6b7e004fa41ea108f018329b70286610645e1491e8ae19976dd6931163d02227

Analysis

max time kernel
37s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b7e004fa41ea108f018329b70286610645e1491e8ae19976dd6931163d02227.exe
Size

75KB
MD5

0176b2b9343c924fbe8ae06f28456892
SHA1

01668e6cad0ebbc522ccb829db0e5c2a2e77609b
SHA256

6b7e004fa41ea108f018329b70286610645e1491e8ae19976dd6931163d02227
SHA512

7f2c2996c3d7e0fc8f52d2426de3c4e4bb839a02469bc924030e4e5be34722b26f85474b23f0005aaf5b79db4943a1339e177047932b71df8cf5d47d07193960
SSDEEP

1536:n3taHvysZgurjWk/OguBhK5rAJ81cgCe8uvQGYQzlV:dAvsuuituXPJ8ugCe8uvQa

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchppmij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakikoom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chlflabp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eecphp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogopi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Illfdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onmfimga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqppci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggfglb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdlfjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckpamabg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgifbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfgipd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlhgaqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfipef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcoaglhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbanbmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dakikoom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdlfjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfjkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glkmmefl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jepjhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhplpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abhqefpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geoapenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6b7e004fa41ea108f018329b70286610645e1491e8ae19976dd6931163d02227.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbanbmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noppeaed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfeaopqo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkhgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihbponja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihdldn32.exe

Executes dropped EXE 64 IoCs

pid	Process
4664	Mmkkmc32.exe
1232	Mchppmij.exe
888	Mcjmel32.exe
1060	Mmbanbmg.exe
3576	Nmenca32.exe
4496	Njinmf32.exe
4216	Aefjii32.exe
900	Blgifbil.exe
2532	Bnkbcj32.exe
1960	Bomkcm32.exe
2988	Cfipef32.exe
2544	Cndeii32.exe
4800	Chlflabp.exe
264	Cbdjeg32.exe
4440	Cdecgbfa.exe
4904	Dbicpfdk.exe
548	Dfglfdkb.exe
3644	Dbnmke32.exe
568	Ddnfmqng.exe
3824	Emhkdmlg.exe
4172	Eecphp32.exe
4976	Eeelnp32.exe
3548	Efgemb32.exe
1864	Ekdnei32.exe
556	Fealin32.exe
2948	Fbelcblk.exe
3948	Fnlmhc32.exe
4392	Gfeaopqo.exe
4176	Gldglf32.exe
3272	Gfjkjo32.exe
3356	Gnepna32.exe
2556	Gbchdp32.exe
2680	Glkmmefl.exe
2788	Hmkigh32.exe
2284	Hfcnpn32.exe
1264	Hffken32.exe
2724	Hekgfj32.exe
2524	Hoclopne.exe
2784	Hlglidlo.exe
3996	Imgicgca.exe
2208	Illfdc32.exe
4272	Ibfnqmpf.exe
5148	Iomoenej.exe
5196	Ipoheakj.exe
5236	Jiglnf32.exe
5276	Jcoaglhk.exe
5316	Jepjhg32.exe
5356	Johnamkm.exe
5396	Jniood32.exe
5428	Jedccfqg.exe
5480	Kgflcifg.exe
5536	Kflide32.exe
5580	Kngkqbgl.exe
5624	Lnldla32.exe
5664	Lfgipd32.exe
5708	Lggejg32.exe
5752	Mcpcdg32.exe
5792	Mqdcnl32.exe
5844	Mjlhgaqp.exe
5884	Mjodla32.exe
5924	Mfeeabda.exe
5964	Mfhbga32.exe
6004	Nggnadib.exe
6052	Ncnofeof.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pdmdnadc.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Boenhgdd.exe	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Cgnomg32.exe
File opened for modification	C:\Windows\SysWOW64\Eqlfhjig.exe	Eojiqb32.exe
File created	C:\Windows\SysWOW64\Cfipef32.exe	Bomkcm32.exe
File opened for modification	C:\Windows\SysWOW64\Hmkigh32.exe	Glkmmefl.exe
File opened for modification	C:\Windows\SysWOW64\Iomoenej.exe	Ibfnqmpf.exe
File opened for modification	C:\Windows\SysWOW64\Ogekbb32.exe	Onmfimga.exe
File opened for modification	C:\Windows\SysWOW64\Njedbjej.exe	Noppeaed.exe
File opened for modification	C:\Windows\SysWOW64\Cmbgdl32.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Glkmmefl.exe	Gbchdp32.exe
File created	C:\Windows\SysWOW64\Jihiic32.dll	Mfhbga32.exe
File created	C:\Windows\SysWOW64\Dbmdml32.dll	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Gpolbo32.exe	Gbkkik32.exe
File created	C:\Windows\SysWOW64\Labnlj32.dll	Bbhildae.exe
File created	C:\Windows\SysWOW64\Dfglfdkb.exe	Dbicpfdk.exe
File created	C:\Windows\SysWOW64\Llnnmhfe.exe	Laiipofp.exe
File created	C:\Windows\SysWOW64\Maenpfhk.dll	Oqhoeb32.exe
File created	C:\Windows\SysWOW64\Bdlfjh32.exe	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Mfbaalbi.exe	Mljmhflh.exe
File opened for modification	C:\Windows\SysWOW64\Bpcgpihi.exe	Bdlfjh32.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Bmggingc.exe
File created	C:\Windows\SysWOW64\Dafmjm32.dll	Illfdc32.exe
File created	C:\Windows\SysWOW64\Qodeajbg.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Fbgdmb32.dll	Dakikoom.exe
File created	C:\Windows\SysWOW64\Hlglnp32.dll	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	Chfegk32.exe
File created	C:\Windows\SysWOW64\Ihbponja.exe	Ilkoim32.exe
File opened for modification	C:\Windows\SysWOW64\Mapppn32.exe	Llcghg32.exe
File created	C:\Windows\SysWOW64\Kajefoog.dll	Pimfpc32.exe
File created	C:\Windows\SysWOW64\Bgfeip32.dll	Cbdjeg32.exe
File created	C:\Windows\SysWOW64\Lnldla32.exe	Kngkqbgl.exe
File opened for modification	C:\Windows\SysWOW64\Amcehdod.exe	Aaldccip.exe
File opened for modification	C:\Windows\SysWOW64\Ddnfmqng.exe	Dbnmke32.exe
File created	C:\Windows\SysWOW64\Fealin32.exe	Ekdnei32.exe
File opened for modification	C:\Windows\SysWOW64\Aaldccip.exe	Adhdjpjf.exe
File opened for modification	C:\Windows\SysWOW64\Pimfpc32.exe	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Lggejg32.exe	Lfgipd32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmjdm32.exe	Paeelgnj.exe
File opened for modification	C:\Windows\SysWOW64\Ihdldn32.exe	Ihbponja.exe
File opened for modification	C:\Windows\SysWOW64\Cgfbbb32.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Ehcplf32.dll	Dbicpfdk.exe
File created	C:\Windows\SysWOW64\Jepjhg32.exe	Jcoaglhk.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Phajna32.exe
File created	C:\Windows\SysWOW64\Bcominjm.dll	Bdcmkgmm.exe
File opened for modification	C:\Windows\SysWOW64\Pcbkml32.exe	Pimfpc32.exe
File created	C:\Windows\SysWOW64\Apggckbf.exe	Aabkbono.exe
File created	C:\Windows\SysWOW64\Chkolm32.dll	Mmkkmc32.exe
File opened for modification	C:\Windows\SysWOW64\Fealin32.exe	Ekdnei32.exe
File opened for modification	C:\Windows\SysWOW64\Jedccfqg.exe	Jniood32.exe
File created	C:\Windows\SysWOW64\Bajqda32.exe	Bahdob32.exe
File opened for modification	C:\Windows\SysWOW64\Imgicgca.exe	Hlglidlo.exe
File created	C:\Windows\SysWOW64\Qgjamboa.dll	Imgicgca.exe
File created	C:\Windows\SysWOW64\Mkfefigf.dll	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Jadgnb32.exe	Joekag32.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Bajqda32.exe
File created	C:\Windows\SysWOW64\Jpecpo32.dll	Keifdpif.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Jaonbc32.exe	Jlbejloe.exe
File created	C:\Windows\SysWOW64\Cgiohbfi.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Eecphp32.exe	Emhkdmlg.exe
File created	C:\Windows\SysWOW64\Kgflcifg.exe	Jedccfqg.exe
File created	C:\Windows\SysWOW64\Ipbaol32.exe	Hnbeeiji.exe
File opened for modification	C:\Windows\SysWOW64\Lebijnak.exe	Lpepbgbd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7604	8060	WerFault.exe	307

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekajec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmcfjdp.dll"	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajefoog.dll"	Pimfpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofegni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njinmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknkchkd.dll"	Gfjkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogmlp32.dll"	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kflide32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onmfimga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimngjie.dll"	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfipef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmkigh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eojiqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimhbfpl.dll"	Ekdnei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jahqiaeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfgko32.dll"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll"	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chlflabp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labnlj32.dll"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipoheakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdbkbbn.dll"	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkbcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekdnei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglkdbfn.dll"	Fbelcblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbchdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcnla32.dll"	Hoclopne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifncdb32.dll"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmenca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbnmke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgjamboa.dll"	Imgicgca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcnpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Locfbi32.dll"	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlglidlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lggejg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfenigce.dll"	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqcejcha.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 4664	2448	6b7e004fa41ea108f018329b70286610645e1491e8ae19976dd6931163d02227.exe	95
PID 2448 wrote to memory of 4664	2448	6b7e004fa41ea108f018329b70286610645e1491e8ae19976dd6931163d02227.exe	95
PID 2448 wrote to memory of 4664	2448	6b7e004fa41ea108f018329b70286610645e1491e8ae19976dd6931163d02227.exe	95
PID 4664 wrote to memory of 1232	4664	Mmkkmc32.exe	96
PID 4664 wrote to memory of 1232	4664	Mmkkmc32.exe	96
PID 4664 wrote to memory of 1232	4664	Mmkkmc32.exe	96
PID 1232 wrote to memory of 888	1232	Mchppmij.exe	97
PID 1232 wrote to memory of 888	1232	Mchppmij.exe	97
PID 1232 wrote to memory of 888	1232	Mchppmij.exe	97
PID 888 wrote to memory of 1060	888	Mcjmel32.exe	99
PID 888 wrote to memory of 1060	888	Mcjmel32.exe	99
PID 888 wrote to memory of 1060	888	Mcjmel32.exe	99
PID 1060 wrote to memory of 3576	1060	Mmbanbmg.exe	100
PID 1060 wrote to memory of 3576	1060	Mmbanbmg.exe	100
PID 1060 wrote to memory of 3576	1060	Mmbanbmg.exe	100
PID 3576 wrote to memory of 4496	3576	Nmenca32.exe	101
PID 3576 wrote to memory of 4496	3576	Nmenca32.exe	101
PID 3576 wrote to memory of 4496	3576	Nmenca32.exe	101
PID 4496 wrote to memory of 4216	4496	Njinmf32.exe	102
PID 4496 wrote to memory of 4216	4496	Njinmf32.exe	102
PID 4496 wrote to memory of 4216	4496	Njinmf32.exe	102
PID 4216 wrote to memory of 900	4216	Aefjii32.exe	103
PID 4216 wrote to memory of 900	4216	Aefjii32.exe	103
PID 4216 wrote to memory of 900	4216	Aefjii32.exe	103
PID 900 wrote to memory of 2532	900	Blgifbil.exe	104
PID 900 wrote to memory of 2532	900	Blgifbil.exe	104
PID 900 wrote to memory of 2532	900	Blgifbil.exe	104
PID 2532 wrote to memory of 1960	2532	Bnkbcj32.exe	105
PID 2532 wrote to memory of 1960	2532	Bnkbcj32.exe	105
PID 2532 wrote to memory of 1960	2532	Bnkbcj32.exe	105
PID 1960 wrote to memory of 2988	1960	Bomkcm32.exe	107
PID 1960 wrote to memory of 2988	1960	Bomkcm32.exe	107
PID 1960 wrote to memory of 2988	1960	Bomkcm32.exe	107
PID 2988 wrote to memory of 2544	2988	Cfipef32.exe	108
PID 2988 wrote to memory of 2544	2988	Cfipef32.exe	108
PID 2988 wrote to memory of 2544	2988	Cfipef32.exe	108
PID 2544 wrote to memory of 4800	2544	Cndeii32.exe	109
PID 2544 wrote to memory of 4800	2544	Cndeii32.exe	109
PID 2544 wrote to memory of 4800	2544	Cndeii32.exe	109
PID 4800 wrote to memory of 264	4800	Chlflabp.exe	110
PID 4800 wrote to memory of 264	4800	Chlflabp.exe	110
PID 4800 wrote to memory of 264	4800	Chlflabp.exe	110
PID 264 wrote to memory of 4440	264	Cbdjeg32.exe	111
PID 264 wrote to memory of 4440	264	Cbdjeg32.exe	111
PID 264 wrote to memory of 4440	264	Cbdjeg32.exe	111
PID 4440 wrote to memory of 4904	4440	Cdecgbfa.exe	112
PID 4440 wrote to memory of 4904	4440	Cdecgbfa.exe	112
PID 4440 wrote to memory of 4904	4440	Cdecgbfa.exe	112
PID 4904 wrote to memory of 548	4904	Dbicpfdk.exe	114
PID 4904 wrote to memory of 548	4904	Dbicpfdk.exe	114
PID 4904 wrote to memory of 548	4904	Dbicpfdk.exe	114
PID 548 wrote to memory of 3644	548	Dfglfdkb.exe	115
PID 548 wrote to memory of 3644	548	Dfglfdkb.exe	115
PID 548 wrote to memory of 3644	548	Dfglfdkb.exe	115
PID 3644 wrote to memory of 568	3644	Dbnmke32.exe	116
PID 3644 wrote to memory of 568	3644	Dbnmke32.exe	116
PID 3644 wrote to memory of 568	3644	Dbnmke32.exe	116
PID 568 wrote to memory of 3824	568	Ddnfmqng.exe	117
PID 568 wrote to memory of 3824	568	Ddnfmqng.exe	117
PID 568 wrote to memory of 3824	568	Ddnfmqng.exe	117
PID 3824 wrote to memory of 4172	3824	Emhkdmlg.exe	118
PID 3824 wrote to memory of 4172	3824	Emhkdmlg.exe	118
PID 3824 wrote to memory of 4172	3824	Emhkdmlg.exe	118
PID 4172 wrote to memory of 4976	4172	Eecphp32.exe	119

C:\Users\Admin\AppData\Local\Temp\6b7e004fa41ea108f018329b70286610645e1491e8ae19976dd6931163d02227.exe
"C:\Users\Admin\AppData\Local\Temp\6b7e004fa41ea108f018329b70286610645e1491e8ae19976dd6931163d02227.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\Mmkkmc32.exe
  C:\Windows\system32\Mmkkmc32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\SysWOW64\Mchppmij.exe
    C:\Windows\system32\Mchppmij.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\SysWOW64\Mcjmel32.exe
      C:\Windows\system32\Mcjmel32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Njinmf32.exe
        
        C:\Windows\system32\Njinmf32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        23⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        26⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        28⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        30⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        32⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        37⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        44⤵
        Executes dropped EXE
        
        PID:5148
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        46⤵
        Executes dropped EXE
        
        PID:5236
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5316
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5356
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        55⤵
        Executes dropped EXE
        
        PID:5624
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        58⤵
        Executes dropped EXE
        
        PID:5752
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        59⤵
        Executes dropped EXE
        
        PID:5792
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5884
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        64⤵
        Executes dropped EXE
        
        PID:6004
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6052
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        67⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        68⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        69⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        70⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        74⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        77⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        79⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        80⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        81⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        82⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        83⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        84⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        85⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        87⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        91⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        92⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        97⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        98⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        100⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        101⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        102⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        104⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        105⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6288
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        107⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        108⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6456
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        110⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        111⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        112⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        113⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        114⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        115⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        116⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        117⤵
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        118⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        119⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7016
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7160
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        124⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        125⤵
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        126⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        127⤵
        Drops file in System32 directory
        
        PID:6256
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        128⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        129⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        130⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        131⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6688
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        133⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        134⤵
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        135⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        136⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        137⤵
        Drops file in System32 directory
        
        PID:7100
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        139⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        140⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        141⤵
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        142⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        143⤵
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        144⤵
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        145⤵
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        146⤵
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        148⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        150⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        151⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        152⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        153⤵
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        154⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        155⤵
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        156⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6704
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7088
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        159⤵
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        160⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        161⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7264
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        163⤵
        Modifies registry class
        
        PID:7304
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        164⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7388
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        166⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        167⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7536
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        169⤵
        Drops file in System32 directory
        
        PID:7572
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        170⤵
        Modifies registry class
        
        PID:7620
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        171⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7704
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7740
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        174⤵
        Drops file in System32 directory
        
        PID:7784
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7828
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        176⤵
        Modifies registry class
        
        PID:7868
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7908
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7948
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        179⤵
        Modifies registry class
        
        PID:7988
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        180⤵
        Modifies registry class
        
        PID:8032
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        181⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8128
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        183⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        184⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7288
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        186⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        187⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        188⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        189⤵
        Drops file in System32 directory
        
        PID:7560
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7748
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7792
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        192⤵
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        193⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        194⤵
        Drops file in System32 directory
        
        PID:8012
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        195⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8084
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7184
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7244
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        198⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7424
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        199⤵
        Drops file in System32 directory
        
        PID:7496
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        200⤵
        Modifies registry class
        
        PID:7672
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        201⤵
        Modifies registry class
        
        PID:7780
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7940
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        203⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8060 -s 400
        204⤵
        Program crash
        
        PID:7604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8060 -ip 8060
1⤵
PID:8092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aefjii32.exe

Filesize
75KB

MD5
b8ac05da0b1f2539ebd1d0c0b412413d

SHA1
c48a6500d6da59686eea0eb7ab87639ad99a5f3e

SHA256
7f607f8f3c339cf85b26e8f800e07c52f24f5a0b3975aad430bf2578dd1b7af5

SHA512
ea5299f96063608a0421bd772fe1f05bc5647b647200a1a2a6fbccf9f13275a5e13c813f855a509bb55654a176b8689a075cdab185d1962b3d8f14535d6fa6d9

Download Submit
C:\Windows\SysWOW64\Blgifbil.exe

Filesize
75KB

MD5
da452b7041b1948a1d62c5fb15ee0c56

SHA1
bf9c281439fb7d8870885e53d708672a14262a1a

SHA256
1beefbb719e6d02bbdf17f885185dd300457ab14b115ed1cffc4a989d60dba2d

SHA512
e7247494c3c9d9c59beb2c79ccb29b4e5a6805b5e73c2a780d9b1ae78b5b7bbc4beddd75ead99e94617bc5a73b87279669db2eda6df35a09e1ff0cb3979a3a56

Download Submit
C:\Windows\SysWOW64\Bmjkic32.exe

Filesize
75KB

MD5
616bf2502b1acf63bae8a92aa3c8ba1a

SHA1
9b28d88f9ea49a6b2a08ce2d1f29dffc8235573a

SHA256
bc4fe1bc30fe274fa5f959186cb4ebfe15560cfa78d20d1883a06960f5636e85

SHA512
bcb61fadf480b01c5932d93eda259086f3c86b978f8e195f4ffeab3a644de5277dc175c4ed86268a705dbcc08b6bec956dcb5a8ecb1bdd432482f99f187d3937

Download Submit
C:\Windows\SysWOW64\Bnkbcj32.exe

Filesize
75KB

MD5
ec364361877abaae335f3d5664c4206d

SHA1
bcbce5167fe5d6f556d6f98d7172ea320240845b

SHA256
c2ac15a8e6a33a1dd2035eed513518689ce341f2bf15e882b85889563830547c

SHA512
ce923f9bc8a60d1e8d1a0ae55087d4b7292f10c4c6a1acc4b887c2d4ca1504bf7edce4601668320375ed695a881675ea6d5f8cf8581687e87172ef2f6a2c3aa9

Download Submit
C:\Windows\SysWOW64\Bomkcm32.exe

Filesize
75KB

MD5
7412530ec11e920b6938a20da92c83e3

SHA1
968c5579da388a697aa175b73dbe5f282d0213e8

SHA256
4f2bfd13c52bdd7cf624d4c01d3caf228c564f9793be155140e077a047f611a9

SHA512
2db248f94ecfc0b692539a712f00a2f90dc7d96d4db508fca271c960886ed0b0e63726967cca8b9c09b4457a6438f7b3d87c93507d90eb264d552461ee0d8c59

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
75KB

MD5
7bb1a984f3db5a6e3b83f389c8d52df8

SHA1
ccf43541077bed23f432307b40c7a957ac82a250

SHA256
2f373ec6a5e4551c0651b901e87a14d6c18d012c90de6b49a35fc96c8716c4c8

SHA512
a66136b8f67143f9d05dba208ca352d89c51f6e38409d60eb6a453a98f221ec7f4fafcd2ac1ce0a015d652f017b7f94eaaaf2aa5e05314485ff646a1bdb4aa1d

Download Submit
C:\Windows\SysWOW64\Cdecgbfa.exe

Filesize
75KB

MD5
6b7b0511991f5a803d79c402000fa6fe

SHA1
7c696395ed432510bb10ecd654478c5d6e9d3905

SHA256
b946c299aa146cba70627ee19c7bd7c774636e0ce2d7d2b48ec80b8155b15b68

SHA512
9e7d27c797a0510f2d2417ed1891cf6339916061e2687a6c2298123c89f6ba22ac07d296ef72e56e53e94ff5e3ec88f8d14ef004f20412cf48c1640e7a0dd525

Download Submit
C:\Windows\SysWOW64\Cfipef32.exe

Filesize
75KB

MD5
4ca3bef5241bbdfc95d3b98d96c0cae6

SHA1
a5d6120a2c95672fdbf0c7823732a73749552af1

SHA256
2a34edf5be6361ca460c0428d3df864dd8798e6ff5f7219e46855d4f87c7dcf3

SHA512
01f78fadd9e798a5a5817cbad77c7244a983b808b54a3b32a6adc92998f719a08be4e33e5b5fda46ee53b5955d2cb6b3052d9f3a0a7d3b95d2e467893a7dab7b

Download Submit
C:\Windows\SysWOW64\Chlflabp.exe

Filesize
75KB

MD5
510a2355edf6baeb320eba38a192804b

SHA1
69d058da0ac1afc9012dc84eb4f5442ec73aea7a

SHA256
bd7817fb6e1e4986e2ae63e59c01596dd2831e494cbd28f13248a5c7a1ba36ec

SHA512
7fcd41b1e03296f9a59a952496e63db245c8cf46163740267bbf26c6c7c58b417c196d2b7e7aa2d301dd1824a3c0a22298ce78b41bed7e740696d56e7b747b03

Download Submit
C:\Windows\SysWOW64\Cndeii32.exe

Filesize
75KB

MD5
d491bb2cf5444df9634913e042749560

SHA1
c3d1b7c5abfa738766c2cedf0e754e005e5eac5f

SHA256
b0e94ab7b07adfd4d9113ff2a93b2380e64f32cdc55fecd7a47fbb676a911448

SHA512
ae34347afd0227c6fe7cf2783b90615c2ef23e978a06e9f70346a7e422b495da46ece91f5c7718a225ff49b855e8337efcec7b4c14b7f1a8f4e7d9d64b2b9837

Download Submit
C:\Windows\SysWOW64\Dbicpfdk.exe

Filesize
75KB

MD5
7c6d83053f9c1deed5cd1dbe6e7e7eb6

SHA1
2794313f22083f3e33b95820016af64b8ec08f5a

SHA256
8269dffa75c7749b2f679240d2e6f2e73db26e23abbc63d85bb8ce02f107e5f2

SHA512
0189f1d7c35700d02afc790f2d16b39612b30f47f32c29fe13c9a9c164b64dec1c9eabffe1237e4508db08289f32eae8d657aeb9e3ed5eeeba2ffb1b5d2be876

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
75KB

MD5
24eaa7f105b519b151d2ecbe9f4ec968

SHA1
f3d2cbaa5487cc8eeffbdbb9ee379cb540a404b9

SHA256
185a03cd87c21864c28a89ceecb060d483cabf68332c14a4688e3649113c1934

SHA512
480df253d1f88ce0c8f9060b97514bed3a3dc832f8aecc2ef668281832ce67e51e90901d4e9f47ed911500d150d2ee9d495386035106c2ff7c1b15ddf5e89fc0

Download Submit
C:\Windows\SysWOW64\Ddnfmqng.exe

Filesize
75KB

MD5
dbf715ba4a5d04c5c2b6155ff9e2905c

SHA1
c73a24ae90c57acb113af7b9e99aa391b9c0d318

SHA256
b54aa65069955123364a160bf71593d1e746a9114fbc06f622e6d8f2e271fc29

SHA512
12c5c4a00e28d6d8d9dce09d7194e4886e0fbe38d4410fef0a1c52dc9bff19d20deccc51cb8a99d75b32e2f84653d8c902b40469d8df78dc67da0536c9a9eb59

Download Submit
C:\Windows\SysWOW64\Dfglfdkb.exe

Filesize
75KB

MD5
1dacb9031e074b5654fe6516add08d02

SHA1
c555e6f79bef58b8fa9ab04fb66f771fb0865029

SHA256
17c6005bac34308fafd1eefed085a93566737a6d01e4b605850135dbed60344b

SHA512
11fd467e0b01d1212592549262465654da4da44a8f092d1bdc601eaad414c86b250ec1c95f5197460cdd0b5c7af5f78ba2c483fe53445cdef46de01523372c36

Download Submit
C:\Windows\SysWOW64\Eecphp32.exe

Filesize
75KB

MD5
6ac355b960231788eebbff608912e05d

SHA1
f50dabafef52f65c50722d4db09ee78df70007d8

SHA256
c9f3afa8bb02c04fbc71111dec176a0f90c31df0ced6c59547128e15643cf289

SHA512
7591036eea20d8d11f9a77461eb92eb9eeebc0fdd6638f6d2ffc589b0385c244d619bd7c67740289278d6ca3d2025383eb06a2cbe81cad969bc879bfc14e62db

Download Submit
C:\Windows\SysWOW64\Eeelnp32.exe

Filesize
75KB

MD5
2e3cb6548badaed93a5f23b877b3ca41

SHA1
625f0186dc232869df46babb2a5a13f459628384

SHA256
4ddb79fa1106e224155bcdb7a3f70454398a97675d4aef86802e11123676fc1c

SHA512
6b3a59d4f87670d00691e7e9f5c6d335a2333f388846318e8a4889c431e03507eba012b5ed7b8cee5eaab6d0f65e9a38be4a82d8dee1ad0ab91e8855dab7c078

Download Submit
C:\Windows\SysWOW64\Efgemb32.exe

Filesize
75KB

MD5
4474a33cf78a18f2dd0d88e6c9693d43

SHA1
7f25499cd505f9908d45232390e5346fdf04b0c0

SHA256
19b59c7f49e46868444f5b3e6874b38b2e4fa9ad24a24d454fa003a3aaefec67

SHA512
8c87e267f7a7d70227fde18b1ec588147612377ca8ff5af39932bb9c4ebd1d6374dc885c4f1fe1d361650a4fcbbfe2716a18406b8435b8f5be710af12f2656fd

Download Submit
C:\Windows\SysWOW64\Ekdnei32.exe

Filesize
75KB

MD5
22fcc57430ce45d329a9bf75d30ef8ca

SHA1
854a931d27155881ace06a37be479ed88a8039ca

SHA256
8caf7ebd4b2116469e13c38b9e1e5a56059904c564f8d01679fa303736f9bccb

SHA512
efd080687088fe4d7db980bb79be4f4d3c88b913af525897b633f0a74d16f87a58a63687f53761fc31379d95fc4472f08bb9390bab0ff56d442bb41b490d329b

Download Submit
C:\Windows\SysWOW64\Emhkdmlg.exe

Filesize
75KB

MD5
00a62288f67cd361475621efcac31576

SHA1
4cec5b1979da124de6eccb38872bdc81a310bc83

SHA256
e35c4f787ebcb8a2a1267d0281eb8f831d2f74271199a09b7e3e96f32ad65e37

SHA512
6c69d4a03e2e847ee7071c445e2be3699a95e45b238be1da6ac10df2a73b55981e1117536fbf1d4ee1d7077e7b2519d298099ef7976bdcdbd5e98fee13fc9e95

Download Submit
C:\Windows\SysWOW64\Fbelcblk.exe

Filesize
75KB

MD5
c4b34c76853ac25b5e5547b9ba7a8807

SHA1
e3e3259b83d5724f8d05790caac7c1bb03454e98

SHA256
0faedc92459af47d7ba8e0dabd1683252cfa6f01ab075752c164e6da5659e272

SHA512
46be013404b2975b5fff9c48386bd305544e21eaccc8b5bffd05e1bf2c46e7ef98eff5d9fd7154dbf4e498ed50c7b7f6d393c939f16fe34474abb8ad96006d27

Download Submit
C:\Windows\SysWOW64\Fealin32.exe

Filesize
75KB

MD5
08e1f3224b979162f7472757071f4a84

SHA1
22bad8c2927e6ddf45d478dd4e502a8d3f295159

SHA256
4199854efef0abfd1ae44f35e8dc8c00391ace168b8a17deb9f1219fc42734e7

SHA512
8b738ce6e5969d15fa4653d01abbacd717dc0a06614490cc5c8a6b8f80d082faa9a25f98d927110d31ecf011584aa731030589e1211ffe8dee5eebae1b9a674b

Download Submit
C:\Windows\SysWOW64\Fnlmhc32.exe

Filesize
75KB

MD5
abcea5354fc3a9c029fb9b5ccb0dcaca

SHA1
7ed5bb709145b540a74b2afdf3d2335177657197

SHA256
1fcf67fddf7230889c14cc2f0dd8272aaed12e8ee0cd1fd43ff53b4222f6a4b9

SHA512
e76bae2d577dfa7b1a3388b2eea99f8381d337f3a4119503416d5d970eae41e8321b6024b30f37fe8d7a3b13f2978478031721d09d4988893f808b0f6a891df6

Download Submit
C:\Windows\SysWOW64\Gbchdp32.exe

Filesize
75KB

MD5
5eb4b2775998364fd10ef11f1b357677

SHA1
6f6b9ed763ecb0ec6c94a004384bafd761d8133b

SHA256
b05ace0daeb3ead737995d416f7d6e7a6e8da86ec0d1a28f6fdf94e8e5a75dd9

SHA512
72ea952b8ed64617a5471929bcce6f7462f2cfc51a9391b989827e40f20ef53db78cfebd50e6521da18003fde257d96fb6001b0b35fccaf90938d3206b486f44

Download Submit
C:\Windows\SysWOW64\Gfeaopqo.exe

Filesize
75KB

MD5
fef7079e27051111cbcebc54fcf1a6c4

SHA1
3e7191557c3be69da008dfab3dcb2a552b89148b

SHA256
7a0ee3da04e647d90b7bb63821002b7ad60d89e877ee9d2b1cfd6e566be60309

SHA512
1b9b6c5fedadf8ee3a66ce94d95caa96bf8a7d1161ee8197f8805bb76d489a3af13c9035e0a16b5127e75ebf204014d552364795e4921c5f53daa08139c7765d

Download Submit
C:\Windows\SysWOW64\Gfjkjo32.exe

Filesize
75KB

MD5
62af67012d7b76ddaf87ee065121413b

SHA1
6803b167e1fa0e5a8e2087755cbe9d9391612081

SHA256
2f402923f26e9374e338bb7369b0ab92edef10a5395668333dc3b5ce750eb3c9

SHA512
9ee6cf76681fabb54bdbb47cc5dcc85eed5a29cee69200e0bfed394c37854a48025e890d6ab873ba4a2689da8fb23b7abf33b0411d7ac1745af15a35adb576c7

Download Submit
C:\Windows\SysWOW64\Gldglf32.exe

Filesize
75KB

MD5
92e7ef34353e39ecc558e6d92658776d

SHA1
c4524844e8af5ea1fa366c4e7e9301f0c3c05e39

SHA256
167d94ababe0bb883994bab388c7a88f655470b6c25fdb6e993a411eaba02151

SHA512
f825ee5f040393af29c8c77474e548efc456d952b1fa05b24f7db067eaea59be4dc0eada91ac33d116fa8f87996a278f35ecba0cfcde6c1f14633215eba7f4e4

Download Submit
C:\Windows\SysWOW64\Gnepna32.exe

Filesize
75KB

MD5
b6fd5b6a216d664c0185bf43234aca99

SHA1
66e16770136219667b2d23960ecb9daea1d4ba02

SHA256
4019c085284888f1a745e3fd85d8f371c510428271d8d561347d2ef7e281f0e4

SHA512
3903df32386322b00f9c85f3205578a2c6a9ef75154a1378775ed1208062c8558ff8ba08b6fd6df0c366cf709e95ce41a14b6e16003ee08b48c82e69b7a09f36

Download Submit
C:\Windows\SysWOW64\Hekgfj32.exe

Filesize
75KB

MD5
21fc14dc8ca40dae42b68509b24cac86

SHA1
009bfab7f00307be8e7f84a49624d185ad623eee

SHA256
6e322922e1689566937b3028498d8d12b59a67b15a767ecba817abccdb4c9358

SHA512
1d277883969656946d506278eff9095bd62d1b8eb4c075c8db12745d84dce24b87735fbcea2de0b408c0bb689b744c93e64cf66a19f044465c67884803fc902a

Download Submit
C:\Windows\SysWOW64\Mchppmij.exe

Filesize
75KB

MD5
cafb89534b903df999eddbbbff8aa611

SHA1
a73cd06aa511c4892dbc7c2273d2da12b422fe6e

SHA256
e8d9a7a79d9793df42b2cd2fa93ad590e2d0a4f65bde9ab073217fe1b23cb31a

SHA512
b09fe4d03253a8159c8a7e07c7abdd93d29b6ca1c6a07731ddddb272f095f639411735a0cefc0a2a3dd07dce9b20aba105f855c35a77d1dee1c2e8ec21eb13fb

Download Submit
C:\Windows\SysWOW64\Mcjmel32.exe

Filesize
75KB

MD5
e9f5f75eae562b4a5fdb4e199a97a5f4

SHA1
bc10ff92f4b98f470e2e29507dfc8ec3b0071a54

SHA256
e8b97727d17002b3a59bf928990cd9b89ca53e96063529bbd248f10898cab49a

SHA512
a1b50d884aafecbe1d62afa1a2365d1d4665bf12a840a11acd21d06a2d8872abd44b52cc82d53fe248cffddac79ca5f2130915084046e9fda5fd5ce6b3bea44b

Download Submit
C:\Windows\SysWOW64\Mmbanbmg.exe

Filesize
75KB

MD5
9d5c15d9c18d2061da101b132d8ef32f

SHA1
5de393fbc61be6f35849ea721886cda2d10377d2

SHA256
bdaed691cc7890afdda79e0413cc8fcccb274bc1f44759dc581bdcb36f0e287c

SHA512
6bd4ecd1990a4d64a6d88a44969d01111b538f2ea00d18291a6eeb2004ebdbb389006c70b0689f8189ed93f890ee8dc3fcf752e1091c7b4c1fc3aa6bffbb3585

Download Submit
C:\Windows\SysWOW64\Mmkkmc32.exe

Filesize
75KB

MD5
55b0ca19c2ec2bbeb9e4a48b70f7d04f

SHA1
9e9de471095b82e5b3442b09a37f032aa22fa593

SHA256
e3921e75968f0edf216aac51234492628da3f94a1760467b88373d9368d28818

SHA512
898cf5fc055a79421e0eb0a2ff298115ff30b719e528579cbed1165bf6f3c58a09952718873d1fc5d8070b9408b2437838abf238d9c6c4197cc7eade2a07d9a2

Download Submit
C:\Windows\SysWOW64\Njinmf32.exe

Filesize
75KB

MD5
6f9d7c425be514e87b301cbe838685a6

SHA1
9d14347f2af63ad0f95c0316fdb5e3d12e8ebd98

SHA256
69844c4f03f482bac3c7932d21eff670cb40f007f8f32df93f06633c58a616b9

SHA512
9a61eadf78c875aeac9b6d9324938b93cde6f399b78f696f0bbd5597c4a5e82b59d4a7152e002fdbeffc8c52caa49c4772afea5d53017ff48040fb57d9456758

Download Submit
C:\Windows\SysWOW64\Nmenca32.exe

Filesize
75KB

MD5
a3281edc7a56c973fea905fa2083d2a8

SHA1
22f3293eb5f1fab9051b82b140da82c95b4b62de

SHA256
2fa3ee1eb14f6f14da77cc02c7bfc69b577804159e6f670752dd692dd7018bf6

SHA512
29a758f9a3096f66601aa9c0f2a3d6145068ede2adc17bc8a4e38cea22194079138cabdc9a85305dd17663c7d85bbf11210bb33c68c5fc4615aba2a84bc6f03f

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
75KB

MD5
915d4563c3ffafebcaa27fbf27260cf8

SHA1
b1a9b11f386864d60303e709ed6472c6801f41cc

SHA256
a55c48e3c52af4aa06024d651edba1e8fb12c6ef82e41a62af839e0863d41207

SHA512
2966cf8fe3f40384758cb034305105919647826c7883130fc0cc92e42c4ac55bc901d0df5d579010ee15fdcb5b701ce51fae216a7bc14aacfd9ee7fc55a5c3ee

Download Submit
C:\Windows\SysWOW64\Pmphaaln.exe

Filesize
75KB

MD5
e1ff3e07ca13eb86314cff2c06695cf5

SHA1
4a612fb2a9455924b73809a58d36f6d6c00c7532

SHA256
60e9cfb051ddf60e4048d636cac00c317f8f7e385dfffc994863c4a9e97cdadc

SHA512
ec95529c6158a3a4016f644179a06969dc9e52b5c6ffa79fe660d66114c1c3a790f5ce8e1face7109527b81362b28a776d4b1a21c3619ce0a47677ee521af683

Download Submit
C:\Windows\SysWOW64\Ppdbgncl.exe

Filesize
75KB

MD5
c9efd5c72063b2b3eab13ac5d2a86f9b

SHA1
c3fdecf68465ad4848a95d41520ce6fb47ff4783

SHA256
4ae0fd69e7d645b13fcba8a55ad537667726633b30418ac29cbdd58f622905b0

SHA512
22534d5906e47cb33396abe4cbfa5727de4baf65ee1addb49a6ff52f75dbfa418f7d540a8304c8b2f04cf358018f4bfe9d414158b4d7c98865b1b3877aa050e3

Download Submit
memory/264-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/548-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/556-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/568-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/888-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/900-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1060-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1232-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1264-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1864-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1960-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2208-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2284-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2448-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2448-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2448-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2524-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2532-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2544-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2680-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2724-288-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2784-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2788-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2948-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2988-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3272-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3356-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3548-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3824-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3948-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3996-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4172-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4176-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4216-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4392-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4440-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4800-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-129-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4976-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5148-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5196-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5236-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5276-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5316-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5356-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5396-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5428-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5480-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5536-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5580-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5624-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5664-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5708-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5752-408-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5792-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5844-420-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5884-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5924-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads