3711363a8fd0f30bd7a640f63f181c16f9cc32a1bae90f4fec46b71d8b73e3b9

Analysis

max time kernel
100s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3711363a8fd0f30bd7a640f63f181c16f9cc32a1bae90f4fec46b71d8b73e3b9.exe
Size

1.6MB
MD5

e88a5732948bdfc29c3b8e6e08b5974b
SHA1

b0dc3af55c3e249d4381c9ae7a571c04056f8d6a
SHA256

3711363a8fd0f30bd7a640f63f181c16f9cc32a1bae90f4fec46b71d8b73e3b9
SHA512

8f8e1e298d6bfb1d005f85416a834e58580f00d559806bc91b482d7c795442017e7665e8277f96068e26668fb5ec7cd46000ab5f982479402721577a99361225
SSDEEP

24576:l5h3q5hrq5h3q5hFw75h3q5hrq5h3q5hs:Z

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohfami32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okgaijaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknifq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajbaika.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haafcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmadco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fineoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nimbkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpnooan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bklfgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gghdaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnonkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebaplnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiopca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qikbaaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cienon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ealkjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oeoblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oldjcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejdocm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkgje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjdebfnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akglloai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcejco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlgoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noblkqca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipihpkkd.exe

Executes dropped EXE 64 IoCs

pid	Process
3800	Dmbbhkjf.exe
4400	Ealkjh32.exe
4756	Ejdocm32.exe
4452	Fineoi32.exe
4076	Fhabbp32.exe
4084	Fdhcgaic.exe
2912	Fielph32.exe
4136	Fdkpma32.exe
1020	Haafcb32.exe
624	Liqihglg.exe
888	Lgffic32.exe
3484	Mbbagk32.exe
4972	Mlkepaam.exe
5000	Miofjepg.exe
4652	Njiegl32.exe
4532	Nimbkc32.exe
4884	Nahgoe32.exe
4928	Okgaijaj.exe
1776	Oeoblb32.exe
3136	Ffmfchle.exe
1820	Hgkkkcbc.exe
5104	Kcejco32.exe
3272	Lndagg32.exe
2468	Mebcop32.exe
3724	Maiccajf.exe
3220	Mjahlgpf.exe
4612	Mjdebfnd.exe
3268	Ohfami32.exe
4876	Oldjcg32.exe
2268	Aknifq32.exe
2532	Adkgje32.exe
4064	Anclbkbp.exe
1004	Akglloai.exe
4412	Badanigc.exe
1812	Bklfgo32.exe
4356	Camddhoi.exe
4072	Cdbfab32.exe
3128	Dbicpfdk.exe
64	Dmadco32.exe
4488	Dbnmke32.exe
3408	Dflfac32.exe
4340	Ncqlkemc.exe
2944	Njjdho32.exe
5056	Npgmpf32.exe
1656	Ngndaccj.exe
4592	Oakbehfe.exe
4768	Ofhknodl.exe
4384	Oanokhdb.exe
3276	Onapdl32.exe
4380	Opclldhj.exe
2472	Ofmdio32.exe
4392	Opeiadfg.exe
3692	Phcgcqab.exe
3628	Qfkqjmdg.exe
2808	Cogddd32.exe
3592	Dddllkbf.exe
220	Dojqjdbl.exe
3316	Dhbebj32.exe
3584	Dnonkq32.exe
3256	Dhdbhifj.exe
2600	Doojec32.exe
2968	Ddkbmj32.exe
4560	Ebaplnie.exe
4648	Eohmkb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jeapcq32.exe	Jlikkkhn.exe
File created	C:\Windows\SysWOW64\Ejdocm32.exe	Ealkjh32.exe
File opened for modification	C:\Windows\SysWOW64\Fineoi32.exe	Ejdocm32.exe
File created	C:\Windows\SysWOW64\Mjhjimfo.dll	Dhdbhifj.exe
File created	C:\Windows\SysWOW64\Kdding32.dll	Edionhpn.exe
File created	C:\Windows\SysWOW64\Caaimlpo.dll	Bpqjjjjl.exe
File opened for modification	C:\Windows\SysWOW64\Adkgje32.exe	Aknifq32.exe
File created	C:\Windows\SysWOW64\Hfibla32.dll	Jblmgf32.exe
File opened for modification	C:\Windows\SysWOW64\Oifppdpd.exe	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Pqfkck32.dll	Fielph32.exe
File created	C:\Windows\SysWOW64\Klekfinp.exe	Kekbjo32.exe
File created	C:\Windows\SysWOW64\Fhabbp32.exe	Fineoi32.exe
File created	C:\Windows\SysWOW64\Jabphdjm.dll	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Pgdhilkd.dll	Jlikkkhn.exe
File created	C:\Windows\SysWOW64\Kjejmalo.dll	Kaaldjil.exe
File opened for modification	C:\Windows\SysWOW64\Ffmfchle.exe	Oeoblb32.exe
File created	C:\Windows\SysWOW64\Elcgieob.dll	Miofjepg.exe
File created	C:\Windows\SysWOW64\Jblmgf32.exe	Jhgiim32.exe
File opened for modification	C:\Windows\SysWOW64\Cienon32.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Ekgqennl.exe	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Liqihglg.exe	Haafcb32.exe
File opened for modification	C:\Windows\SysWOW64\Ckidcpjl.exe	Cmedjl32.exe
File opened for modification	C:\Windows\SysWOW64\Eaceghcg.exe	Egnajocq.exe
File created	C:\Windows\SysWOW64\Pakfglam.dll	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Damlpgkc.dll	Nfgklkoc.exe
File opened for modification	C:\Windows\SysWOW64\Njedbjej.exe	Nckkfp32.exe
File opened for modification	C:\Windows\SysWOW64\Ajmladbl.exe	Apggckbf.exe
File created	C:\Windows\SysWOW64\Ajgflp32.dll	Oeoblb32.exe
File created	C:\Windows\SysWOW64\Hgkkkcbc.exe	Ffmfchle.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Ibegfglj.exe	Ilkoim32.exe
File created	C:\Windows\SysWOW64\Dgdncplk.exe	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Lbebilli.exe	Llkjmb32.exe
File opened for modification	C:\Windows\SysWOW64\Ejdocm32.exe	Ealkjh32.exe
File created	C:\Windows\SysWOW64\Haafcb32.exe	Fdkpma32.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Mnfooh32.dll	Llkjmb32.exe
File opened for modification	C:\Windows\SysWOW64\Qbajeg32.exe	Qmdblp32.exe
File created	C:\Windows\SysWOW64\Leeigm32.dll	Qbajeg32.exe
File created	C:\Windows\SysWOW64\Dooaccfg.dll	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Epdime32.exe	Ekgqennl.exe
File created	C:\Windows\SysWOW64\Nimbkc32.exe	Njiegl32.exe
File opened for modification	C:\Windows\SysWOW64\Mebcop32.exe	Lndagg32.exe
File created	C:\Windows\SysWOW64\Kjiqkhgo.dll	Iiopca32.exe
File created	C:\Windows\SysWOW64\Ghnllm32.dll	Njedbjej.exe
File created	C:\Windows\SysWOW64\Hhdjkflc.dll	Aimogakj.exe
File created	C:\Windows\SysWOW64\Ampaho32.exe	Adgmoigj.exe
File created	C:\Windows\SysWOW64\Hiikaj32.dll	Njiegl32.exe
File created	C:\Windows\SysWOW64\Lpamfo32.dll	Anclbkbp.exe
File opened for modification	C:\Windows\SysWOW64\Bklfgo32.exe	Badanigc.exe
File created	C:\Windows\SysWOW64\Bmaioi32.dll	Dbnmke32.exe
File created	C:\Windows\SysWOW64\Ekonpckp.exe	Edeeci32.exe
File created	C:\Windows\SysWOW64\Mleggmck.dll	Likhem32.exe
File created	C:\Windows\SysWOW64\Bklfgo32.exe	Badanigc.exe
File opened for modification	C:\Windows\SysWOW64\Dflfac32.exe	Dbnmke32.exe
File created	C:\Windows\SysWOW64\Adfnba32.dll	Npgmpf32.exe
File created	C:\Windows\SysWOW64\Dgihjf32.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Lacaea32.dll	Doojec32.exe
File created	C:\Windows\SysWOW64\Fqeioiam.exe	Foclgq32.exe
File opened for modification	C:\Windows\SysWOW64\Bpqjjjjl.exe	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Lbebilli.exe	Llkjmb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7056	6952	WerFault.exe	262

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbjkg32.dll"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllinoed.dll"	Egpnooan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlkepaam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddkbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leeigm32.dll"	Qbajeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haafcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dflfac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbddol32.dll"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liqihglg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgemej32.dll"	Ncqlkemc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edionhpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfokdm.dll"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibla32.dll"	Jblmgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edeeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibegfglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpbbbdk.dll"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglmllpq.dll"	Ilkoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhcmcm32.dll"	Dbicpfdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibohd32.dll"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doojec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffchaq32.dll"	Aknifq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Camddhoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdhilkd.dll"	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mebcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oakbehfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Finnef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcpka32.dll"	Oldjcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khkdad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjliff32.dll"	Lindkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfqhkbn.dll"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll"	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ealkjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilkoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiqjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffkclmbd.dll"	Fdkpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bionkjfo.dll"	Mlkepaam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eohmkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfnqg32.dll"	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhabbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okgaijaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckidcpjl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 3800	3636	3711363a8fd0f30bd7a640f63f181c16f9cc32a1bae90f4fec46b71d8b73e3b9.exe	89
PID 3636 wrote to memory of 3800	3636	3711363a8fd0f30bd7a640f63f181c16f9cc32a1bae90f4fec46b71d8b73e3b9.exe	89
PID 3636 wrote to memory of 3800	3636	3711363a8fd0f30bd7a640f63f181c16f9cc32a1bae90f4fec46b71d8b73e3b9.exe	89
PID 3800 wrote to memory of 4400	3800	Dmbbhkjf.exe	90
PID 3800 wrote to memory of 4400	3800	Dmbbhkjf.exe	90
PID 3800 wrote to memory of 4400	3800	Dmbbhkjf.exe	90
PID 4400 wrote to memory of 4756	4400	Ealkjh32.exe	91
PID 4400 wrote to memory of 4756	4400	Ealkjh32.exe	91
PID 4400 wrote to memory of 4756	4400	Ealkjh32.exe	91
PID 4756 wrote to memory of 4452	4756	Ejdocm32.exe	93
PID 4756 wrote to memory of 4452	4756	Ejdocm32.exe	93
PID 4756 wrote to memory of 4452	4756	Ejdocm32.exe	93
PID 4452 wrote to memory of 4076	4452	Fineoi32.exe	94
PID 4452 wrote to memory of 4076	4452	Fineoi32.exe	94
PID 4452 wrote to memory of 4076	4452	Fineoi32.exe	94
PID 4076 wrote to memory of 4084	4076	Fhabbp32.exe	95
PID 4076 wrote to memory of 4084	4076	Fhabbp32.exe	95
PID 4076 wrote to memory of 4084	4076	Fhabbp32.exe	95
PID 4084 wrote to memory of 2912	4084	Fdhcgaic.exe	96
PID 4084 wrote to memory of 2912	4084	Fdhcgaic.exe	96
PID 4084 wrote to memory of 2912	4084	Fdhcgaic.exe	96
PID 2912 wrote to memory of 4136	2912	Fielph32.exe	97
PID 2912 wrote to memory of 4136	2912	Fielph32.exe	97
PID 2912 wrote to memory of 4136	2912	Fielph32.exe	97
PID 4136 wrote to memory of 1020	4136	Fdkpma32.exe	98
PID 4136 wrote to memory of 1020	4136	Fdkpma32.exe	98
PID 4136 wrote to memory of 1020	4136	Fdkpma32.exe	98
PID 1020 wrote to memory of 624	1020	Haafcb32.exe	99
PID 1020 wrote to memory of 624	1020	Haafcb32.exe	99
PID 1020 wrote to memory of 624	1020	Haafcb32.exe	99
PID 624 wrote to memory of 888	624	Liqihglg.exe	100
PID 624 wrote to memory of 888	624	Liqihglg.exe	100
PID 624 wrote to memory of 888	624	Liqihglg.exe	100
PID 888 wrote to memory of 3484	888	Lgffic32.exe	101
PID 888 wrote to memory of 3484	888	Lgffic32.exe	101
PID 888 wrote to memory of 3484	888	Lgffic32.exe	101
PID 3484 wrote to memory of 4972	3484	Mbbagk32.exe	102
PID 3484 wrote to memory of 4972	3484	Mbbagk32.exe	102
PID 3484 wrote to memory of 4972	3484	Mbbagk32.exe	102
PID 4972 wrote to memory of 5000	4972	Mlkepaam.exe	103
PID 4972 wrote to memory of 5000	4972	Mlkepaam.exe	103
PID 4972 wrote to memory of 5000	4972	Mlkepaam.exe	103
PID 5000 wrote to memory of 4652	5000	Miofjepg.exe	104
PID 5000 wrote to memory of 4652	5000	Miofjepg.exe	104
PID 5000 wrote to memory of 4652	5000	Miofjepg.exe	104
PID 4652 wrote to memory of 4532	4652	Njiegl32.exe	105
PID 4652 wrote to memory of 4532	4652	Njiegl32.exe	105
PID 4652 wrote to memory of 4532	4652	Njiegl32.exe	105
PID 4532 wrote to memory of 4884	4532	Nimbkc32.exe	106
PID 4532 wrote to memory of 4884	4532	Nimbkc32.exe	106
PID 4532 wrote to memory of 4884	4532	Nimbkc32.exe	106
PID 4884 wrote to memory of 4928	4884	Nahgoe32.exe	107
PID 4884 wrote to memory of 4928	4884	Nahgoe32.exe	107
PID 4884 wrote to memory of 4928	4884	Nahgoe32.exe	107
PID 4928 wrote to memory of 1776	4928	Okgaijaj.exe	108
PID 4928 wrote to memory of 1776	4928	Okgaijaj.exe	108
PID 4928 wrote to memory of 1776	4928	Okgaijaj.exe	108
PID 1776 wrote to memory of 3136	1776	Oeoblb32.exe	109
PID 1776 wrote to memory of 3136	1776	Oeoblb32.exe	109
PID 1776 wrote to memory of 3136	1776	Oeoblb32.exe	109
PID 3136 wrote to memory of 1820	3136	Ffmfchle.exe	111
PID 3136 wrote to memory of 1820	3136	Ffmfchle.exe	111
PID 3136 wrote to memory of 1820	3136	Ffmfchle.exe	111
PID 1820 wrote to memory of 5104	1820	Hgkkkcbc.exe	113

C:\Users\Admin\AppData\Local\Temp\3711363a8fd0f30bd7a640f63f181c16f9cc32a1bae90f4fec46b71d8b73e3b9.exe
"C:\Users\Admin\AppData\Local\Temp\3711363a8fd0f30bd7a640f63f181c16f9cc32a1bae90f4fec46b71d8b73e3b9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\SysWOW64\Dmbbhkjf.exe
  C:\Windows\system32\Dmbbhkjf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\Ealkjh32.exe
    C:\Windows\system32\Ealkjh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\SysWOW64\Ejdocm32.exe
      C:\Windows\system32\Ejdocm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4756
    - - C:\Windows\SysWOW64\Fineoi32.exe
        
        C:\Windows\system32\Fineoi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Windows\SysWOW64\Fhabbp32.exe
        
        C:\Windows\system32\Fhabbp32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Fdhcgaic.exe
        
        C:\Windows\system32\Fdhcgaic.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Fielph32.exe
        
        C:\Windows\system32\Fielph32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Fdkpma32.exe
        
        C:\Windows\system32\Fdkpma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Haafcb32.exe
        
        C:\Windows\system32\Haafcb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Liqihglg.exe
        
        C:\Windows\system32\Liqihglg.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Lgffic32.exe
        
        C:\Windows\system32\Lgffic32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Mbbagk32.exe
        
        C:\Windows\system32\Mbbagk32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Mlkepaam.exe
        
        C:\Windows\system32\Mlkepaam.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Miofjepg.exe
        
        C:\Windows\system32\Miofjepg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Njiegl32.exe
        
        C:\Windows\system32\Njiegl32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Nimbkc32.exe
        
        C:\Windows\system32\Nimbkc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Nahgoe32.exe
        
        C:\Windows\system32\Nahgoe32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Okgaijaj.exe
        
        C:\Windows\system32\Okgaijaj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Oeoblb32.exe
        
        C:\Windows\system32\Oeoblb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Ffmfchle.exe
        
        C:\Windows\system32\Ffmfchle.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Hgkkkcbc.exe
        
        C:\Windows\system32\Hgkkkcbc.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Kcejco32.exe
        
        C:\Windows\system32\Kcejco32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Lndagg32.exe
        
        C:\Windows\system32\Lndagg32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\Mebcop32.exe
        
        C:\Windows\system32\Mebcop32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Maiccajf.exe
        
        C:\Windows\system32\Maiccajf.exe
        26⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Mjahlgpf.exe
        
        C:\Windows\system32\Mjahlgpf.exe
        27⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Ohfami32.exe
        
        C:\Windows\system32\Ohfami32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\Oldjcg32.exe
        
        C:\Windows\system32\Oldjcg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Aknifq32.exe
        
        C:\Windows\system32\Aknifq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Anclbkbp.exe
        
        C:\Windows\system32\Anclbkbp.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Badanigc.exe
        
        C:\Windows\system32\Badanigc.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        38⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        48⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        50⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        52⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        53⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        67⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        69⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        70⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        71⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        73⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        74⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        75⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        76⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5816
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        82⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        83⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        87⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        90⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        93⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        94⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        95⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        96⤵
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        97⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        99⤵
        
        PID:376
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        100⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        102⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        103⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        106⤵
        Drops file in System32 directory
        
        PID:520
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3704
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        109⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        114⤵
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        115⤵
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        116⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        117⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1752
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        120⤵
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        122⤵
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        123⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4828
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        125⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:648
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        128⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        132⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        135⤵
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        136⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        137⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3664
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        139⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        140⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2248
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        144⤵
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        145⤵
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        146⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        147⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        148⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        151⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        154⤵
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        156⤵
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        159⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        161⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        162⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 408
        163⤵
        Program crash
        
        PID:7056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6952 -ip 6952
1⤵
PID:6988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adepji32.exe

Filesize
1.6MB

MD5
fed28c15182c33ba08fe6833ddc4d52b

SHA1
b5c02535a41697fd2b56f5285f8211b667361fdc

SHA256
33c0edec8bb0217bc2ad37cd626727f536ae395ae08e367c9b8d8f4b69b2434f

SHA512
04b7ede59f861acf78e5bf3dc4e21b9854895a1dab8981a7b3967d9e20ca6f6625aabe94f52ec1c93948fb4fea494eb5d770ccd04ab1eb3c12a3229dbf70fbe6

Download Submit
C:\Windows\SysWOW64\Adkgje32.exe

Filesize
1.6MB

MD5
8c34168d8aad1560699ad0bfce29d9b2

SHA1
302b90d784e17ce89093f7564a8eceb3be308a91

SHA256
cce62f6623392e17831d20862a17afd2fc2a93c3d9198e1769c168fd0c31ed8b

SHA512
e47a088df39078c5398b8685f8ceeb4e041a138f37d258a0cdaf873bb367033b284566b25bc81693cc4bb0249540a5edb85e575c51e155750a8d510358e60cde

Download Submit
C:\Windows\SysWOW64\Aknifq32.exe

Filesize
1.6MB

MD5
17a6fded778c6b579a7504a54c848e92

SHA1
bfef9ff987541849a0ab17a6a0d9b035fff87b8b

SHA256
e529a9aa6dc18fdb74c7c5330091843fb281a65ff859d5da25b1549776dd7586

SHA512
da891595e623cd11c3c0c7f19ed7a6550e35e4e31b6a700fec88d3347098d36d12ba5d7e660d92bb264e8000ef11898137fed6b614b718a705159d71c83ccf25

Download Submit
C:\Windows\SysWOW64\Anclbkbp.exe

Filesize
1.6MB

MD5
f80d3779f9fc9a956d38ff81d8afc88c

SHA1
800c16958a77e4119b51572c2f7954051c42a443

SHA256
02e880775ab3f4daaa63d78b6659a29032f85ce8f411b74bd5f45d51a0190192

SHA512
4349ce87d586d37ea49316787cdcd54d92457f247d0de13ff4f5c5129bd61817708781ed5c5d536c01bfe0f89f7ffcec5b19e8de9e9a233beb462e0e1e402ac5

Download Submit
C:\Windows\SysWOW64\Bkkhbb32.exe

Filesize
1.6MB

MD5
66defc2b782ba924dafd4efcb7bd727b

SHA1
23ef038d8eda8a10cea430a56796abaf8753cda4

SHA256
63b735a7fe398682b01b53f4a117a1159b51c0263bd0f04858b670b0e6f12182

SHA512
fe23298ef47af708149536a191749d62c9ce8799cf3b2d40980edc73d07f7c6b9b906d5aaf7a79a5772355b4baf6c859a9f2a969c06d0f231904481a1fbc53e9

Download Submit
C:\Windows\SysWOW64\Dbicpfdk.exe

Filesize
320KB

MD5
f8baa8d5d78c9e1f09b067a440d2fd82

SHA1
31e875e05ce9607de065cfce5eb2390dc52530b2

SHA256
47e80988e6c3ec722e111c63f53b860620c6edfcda05acd0bb5775c11eb9e44e

SHA512
213d1abf4b200b05fffeda269ef6052ed2df3edab50efbeb4137e28eff44d77c2e026098d56c4d71cb56bd82069b031de1d7af137815c129c7d35d091b1e6517

Download Submit
C:\Windows\SysWOW64\Dflfac32.exe

Filesize
1.6MB

MD5
52b2342d6accaf9f7ea5302dc150c8d9

SHA1
64b40f3ef16e9cb63f38b36e3565e06d97e9e2a6

SHA256
79036bb893bc935b30f0966dba1fc095542d16f6f6f4746bbedfd47ed3f96d23

SHA512
cbaa9a2d8f34d9a1e67ec8855b1d754ce65f1395858000316f1dd02a66120dfb9ad5c5299f5b661be90baf10945788b07706791ad804cda975b502d0c827e6c8

Download Submit
C:\Windows\SysWOW64\Dmbbhkjf.exe

Filesize
1.6MB

MD5
3007c953c0d0e79fb0a08b7e43a41c82

SHA1
cfa5fc5edb0838e95e8ffc9d66399864d917d859

SHA256
c90ce7c036048a39c1b866888e191599707e3fe7f42299888cee819bc297dae6

SHA512
f6f8005e4d4fc80ed15a9de996af4c17fce3be86849b3e34148d4bc16a7addef70aa152e41278309399056cd9c85e521a0b9644db3eedd6fa9b59fcd4a17dfbd

Download Submit
C:\Windows\SysWOW64\Ealkjh32.exe

Filesize
1.6MB

MD5
e56c9be82ab363569c146eb3c2c5ebaa

SHA1
9a38ba6b6190d226a4674bc2526cb13089e18bfb

SHA256
7ca0a3171851c259a68a423f7826c3f4d9fbb978b8c2dfb8c9229a88e8a6ad2d

SHA512
6bd71a82b88a1a5071e6386f538008aa3bc8146e61c5e438b0d7ead6ccd4ad1f91c323c2aa7e4f01ec452bff6432a53e6cfae79f31503e034f5368cd37c49711

Download Submit
C:\Windows\SysWOW64\Edionhpn.exe

Filesize
1.6MB

MD5
461b3a1ea626c2b99c10186df11d3acb

SHA1
3b44e72fc6206af751a6b7b51b8de894d27f61ed

SHA256
27bd00da3243dd9f2ae70682999ab573ed00f26006d046b16dd2cb21bc505575

SHA512
05c90f52dc10052ea1af1f0a117d074d80a513e581e138fab9125ed26810dbfec7f8e5c2e3a1edb5a7609d78bf0225458dd51b9d2ce6c40e6fb298784965bfcd

Download Submit
C:\Windows\SysWOW64\Ejdocm32.exe

Filesize
1.2MB

MD5
659bbd0c2348641d866f62fbb79290cc

SHA1
479001ff3055fa6d4c30431a0a4d46e135916aa5

SHA256
773c293d2bf8c82505771fd3f7df3935c6a9c055726a0e814ac8e31c1ca065c5

SHA512
8d5558b5962d6418dbc813585247e97e457c928f766503d0fbabac5cb64fb461e4bbc20aeb8c06a0138c5c921e3c6dbd5d2d7acb7887e263992e1feb20276ae8

Download Submit
C:\Windows\SysWOW64\Ejdocm32.exe

Filesize
768KB

MD5
6a30323671e2199fd43eb5f46a115e9f

SHA1
2cd8b0b9b7eff1c8829b7d896c7243c6fec82e65

SHA256
35d656900bea3566db797d4225c596486a9b394fec44959de82e9517b9bb0cf0

SHA512
48c88728614d050714d8ee07d3944e549833d51721b12a1c94f84934b193cd2b6defc358c3b378e1eb099a1721f3802803d88126fcff83a98ac7826398397c4b

Download Submit
C:\Windows\SysWOW64\Ephbhd32.exe

Filesize
1.6MB

MD5
a8225b9362dcff86e0947aa39ada4f72

SHA1
095eefaca67eb68534c5d248505c1ae509f0cd0d

SHA256
b8e0f6844fdc1b519b4da3dc4cfe728f404506ecc8b6d7ccfd18076d609ab683

SHA512
6170eca9b009d02c0882affa0c70ac3f4a5b22703b3bd260232d70e8048c012d3b7de83fc89bb72c7572e895a123da47b5159e27d6cbe01a456e01c1f8e6f4ae

Download Submit
C:\Windows\SysWOW64\Fdhcgaic.exe

Filesize
1.6MB

MD5
2e2a087a7dd87a17be4ba47ad9683746

SHA1
2bf267845741f95b4a4e3e91084903a428ac4d29

SHA256
f30b937cb18e8a3da58b51895656000fec6fb10ee5f567b1ef97a2d0b9fdd56a

SHA512
84c75db4961c62a2256bba37f059deecdef84491b080220d41e154dc2347cfbbd49736d7173a94aca3d9c922f0dc9e6f94a8c3d042fdf2afbaf41abcb89395b7

Download Submit
C:\Windows\SysWOW64\Fdkpma32.exe

Filesize
1.6MB

MD5
6000b64d56c2ebc32a1254bc8165efdb

SHA1
3db4a92844a530da3a479e6ae13bf38f2e89b84f

SHA256
f25853249993570d8ce35c85bc82d30df5f0a4624111d7235bcf7447163aec9e

SHA512
63b7489aeae631e5bb81a3bcfc0188413e481125ba9fd9d7a632dd4077638fcfe1aa06f4770443055b7cc45fd48c03c5c1c2d9a6f77b0e696f241210fb18e9d0

Download Submit
C:\Windows\SysWOW64\Ffmfchle.exe

Filesize
1.6MB

MD5
e88979b67833bba2295962cd2e104e22

SHA1
094dda2cf62b92ada835235649eeabfe2ef56eb3

SHA256
9063ca1b3381f954eb9f285639af3ea10d891a28a84dc1b8fe6175fd863e8eaf

SHA512
6c7107e9438c7d99bbfa7b5086328306698f161c7406bcf8bab52605409f4547e4be63de6a4d5b9f1a66eb2d45d1f1082eac80d9c1bd4c56ecddd28e9abecc8d

Download Submit
C:\Windows\SysWOW64\Fhabbp32.exe

Filesize
1.6MB

MD5
830726c7d2bde00144f154091929eefa

SHA1
a80c19cbb8abd619ecb9d19c23bc99061693bcea

SHA256
df96203c504a2f0dd6b09935a72f60b5e62489c2198844775fc72acb0b14f5d3

SHA512
96309b088652fc0791744840b1464b1885d7205fe3cf623c4fb9f1942aa078b35c97c5b25fd1abaf7dc8863d3bd63abb7adcc8799136490dbd51774d940cb719

Download Submit
C:\Windows\SysWOW64\Fielph32.exe

Filesize
1.6MB

MD5
083e3042db54573c8f25ed7452a3d6d5

SHA1
05a81a1f625297633815c54e39ff0192c2a53205

SHA256
eca5c38f0c35429240deab535fb388b4efce990ab26af805ae6c4ddf317a9bf0

SHA512
6be74be04f9c23dcd2355918efd4e45122174596cab52aa9dff158499096b494d5f91f6f127cf66257a55ec3cd00d3f1e124e8f9f92da633a1afbec7c8ad9d82

Download Submit
C:\Windows\SysWOW64\Fineoi32.exe

Filesize
1.6MB

MD5
e0281ff327c758b3783248af70a53340

SHA1
2b6b829a928879286fb7335b985bc890ffdc1ec9

SHA256
00dfda38dcaddcca70dd71ae0c040eecca281771c5da170d6b4d49a6109ae4c7

SHA512
5f0c48ed9ea4181c234403f56faa1f2d6e5d716943849ae75a837db13184a200110bba40d465984450ae0944b8a32c6f1e61ae2d249db8895a5512db6e0c013f

Download Submit
C:\Windows\SysWOW64\Haafcb32.exe

Filesize
1.6MB

MD5
90973b6a1b04243c4399fb7ae0566421

SHA1
dfd63fffbc07a8eb5b4f881d8b182b0c58a73e17

SHA256
47419d48ea47959b1fd7423c404775ca06b488bbd58f9e6625d7d41c95f5e56a

SHA512
6a483fc98b96bd771d3e2c401a69b64b072d5fb9c74f6e33661e86bcbeaa48e55903a58c6b1b0dafd26529511b1aa006c0a79e2455262726f33c11960ccf79c8

Download Submit
C:\Windows\SysWOW64\Hgkkkcbc.exe

Filesize
1.6MB

MD5
e7f04365ba19a99d92a88cfea3067616

SHA1
97b023543f50e032b74255dee0d84363ae4be979

SHA256
6e35661305ef0b1cc53707f0ae360e2aec5d1509b568abfb8dbda22ddcee045e

SHA512
ae538f42e91ecf42233e2548933efd560df0d20d3408d351df83cdb2033a341e9c0618c551a73b1d5a5c89f6cb0d1c514b210c4121010dd98f87fb671d3495b0

Download Submit
C:\Windows\SysWOW64\Jlikkkhn.exe

Filesize
1.6MB

MD5
676659635c59f8105548d1d39fd04013

SHA1
5a12f2880fb6cb9e40f7fcea97d68929997c88f4

SHA256
728e976cd0a356a275695e426a030a89949669962a375c508e7705593515c476

SHA512
17d5ed84fb645a7f991cad06239c24531dd644219765a69531841f9d4201b91e61fa9384f10cc0178b38622646b30f871d4d3011f8522b813644fa84e345a066

Download Submit
C:\Windows\SysWOW64\Kcejco32.exe

Filesize
1.6MB

MD5
d42084c4abb1d2ac293d759df1994d8b

SHA1
bafad5702c46299bd8782f65c6a0166b5512782f

SHA256
f970742b0abcc794353711796f6c1ec922c1046faace1ede05bf2f981450f22b

SHA512
a4c72271ba84e6241472299f40f4c22d9a5de7f1fa4c6015dc2698566f6676ee1961489015fcca8ff30d1db146c6e259c017307c777beb6c08aa97c58b325397

Download Submit
C:\Windows\SysWOW64\Khkdad32.exe

Filesize
1.6MB

MD5
bca3e1ea65a39a0334861405ea9884d4

SHA1
404cf1aad91967ef55c106f089e676d30d2e0231

SHA256
bd90885ed2d7affdd0ae0786d60112a9fa52eb06900bf57daa15d466854689d9

SHA512
a8424166eb40e7f9f69fd3fcd33c94146d101d4a29c3aa6f7927d1b4348a616965d163f3e1347dcb517efefe13e2ce60146b636c164f2ba61e246729a3a9872b

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
1.6MB

MD5
6768711ea969dfb19a43657ca5e37413

SHA1
195e61e5472fe1389e523fcd61d749379cef8a3d

SHA256
f356383d285861d71d7a12a11bb7f271a990fb1cc9a568528666d3dc50ce8a25

SHA512
1a8cc38d99dd5d552411c02b71e3c503496ce88671bde4de5b1754e3cc7e176f95886302faf9f311c4a5e92335d2e13f195eb112aefaf382fad782234e11aa90

Download Submit
C:\Windows\SysWOW64\Lgffic32.exe

Filesize
448KB

MD5
181a3d231ba9d47b445a6021581eeed9

SHA1
3b2dd5bea554837cad3aa95ef423e53eec4fa684

SHA256
8303cdbe6358dfdfe916a35b0593adf7d1b12b5bb087fcb339c66038fc2f364f

SHA512
d08d5aaceff65571fb0e4367ffceefc833780e4785d0aa3d8c024a2f917cb5d626dd08f19bd97a0870e0b21d64ab746282c37dd70df5b8e771d20c4c9744101d

Download Submit
C:\Windows\SysWOW64\Lgffic32.exe

Filesize
192KB

MD5
50fd8339e95c691a43f0a78386580fd9

SHA1
ce81fa0ec0196b4217994b53c5edafcb53f2e8c4

SHA256
d260182bd5282c385c7962baa912db1e1c2bfdabd2b8b04aaccdbe31d55a8836

SHA512
9bf32dd4e9575be03378ede1ea20f28de09670363af7e63a2923e9c7571084d12aedc8177be90f1b64b26e3e10588d864e0d4cf9e6246979e2f4ddb7c9e007e2

Download Submit
C:\Windows\SysWOW64\Lgffic32.exe

Filesize
1.6MB

MD5
ea8409d20c338e296cf649b88b892d87

SHA1
bd99336b23c2fd49423221315ab490c611d96eac

SHA256
cf551029679e1db1cdb2dc8c4b39f62048d480567a7f316787bac3e95067548a

SHA512
f8cd5edd26186c5b57de818b154a3a94acbae2b89ce3f4c712f2cf5a8ab7bea1ec3e912f45fadc1362ccfa1b899466333d8950f5b86292c0548e3eb96ce825cb

Download Submit
C:\Windows\SysWOW64\Liqihglg.exe

Filesize
1.6MB

MD5
62591698dda69d1b426d9fe126dc6498

SHA1
7326b8a789404770fa5a7ac266d4c9531e29c1a9

SHA256
1be613a33650105425011af21f39a0ce3600695c033a193ad8eceeaa192395b5

SHA512
9c86db37687c9dbb70f9172c05d773e5298ed26905dd9b03925ab514397032877b44b043a5d508b671176541b1a55356c67bed0d094d934678cacf0986f0163a

Download Submit
C:\Windows\SysWOW64\Lndagg32.exe

Filesize
1.6MB

MD5
3012e8fac6e65b9343634ac93c87c2d0

SHA1
406574176f72c3dbaa25fb8b67af2fbca4f2e0c6

SHA256
49fb6054ffb7579003f3c85d656feeea33cc5f142e9f77ac3a1576db512a85d5

SHA512
796d3239a043516a8e4914d3b8b1f431c3ceabd2a44ac8c9c7e79fee43bbb081b817f1966ff8b6f29964c3e0789ce9b7c84cc3ca764544ed6772e7ed342f2634

Download Submit
C:\Windows\SysWOW64\Lpgmhg32.exe

Filesize
1.6MB

MD5
bb3ebb49cecfa36198fe7cfcf2c6444f

SHA1
532a3f43354b67303a4b5ce917932aa35660846f

SHA256
7e79b5a3028ca830b7e1cbc2777cd5e10a4d7dfc9f9568296f4cc7a06a8febd6

SHA512
bb06c68b118d9635aacc57daecb63c9496e0e533ed53d11709f66e17934512dca31f42ba2cc2b6da80b07ff959e1534d6cbe6079af0b0f622326fdfcdba8cb8c

Download Submit
C:\Windows\SysWOW64\Maiccajf.exe

Filesize
1.6MB

MD5
149e420eb3d74a9c8b25e3653347baa6

SHA1
c870f649f2d36581768c7189f4991b246b4768b8

SHA256
a66c275dca10974764e63d2cce33e47143a39facad2ad6e73fbb5b74709d7504

SHA512
fcd177cd5a47e1bbf281c423f7e159e7304f2e4386840c9dc0512576c38d92a740da47d38ea3d4bd38bba6f995084c9536239b614239c0a664f58a4297dbb385

Download Submit
C:\Windows\SysWOW64\Mbbagk32.exe

Filesize
1.6MB

MD5
855943d530a6a50f40cf4dbf02686e1a

SHA1
186e1cdbf61a47df12969da45020c5bf1d7ff587

SHA256
4f0359064b01c4d1fb1ec5e28493d376c3647b0382e710a8889371b755d1b52e

SHA512
ccf2286a3d385bbfac4eb97ca55226d9ce9e12d46aa7209f3fc1f9e362f25b5b26b6ab1d04f99ecfbf8dcc328db4ff51cae700ecd703ac4e0e0aefa02a6f15b7

Download Submit
C:\Windows\SysWOW64\Mebcop32.exe

Filesize
1.6MB

MD5
bb628d19ae16ee1b6f08730e07ce514f

SHA1
ffea8e4de6aab37434264eb447591f3d4912a58c

SHA256
0677dd5cabca1ed20dc8cc59042986a56c9ca21ce3ac466003490a2d396fa88c

SHA512
40266fbc040eff400438427dd1db45f6f74ac85152533e6798d7989baf6e9043b6c42afaf6131f68b7607aff5226094688d794900c69bcfad5b32609486770ef

Download Submit
C:\Windows\SysWOW64\Miofjepg.exe

Filesize
1.6MB

MD5
cf3e7c81b8e7963e4e92529a751568b2

SHA1
5089443d60a6eacef401c20094a839faf958eb1f

SHA256
313f86ef749749e4509ade96b0c58e418233e80ec22b575c9db3d4fd046ae838

SHA512
3a0165262b30490e0f9bf4418da4491ba048390fe44901124c13876419340e177acf9e320b957df6479ed1b19eed10b64d70b0e8c7422fa588d01d9c9d266d1d

Download Submit
C:\Windows\SysWOW64\Mjahlgpf.exe

Filesize
1.6MB

MD5
208c30921895c1ed1eafe3d1206a3f75

SHA1
c722155562a02ecf7ce1e7a54c6fa24ced438838

SHA256
1ce48b124abc94e5f7668d2f8f0e76e1adbefe6edb40179bc79906c16e0feed2

SHA512
e45fee6bc1f3de7f49b6bf8c63d3cdaddede7dfc4eb3824e5953d5914e99d598861ac8bcdd39aeeb804d644bd4c73911bd0b32cabe6093baaa89b16cb8d5ff4a

Download Submit
C:\Windows\SysWOW64\Mjdebfnd.exe

Filesize
1.6MB

MD5
3506457a4bec59534ca9cb2c208f19b4

SHA1
8c5197c8015356596e50cc2ea0cdf7b7ec162e67

SHA256
598517fb2d7d6daa7b7850a3b85b017c585d458e4124fa08a596854791847cf2

SHA512
4d9a76289c0f1b7fa08ff2f914eb34100acd77a26f0bab9c579ca8f8cabd1f02addf33f2a362bf8994f975e4eef0448a9638bd22011666868a1eb56dc1bb4654

Download Submit
C:\Windows\SysWOW64\Mlkepaam.exe

Filesize
1.6MB

MD5
0c52262200b667ed7660e7d171ac041d

SHA1
bd19906a75706f75ec82ee2cc6ecb4da230cae6b

SHA256
994103c10756a36343e747932a7924a7de285a92ca5bf8cdb08904a08826bc34

SHA512
21d00f452ee10450670bbbe03d8dfbe552916645a3f2431837d491756bbdbb870fba288c2351f26743b05153d8b2a1fed2e3df799c7bb3dbc80a4749cbf5e6ef

Download Submit
C:\Windows\SysWOW64\Nahgoe32.exe

Filesize
1.6MB

MD5
a61cce192f343bc4a7346ae228eb7fe7

SHA1
793b4dc097d73c96fad3100406d3808f8093a801

SHA256
ecc665582e69fb3f6f6a4041b84f21e4227eca73a9d4c95de446b90daf93f8da

SHA512
446a3e73aa3cc6824a436d7c5c4c8a5f32341057be72d4bced3ee93b02f511b6acbf6a5c009177488ca8e2559a0499c906228e4533541de86afbf0b1ad28f374

Download Submit
C:\Windows\SysWOW64\Nimbkc32.exe

Filesize
1.6MB

MD5
0e88dec43629424522d760efcb8ef91a

SHA1
5884433d5c997647ea89982232b3d2862489075d

SHA256
c5eacfe7d44b0b1449f3486809cfd7830bd29c3568f59fc218018315478cb720

SHA512
6c175e980af6f2cfbe22c2fc498d48de288985cbb8d74e4aee948ea535b68992481528b4cc1be0574aae8dcb04fb67f88f958614be4453d7ec793d1d142c1389

Download Submit
C:\Windows\SysWOW64\Njiegl32.exe

Filesize
1.6MB

MD5
152ce47125ebddcf785cc224cb8fde0e

SHA1
45294033f3550849232c45d94f5d262229e724f2

SHA256
d07179379dca2fe8d0eaf459dc18620e7080ae13f52d20c0a456c876c372119c

SHA512
3a44e83cb884f1c958729d2541f83f6576d9427fc9e2787dc34074b441bf0b3b5e4c7f3ee67483716746d4afb2b37343b25ed80350d4f5eb380c9433ab757b33

Download Submit
C:\Windows\SysWOW64\Oeoblb32.exe

Filesize
576KB

MD5
50c90273bd8c804506c9fce5b8a876dc

SHA1
882d4f6592663a32a7ff38d77cc1d1a47d9d0ae6

SHA256
ba5ef0fd582ca6d1f4e60d7630af7245d4474d129eab0e9f77363aded02a99a8

SHA512
88b3b8d6b0311c2dcd88e9ff06ee5bc40ba6b93bb80e0496b2484d8ac5f962eaf328a7fe21a6de23b6e4f3b737294698a910eca14b3714794475532f2944dbe0

Download Submit
C:\Windows\SysWOW64\Oeoblb32.exe

Filesize
529KB

MD5
961ec84d66cca0f37d8ed84ba5ed09b5

SHA1
64ce812cf931a6f49cf32e890c7f2630b2d10800

SHA256
9291592ade3383142b33c3c5df806845e3d9528a6c631aefb3ec2bc21f8df5c8

SHA512
88613da80f8b71c182b808100923b6c4f877634daa1af20bfb1108d44620b833755104c88591c087e4699c0796dfb3e06520f6ff476b5f666e851702dea98a0f

Download Submit
C:\Windows\SysWOW64\Ohfami32.exe

Filesize
1.6MB

MD5
a19aefb13a0231b02b319b45f1a99774

SHA1
b647b8eefbcfa4c7e98fba69a923f1fe5d118b38

SHA256
ed70c8a33bfa08a09f2a7fb2d0b0910643cd4e8e987661759addd71832cce744

SHA512
0c5a6f5ad20f293a680aa993d2fdc80bf9a39f808c294bfb0d534c744d217e65125aad3393f0a0a3ec8874f90ace432c97c439c201e70126f3099e4f2b5774e4

Download Submit
C:\Windows\SysWOW64\Okgaijaj.exe

Filesize
1.6MB

MD5
47cff96b66cb3b47ddf9df8197e8f71f

SHA1
5253fde6914b0ae77641c1b2b288faf01ce81591

SHA256
9e4cd75a907a946038ba25b44dff1b84e3750a9216cfb3cc9174d8a9fb7faad8

SHA512
b792276a4e5b1248e66fbbc3827c4f34cbcb9a379c81093cd53e387987125ec235a1527e6c9d645eb95c508dbd230ca8b9952324eee5fc998d8b4232d3105973

Download Submit
C:\Windows\SysWOW64\Oldjcg32.exe

Filesize
1.6MB

MD5
543eb9b84cac5e71c8b9854ecc4c3e80

SHA1
470a61bc87cdcf8a8accf951cd34e34816f00088

SHA256
f4f28e618e0b5aad9ca1f1bf6989165729c684beaf519768c6fa992a1435d36e

SHA512
b61dbbe0be274f1d18b9e403b0584c0b97e2aab249529983352fcd0b9234e79fc4c39c5c0935b49da89e4aa6da3825c16512f8d96eb9f3c5687ff396ecde72ad

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe

Filesize
1.6MB

MD5
37ccd4cd93f9bf52ea202843ea609335

SHA1
10a54f81b1f98a90f40743b6b21153ea1daa0aca

SHA256
d51e864d013c5e4f906fc561f0c4517b5da84b669498da32d601ff2b2fe3992e

SHA512
86fed7c2c2424fde40f3675c435ebfad10bac5d19a39c3bad5471d16bfa3c75fc0d31d043779b1d6947346509c80956ecd1f3f26c4a4a67019cc72283e171c63

Download Submit
memory/64-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads