

SHA256
f41244b6a82b2bf33db522110a8a14072172b934a353562bc197c744ba97adae

SHA512
54b6fa151d8c5b88ef1c2416161e656af1100acfd3f35bdd08ebea44e4d4f6a95535b1500283532661dda11c5b9cbf55f34ccfce4a13ad821c716fa4eb72ebb7

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
340KB

MD5
7ef1218a537a278de358ba9fe55c9801

SHA1
5f3cb2541485c46da12758baadbebfea8af50e11

SHA256
f2df3a4307aef37ba8d55f5de9221dfd2eeaf0b58346e357c375063a46d2e6d6

SHA512
9b88f8c2472ffa94ad331f72660b48b30a41a9cbfda2c205986b10cff3e504bad806195ff0e6663316cc7686cd3e6412d1ffab44ef9043e2b3bf1ed57b887bdd

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
340KB

MD5
d8a85bcc141fefd084b22975fcfb91a7

SHA1
7b03e80760b016811087c00663a2987b0f99868a

SHA256
ed469aa77ddc96b532b723d667e2607dce4ea1b37ec01cada19b6dd742069fd9

SHA512
8a086cf7e35735c38c23242953c034e7a9620129203e4dcf93ea65c02ebfe48740165c5c002af9dd2d05bf8f1ed50d75e09f15bb9a10e299f546bdf9a462eed3

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
128KB

MD5
d4b4132accafb1dd5f6fe4319dd44990

SHA1
d1d75776100c8c48f7fd6d5bce07f5fb71c0bd20

SHA256
79da0bd85fdb3e77c40f261d98d4b6f0282af2cfae976067e3263589dd27091e

SHA512
a00010023ec095cc48dfc550e6c44bc8e01a90be62862d812d3448ddde2055387186b4dc2a638cdc74edb0d4f15cb004b34fc3265ff56ceacdc61b9cf4820a8a

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
221KB

MD5
3eb190e40314af63fcb2f74b500a2bb2

SHA1
3f5adc278f29f2d8274824921a74c89a46f1f335

SHA256
7ec807857d0b0af3a4a3e5643560cde2a280e4351247a03051519ab966ba7f72

SHA512
e18dc3657c9949995f6e248ab716d86d1fa489438bcbeb064a036a23c4f8d491a749af9bc263d4697312b3812a1fe6c61dc114910694f075e143ca277311c58a

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
86KB

MD5
6fc5f1f8a7703f0ae4d442b1404d5180

SHA1
a940643a928a7e66a542e6e967308fffec079afa

SHA256
66bb8824291f1bedbfbb2607af90ef82f91bdd7050d4b18feea8d9af0dc71512

SHA512
27e2fe08fd994dd652ea86272066303892cc8aa0b25509b20a28f7222462836d0123e4a3f711a08270303f7aca49d6d5861ea1854a3e783df79d63e5ede4169d

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
129KB

MD5
e5e6cecbb6ea98da202878f7b6994a4b

SHA1
057473b2f00fdd738e02236ecca73754350c299d

SHA256
332e201e3c112a82efd0d6e74edc22086919361d8e2098a731b107b075d37e4b

SHA512
96a1eca7e878889cce83ca590ed22ff9f3cb522ebccdaf95586fbf9772e6c724bfc8056edd41b5cad98926344382dbe919133eaaa0cc94876479848b9d8317bf

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
239KB

MD5
6cd9f9f5a70f8db00bbd36eeecdb3d07

SHA1
cfa4c288205819dd33b7127cc061ed509df94491

SHA256
b5a82e55f13656ea8d5cf4b8042e4d2102bc8c570ef45350f64ef9c32310aa77

SHA512
f9089c8a9cbcccb0ff48bb746381a18c51478059d7a25865df31fb38780376c74a59c9aa7614e9f52b423ffcec74eaa99526bdca6a32c1acb0e057c024cb6fb0

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
231KB

MD5
1ae9bc2906b9cb10f825295eb95230cc

SHA1
d3bd108775173bd4dcdd290187396d7a7bfeccb7

SHA256
1b58a35ac5c4029d193c6052a815f4884026240b6ca4d2c556febd169b348b26

SHA512
0501475e376da5a2acb86e003ebd73c10e7e9d142c494076712d3bf35d3e2677924325503cbd922462c7dfd37ca72dd2316b4a3227243011c3315043c0c89f18

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
188KB

MD5
5e3f681d524d0cfc58d9aea9f5125147

SHA1
c4d0e89b116e78a086b82c9cab12ada290ce2683

SHA256
91dd0f3bd5c9233ee03e5b6cc3159b2752869c3c4cbeb05772d293b18d9d78c3

SHA512
ec0ae7850bc30051115444ab1bee0515a85c8da4df793756a31b6e12f6ff39a16d514a41b538959fc600700f9967c81114411010400d7922496f91744bbd527e

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
340KB

MD5
df111ec2773b7ddbf482706260d1a8c6

SHA1
c0cf9f6947dec76333d6502cdae495899b5eaed7

SHA256
28628073b7d0c5c34ed7ba7cdaed4ebc40ba282bb65f746d12413f6519ec00f7

SHA512
29018f86b0c765c143ee149d6e04f58bbdd36fa3b15d858669cf405ff1479fb2713d05bc1236965e25f73dc85ab8a65dff4563222fce652256e0b95bec4b0131

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
340KB

MD5
7d676916745ed83260db1aa5f88e8410

SHA1
62673a9dca6e0d61e37a80836ae012586780f5fb

SHA256
6152c5d39cc923cbd23a9d1444bd2a0af7ddd3444af829b89f0192ca0cba5571

SHA512
6b8e17b921455d0b36b38e3ecf473924dc32c5ac3f7fc15772df36f13fef0b53a0c5f7b09f99b5f2515e63c5cad5723b2bd635f4778d3b6a3f4759c74ebcb478

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
60KB

MD5
927e0bc6799b1c7a931b5ffa3d4b19af

SHA1
97e056569495be2d35650465eaa53313429f1bc0

SHA256
52029d4c2778893c4fb650290249eaab5cbbb315d10519525c9308786643b026

SHA512
3c294106d01d5677fb7639b899a46685338017ac48034257a2da9f2b046a9c89ef6077f5a644b6de7576b6909e9050ff99610d6bf9f6cc41df4f850feaf08e8b

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
22KB

MD5
f34b6d73dccd4865db9f44faf45d35b6

SHA1
80903e3e276926f888b61a7f5a9fadb9a981f938

SHA256
9644ac82f741a707a2dfc730eb333c633da7ff6880291ba03d77669f41fba27b

SHA512
57590607de0853be954207de5c737750f46a4e3335c89411d3b28e3946f34bfee9bd9e7cda324a0c0871006debcb02ecdd98ee7b118df121536069a6c308a38a

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
1KB

MD5
a2fb342de293b62437775d760ba0473d

SHA1
f7f8a1413766e8c5c73e6cb865d10a2e56e011f5

SHA256
0fab5c88ec928bcfdde9e94c9133315e42f5e18da0568f1f7f3767cee8ced0d0

SHA512
7c93fba1617d795836e4e0e690b0d899eddb40db46c690a56f41e9350d865c544e89300327b292986bd8e15bb70d616cd1d8a1245b385d28ac49a52494947438

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
340KB

MD5
1a4ef74ef97f6cc37cd09d5d10244806

SHA1
eeb373e6227db62537df95b3c3937a7d841e6ee1

SHA256
f8743d91a7fe453f44a1bd2603559d5e808edf7606214052ce28d966e85254d6

SHA512
bd43450f9031220a2c1508b9cf138d256a3b979cb35516cf3b22633f1760a57a014faa555448a4a9c98d13318c72a9b16adc52b2c4b219b44686b14dca679fdc

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
340KB

MD5
c0a56f02b844a642e0a52e051df1f1b6

SHA1
cafefe308031df990b3c9a70f45f990e9c3c69da

SHA256
3e1085bccf48ed4659a53ab9415275f960e41ac606ce0994e45bbf11914edc7d

SHA512
ef319d338b35df45af38533534f8117338cb08213d103e6162e363c6fb46fffd3f37da57a0bafefe16cc87f0b6e64f75e65b60efd984363cada9e71b11f968e8

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
340KB

MD5
a4034da4c426e999541d7caf4736bd96

SHA1
08855530befb77ec52ad3af032f9f752a93c6e0f

SHA256
7c6137ed4dd9b743e300c89923c23ed6f04238b4a1809fa931b41abbb8ac8da9

SHA512
ab99e5717e27183733b9ae9845acfba59147003b7c3fd8d36ad10e69cc2ea525e35b57a09f1531731ddaab9af6fb08dec75a387311ca38323d3a2b4d5a4d8915

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
340KB

MD5
3037a6a58d8c6d34d7c62f2cba7261f1

SHA1
f69407d08fe9dbd9f5d16e5a806c906ec01ac1a5

SHA256
3286ca825152fa2b8b8947df1a11cf7b2a35c4b8ed6d4cb6225b5d2d8f02abc2

SHA512
525a5bf983ca4f5546651d2a4843cd06acf92e194a00b670a6db6700b77422a99d0f2b0377a76a652b9922b8d94c1cbac0adc6ceaa0c7b5e49dd7c9f1ec7dad1

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
340KB

MD5
e1e056e2b40e25ba88fbd614ebb2a855

SHA1
d818fce6974fa7c955619e6a2fe769e0fbb94a83

SHA256
b1240dc71b5c4a5a160bb6b28b983b6db036ade5056509c338773217f68a5c89

SHA512
e66cd389367fee65019a28624aa3b7d339a4a3957f765d1a685e1da3cd6908c24d96058192046795b21f691282c0aa97d4212a61cdd7248cdb0e48f6697a4b32

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
340KB

MD5
53cefd310497982b342e62f276bae922

SHA1
f00920d8a40ed79bb390b82f85a9127dd41564ef

SHA256
8d2d3c624132474775e4f9592cde1eb1ab3adaa53feea52bf9f53deaf85e8736

SHA512
745dee599b6320ddca962cae4734234067b5b9f804b7e673d95c95b142fa6ecbd1cf8c79a2456b98b46b75a69e0ff871129a13f28211f131daca1e386fa57b23

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
314KB

MD5
4f58f7c9e264562ad1de12095de8c29c

SHA1
3921b2a55aff8b2feb635dd904c31230b369664b

SHA256
22e25da601a55a9edf28d2b400f1da8d382bab623a120a694e4c257144918984

SHA512
53462614a1d30047a521fade72e6c7564db2a640889c5b8dd201e522a2369dcb20ff423c8dfa2ded91e5bbd79ec426e415539c06e0c09669675c2e37cc36f88f

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
340KB

MD5
91f6f5826b46099fcf8354fc42538412

SHA1
48bb7a446941b6c8dbc5591493ad0a90e431c82b

SHA256
d0665861506776f38638fa635436f563069779f5dcd34ba64c3db7ed921ed428

SHA512
a192009f93c0b4863db54f214a278ed350791742716f000a084e97d800df3d5f72f5a8d1d46de8a8ca5d651f9f6b0197f075a4fadcbd8714cb510332c271036a

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
278KB

MD5
6cd7380eae67104f109b90916f01f060

SHA1
a9cadd516e881ba57a5dfbb424aeb6804ce87e7c

SHA256
336dafe347fd460525c0591f7b0e812147eeca8d598baa167699ca867332ea61

SHA512
3900c9ad7505a1d52c3783398c1c7ad6279af710e6ceb60d768851f531193f62fb4ae65fc9385d769ac264c0dfef8bbf0c789cdb140ff61dd013ec97b40996d0

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
340KB

MD5
0c222b13ecae4660aba1b7608e725f36

SHA1
88fcb8af3372998304dfd6134c74fa14ec35430a

SHA256
c23093ccdfd8b048efea8b70f4ede47d05fb8a8105559233b00cc7656a2c3722

SHA512
47163a810f3dfa2e9092dcc801e766f3ffab65088467e9c398fd549630e5f714fd7c314502b873180c9019c3524c837e68833ca5c9e617fc696adc3f1162021d

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
340KB

MD5
93af0855f4085548a64ca5a892160eea

SHA1
789802a1bd2935416c306cdf3e039d67b134b5d4

SHA256
a944ae338fca71acc35c6ccac6bff32a4eea5c02134d0a665f3f2a15ad59cf7e

SHA512
5318e6155a0093d6ef8fef3b497cee4cb9ecfcd12e8afb21669a03c6a82f7992d07a3ed390c371bb657110e4314e33fc6b4ed84fb1f9c8122f0fd4de91e1fe62

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
340KB

MD5
9ea75b2197f23b7f1e1fd7a12482618b

SHA1
3b9e1eaff495c8d25bd76292664781ad0e0630f9

SHA256
668ba1a02e131d16583251040b7fb4d83d08375deabe5e9dc98bc529b301b41a

SHA512
99c019be48c998ce1f20b45b81959069ba1590f7518b8f1d43add4fb657a107eac734712130208d6a1b5262b2dca730f6a40ddd1c515d475ee6e48f743e6a0d0

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
340KB

MD5
5be2abd81f27994eb69c39adff63ec2e

SHA1
f53c35f99112aada5f4a1c3ba162efac23eb1e92

SHA256
185af628481749f538c931ed96666213e544e5b9361d462f49f2e4d8efecfc23

SHA512
1cd3f6ea522e613ef82fa89a9dec5f5aa85baa899549b15a28964fbe1b7773000a636b7f104894b2970e40edd19215c43231d19415dc362480abb4c727f668f0

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
340KB

MD5
6f31cf94478e71c7502bf25d6c2f7e12

SHA1
ff4e9cba573ece36bdd8c28afdd9d2b028dd8144

SHA256
e8fc16fbaa13dfa80200e8bd71cb5d25252edab9c1284291862f372b5e37dd29

SHA512
bb2e89dc87a8f6f8aa17fda5f05e8d9d482a784625bd862736468f9f964b6eff52c23d2e0d651da82d44e6f3865a2cf473f2fda97310f9b9e9831a03437239d4

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
340KB

MD5
5e7a8c355eb601c8ad913b1d3b2e79b3

SHA1
7a3be64846ee8011855a39d7a3ed3ee013ef8f04

SHA256
482040bfdb20ce0d50867236789a13cf5c1c1f40ee0c27c731db91b7811c244a

SHA512
04e70d368b1af891b02745119a43029494bc06545970e22a9f8e351d92eb98c26a81f5ac7fa93db6939f660d3537c0343ae56338e78f31fc384322bb8c3e71a7

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
153KB

MD5
24841c7df884a33076748233cc36d5bb

SHA1
5a89b4bef0631eb0c1f01814eb9fe14c7fdd7ad7

SHA256
692bbc444caf5e6cd796ee1f8dff8e5f90e17020c1d76fe350e89d0135459408

SHA512
725e6121bfc2312b8f12b9e42b8458aa5c5341d6f93947bb11966b3bdfc6e42a2db79f3cf5a04bbf1eecd144317a0137ff659577e74496f7d82ed486aa20c867

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
340KB

MD5
b58b9bd759c72c8494416ab71fbcb8c0

SHA1
aa84daafb6f0328669b17d5c8b4d091e96650d91

SHA256
b6175b1be27d6f962f58c52d6fedf771c4b25edb957097b74c60e20479a41117

SHA512
25b159a8649cd2c621155f578d789c39889dbf596ec05bdde7dd278109fd0920267470958d8571f7f95af2399981db5a09bc50300d226a11a758f465cb201c83

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
340KB

MD5
b2cdc5ab12ea8ef8b05c7bec34ebf233

SHA1
c68110c2f761cc140bd8bdba360dac2ff4241174

SHA256
6774b0a33292e5e28ade8e683eb159574e5e94ecd95115a97ed2373a20024659

SHA512
8cb672d72339c40bedfc3f69d16b9d3041ff7e2b189220b377ebf575477e9d9f596b600394c649ee5bb31a66b0214ce3590f6e3dd0f3d3ed4d781c020ca6a72d

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
306KB

MD5
594212900ce7922e56b53ca3e87ca5aa

SHA1
b07aab020ab723d53094f211e6019fe7248d7bd1

SHA256
6e99d5f23c96a55eab7305e49c51510f147394f4e1d61fd99a139dac516a6a38

SHA512
6ab95bdb9a8378b9b53945f5d8f451d8a9d0d6d461439cdeeadc5983076e7c9e307a9daf2b3b470173a2f76a94e2b14d37163366e28793da04116f3b4f8d846e

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
340KB

MD5
665b8dd963fe2f9171ed2a3c2dabb07e

SHA1
78e617389c230144b9ac7cfc23543e134d3a11c3

SHA256
c0f579631701d402901dff0ccb2570991045a2353d0428b117f9034787b0beb8

SHA512
441c31d8fced24790fc89cd1a141c13965ddcc35f4dd9f7600aecfa2167304e94c51bcb66023479ebbbbb7c0c745095f0a80fb4c1aee7f0d1b5bd5b8c4f7236f

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
340KB

MD5
5b9d970c3bc8b985c5cc5342b5eb9999

SHA1
13e7550d094024e9b4fc3ddee76f9b9d1e6ab4b4

SHA256
f4cfc657496843da389be8b7a2ed8b8a7b51757c64f1c1263273b1d323dbda2b

SHA512
ca3cd219fad09c1b39957aa32f0eeee31affdabe7089978b0703e29334fee3f3ade83d138196a3a3f8a1c2a0c3195ffb60aa0972db185f92c8b34f0bdec779ab

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
340KB

MD5
1f1eb11a5d21a324bcf1d3e9592768bc

SHA1
6a82bd15f424045fb25c77d015aaa9ee8f8ebf1e

SHA256
b84ded277d03ff3c414c117d3bca8acd87f82f243080e0c36d763af5f067afe4

SHA512
393a6df56e01a7db2edc2286cefecb0d4a4d7876bfe37609212b6e28612f5b87ff0e1788105b66512e36ad589a3305bcc2d11bdcd2f53a5c822de24dbf61e494

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
340KB

MD5
cb0e53ee6a9a4b7b67306f11367bdbff

SHA1
4b8ed43037ace58402ca80ca218b88490d36b88f

SHA256
7aee3c4b7184cbbcb70d9d0adb840143ece7b86a82fa63c31f8f6a33a1c13e7e

SHA512
041e8304e8f10f522a4e6bc85c76a9a67a6ffe76f89f270bec839d4759a095fafa51d60810ded269cb181d5e43142092bdeaaf6ab3db34d8b2fe0f7a4e240fb6

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
173KB

MD5
22bbc8d0f5e32912bee3928b5d9a02b1

SHA1
5e21e7cfe6a464ea8b0df3a3a997afab908b9196

SHA256
db8129a006bd305c426af6644502a07ac879666f2a839edf725c7336de002b52

SHA512
d20f22c3ffd7cf9a08503a9e69da5d4744b58530eada6b83b5c276d5f45e9c77e3a42b47511c3493f2d66613e8e6843d63aa58e50c1678dddbce17818cde3656

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
340KB

MD5
14cc10bd4b3b2a81f35c7a2a0c8afe9f

SHA1
0b5da0f9ce94b55b9f35c65d50121e56c0f7d3ca

SHA256
9a94d816105dcfb41b67acea4dabcaa2c764357c585f34e72d49ca446352da5c

SHA512
db8426270a944494a0839e3025b300650201f067343c28d8f3d722aac86356ccdfa211c3b154c2518cd13e477d01c139487b1c5bbd483f5cd8e59b9c47a9e29e

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
340KB

MD5
a9a7cdbbd9fddc62bd6246d11f2971bd

SHA1
51e668a31d7dd164eafc7a841320de0162a0be3e

SHA256
1a3efced1e5b6f3afe74fc8b54a6fcd0074aa6847f2853d3348ad2e3935f18ad

SHA512
bd26df54c4189e2de772fc457fdab6e699d745370acedb49fe25d02c6466a5e000dcff5765c35bed21787a4dd99e9734f313adfdc941a5e0cccc59bb938723fb

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
340KB

MD5
65b78b7777bc595d0490eee3094e9955

SHA1
56212d9c95f3d0a176284855872514dc4964a3da

SHA256
72df07284b4d49993785de61c490eed5999adfb4ef5a3af1f49cf3f72f7cf6c9

SHA512
971e34917235ccebcd12fa4e5221ce5735d7742f4f6aa64321231f3175be45d20c63df7f726e135b718a71940fba32358b6ecbdc4328b353c6973ef3bed02a4b

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
340KB

MD5
f1dcc0d79471b77030c316101492929f

SHA1
ab3fb98c0c15288898f6ecb6dda14db69d3abc64

SHA256
9cece1e5d1456ba60d265dc7520db75c1869ef49188dc03cd2756b5c1c42dd08

SHA512
8d306926639be2313b82623f078f45dc36c803192d540e3c0d9d0662e55db5eed6003e049c2efcc36f0b9b2623c34b53ffc8c674adf54d927c8ad96f0b73ba3f

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
340KB

MD5
796d0bd851f4f06d9718b0a295154545

SHA1
0fe78db2e57e5b24573434f14fa7a45bb3f83474

SHA256
ca5dd3ec506bac901ce03fdc32fee1183b9600a5471ebc5969bdcded30a80504

SHA512
81308dfd6b440240ec2e218073549dd4ec3ca3498117d3eaeb3edf7f00d97cb9d49dcf3b2d71aec835199c08c31c89b299c199374c74c04783971c53fc2f5f4f

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
340KB

MD5
a58d0c1a6bb3a5fe0bdb4a96a0cb420a

SHA1
d92a9351257d631d7ebdad9ae704c625c1cd0e09

SHA256
27fae4aaa4bf506626cb006724ad506482e17cf61351af5e341cc3de5709ff42

SHA512
29671166c370797fa0a579e355ba3f9dcaa61113270fde5d7d5f050b48895b941474c58cafae40d7a447850838e9d5fcd5f0ee439d95c1b3a6c47a574dd5bfe3

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
340KB

MD5
60845583c32dcb597219c8dd6a44a551

SHA1
92ef6ab97a0a96d55aecc0532a54a5cfad5eefc7

SHA256
305440a1f45c9c90f59ad83a21f062b8494cc432c8cbff0d6a096daa099e84af

SHA512
a7124ec440e46e05b26925aecde038e45e3d9750af4576af3287d36699c842de0fee7ed3f28dfd843475ffb7f5b42cb0727222b76f71040eb7c60b0f10ce7454

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
340KB

MD5
44456f2f5a5d86b6cbd07d29fb6ace8f

SHA1
a8bf798cf30e456eb96b4f1ebad769a842b30880

SHA256
aa8996183aa85fe1483abba62f57e571b1e17b4dd59fa35bcd4925940e4b681a

SHA512
a7b2e3dbe177c874e1432711d9d38d5d465522e16f5bd6abb5e7f04411918336e4225de2d5f4da1d74abc45f4cc38af1c1878419af7825caebffc3af4d8c285f

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
340KB

MD5
c6f36b24647569934809acdb78f868ea

SHA1
2804f438476a99c189c18d1e89fb1fff438679e1

SHA256
b865115f4046672f72b83150e2ef60f62811498d2ffec214a52ebf90470306e2

SHA512
caa5e1f930f8c2e4f264fc86df20eb8db48537e0720e71dd63bbd7e3bcc7e9402214c09fd38aac13890e50741884009030bba7eeaff046b17037e6d5f7ec57ec

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
340KB

MD5
e6b32fbd71f34964bf43ecf28ffc4954

SHA1
22f8b8a8880099c07a0c5922b49bf49f629ba9e3

SHA256
e453b443a01b88e1bca367fed5aaf23f86fbea22323a60765046bdc782bb055f

SHA512
05c3cce1544734525de415e536c00a3f2a5414b30a117ff0c2a5aee3dbf105a9671a439361d96158073cb7f1b60366f077c98c0afbf3031434540b127cd9defe

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
340KB

MD5
c23011845ddca80b47b0bbd6d4c6bb64

SHA1
e7f4aa4dd1b2c67403a885f56f4b642693cc8a71

SHA256
563cd56f2cde6101582ff6d8138178195ac31bed3c4055b7f529cb9e1fd5595d

SHA512
9d4ba7b53df518d5a5cce10b2f3cf41dba98a4762e9646217af497ccace1e67d87db768e36df12e9e44ee9ba9907802e0e4904dcf73a03609f9a755f2ce1665a

Download Submit
memory/8-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/388-372-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/404-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/860-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/872-273-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/896-420-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1184-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1456-342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1468-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1468-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1892-311-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2032-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2088-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-155-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2424-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2472-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2492-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2632-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-366-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2680-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2824-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2828-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3016-217-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3084-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3104-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3128-169-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3216-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3304-297-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-77-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3512-305-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3536-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3584-201-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3676-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3736-257-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3968-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4000-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4084-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4200-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4228-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4248-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4304-414-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4312-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4320-129-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4340-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4428-401-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4448-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4464-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4572-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4584-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4592-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4716-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4724-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-145-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4812-360-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4892-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4972-390-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4984-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4996-432-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5012-408-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5064-378-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5080-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5092-336-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads