b0a3d6118d33f6ab660853ef8ecaaf543a72f11b7fa1f5e8467d603af58bf116

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0a3d6118d33f6ab660853ef8ecaaf543a72f11b7fa1f5e8467d603af58bf116.exe
Size

104KB
MD5

cfb4b3f484e7631463f0468fea017c20
SHA1

ff2f8e1a25409d8362591b03b7d1e35fcec20a94
SHA256

b0a3d6118d33f6ab660853ef8ecaaf543a72f11b7fa1f5e8467d603af58bf116
SHA512

5d45c0e89c0bf91f7f8c2f55553c2177856b7fb89346db7001d90565486793dd300c42fa9fb906380ebad418053a48fb8c3af3d339e9c4ad90d8cde3727507c2
SSDEEP

3072:d1mEfzBq37J7Onjnuw2J5e5lx7cEGrhkngpDvchkqbAIQS:d15q3V2uw2JM5lx4brq2Ahn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gkalbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcpjnjii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfgipd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iapjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalofi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjaioe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iaedanal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehbnigjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieagmcmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gndick32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjkbnfha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebfign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfbkpab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbfdjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehbnigjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlppno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieeimlep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmfcok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khlklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnpaec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b0a3d6118d33f6ab660853ef8ecaaf543a72f11b7fa1f5e8467d603af58bf116.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieagmcmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hqdkkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddifgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekcgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiacacpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgiiiidd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fajbjh32.exe

Executes dropped EXE 64 IoCs

pid	Process
5080	Iojbpo32.exe
2884	Impliekg.exe
404	Jiglnf32.exe
1184	Jmeede32.exe
2128	Jgmjmjnb.exe
1060	Jinboekc.exe
3348	Jgbchj32.exe
4748	Knnhjcog.exe
5040	Kgiiiidd.exe
1968	Kcpjnjii.exe
4424	Kcbfcigf.exe
2960	Lgpoihnl.exe
980	Lokdnjkg.exe
3008	Lfgipd32.exe
2864	Lckiihok.exe
2748	Lcnfohmi.exe
2908	Mnegbp32.exe
3252	Mmkdcm32.exe
3652	Mcgiefen.exe
444	Monjjgkb.exe
4820	Nqpcjj32.exe
4132	Nmfcok32.exe
4272	Nfohgqlg.exe
4568	Nagiji32.exe
2524	Ojomcopk.exe
5112	Ocgbld32.exe
1272	Ogekbb32.exe
4640	Oclkgccf.exe
3260	Opclldhj.exe
4852	Pfoann32.exe
5004	Pccahbmn.exe
2172	Pagbaglh.exe
5116	Phcgcqab.exe
3164	Ppolhcnm.exe
1628	Panhbfep.exe
3712	Qpcecb32.exe
5160	Qfmmplad.exe
5200	Qpeahb32.exe
5240	Aogbfi32.exe
5280	Afbgkl32.exe
5324	Adfgdpmi.exe
5368	Adhdjpjf.exe
5408	Bajqda32.exe
5448	Cncnob32.exe
5488	Cnfkdb32.exe
5528	Cdbpgl32.exe
5568	Cklhcfle.exe
5620	Dkndie32.exe
5660	Ddifgk32.exe
5700	Doagjc32.exe
5740	Eqdpgk32.exe
5780	Eqgmmk32.exe
5820	Ebfign32.exe
5860	Ehbnigjj.exe
5900	Ebkbbmqj.exe
5948	Ekcgkb32.exe
5988	Fqeioiam.exe
6028	Fniihmpf.exe
6068	Fkmjaa32.exe
6104	Fajbjh32.exe
2440	Gbiockdj.exe
5140	Ggfglb32.exe
5212	Ganldgib.exe
3484	Gbnhoj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nagiji32.exe	Nfohgqlg.exe
File opened for modification	C:\Windows\SysWOW64\Qpeahb32.exe	Qfmmplad.exe
File opened for modification	C:\Windows\SysWOW64\Hlppno32.exe	Hiacacpg.exe
File opened for modification	C:\Windows\SysWOW64\Khlklj32.exe	Kcoccc32.exe
File created	C:\Windows\SysWOW64\Mnokmd32.dll	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Kgffoo32.dll	Iojbpo32.exe
File created	C:\Windows\SysWOW64\Kpqfid32.dll	Ganldgib.exe
File opened for modification	C:\Windows\SysWOW64\Lancko32.exe	Lplfcf32.exe
File created	C:\Windows\SysWOW64\Iapjgo32.exe	Hkcbnh32.exe
File opened for modification	C:\Windows\SysWOW64\Nagiji32.exe	Nfohgqlg.exe
File opened for modification	C:\Windows\SysWOW64\Jjihfbno.exe	Jaqcnl32.exe
File created	C:\Windows\SysWOW64\Bajqda32.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Ojjhjm32.dll	Ppolhcnm.exe
File opened for modification	C:\Windows\SysWOW64\Knnhjcog.exe	Jgbchj32.exe
File created	C:\Windows\SysWOW64\Kcbfcigf.exe	Kcpjnjii.exe
File opened for modification	C:\Windows\SysWOW64\Eqgmmk32.exe	Eqdpgk32.exe
File created	C:\Windows\SysWOW64\Iagqgn32.exe	Iaedanal.exe
File opened for modification	C:\Windows\SysWOW64\Lhbkac32.exe	Lojfin32.exe
File created	C:\Windows\SysWOW64\Ejhdfi32.dll	b0a3d6118d33f6ab660853ef8ecaaf543a72f11b7fa1f5e8467d603af58bf116.exe
File created	C:\Windows\SysWOW64\Mnegbp32.exe	Lcnfohmi.exe
File created	C:\Windows\SysWOW64\Jklliiom.dll	Ipgkjlmg.exe
File created	C:\Windows\SysWOW64\Ocgjojai.dll	Nqaiecjd.exe
File created	C:\Windows\SysWOW64\Dmokdgeg.dll	Kcbfcigf.exe
File created	C:\Windows\SysWOW64\Baampdgc.dll	Fniihmpf.exe
File opened for modification	C:\Windows\SysWOW64\Iojbpo32.exe	b0a3d6118d33f6ab660853ef8ecaaf543a72f11b7fa1f5e8467d603af58bf116.exe
File opened for modification	C:\Windows\SysWOW64\Lpjjmg32.exe	Ljpaqmgb.exe
File created	C:\Windows\SysWOW64\Nppbddqg.dll	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Djgdkk32.exe	Dalofi32.exe
File opened for modification	C:\Windows\SysWOW64\Lolcnman.exe	Lhbkac32.exe
File opened for modification	C:\Windows\SysWOW64\Kefiopki.exe	Khbiello.exe
File opened for modification	C:\Windows\SysWOW64\Ehbnigjj.exe	Ebfign32.exe
File opened for modification	C:\Windows\SysWOW64\Lindkm32.exe	Lcclncbh.exe
File opened for modification	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lpgmhg32.exe
File opened for modification	C:\Windows\SysWOW64\Hjaioe32.exe	Hbfdjc32.exe
File opened for modification	C:\Windows\SysWOW64\Jhmhpfmi.exe	Jacpcl32.exe
File created	C:\Windows\SysWOW64\Lhdbgapf.dll	Pfoann32.exe
File created	C:\Windows\SysWOW64\Fanmld32.dll	Momcpa32.exe
File opened for modification	C:\Windows\SysWOW64\Fcekfnkb.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Mhfdfbqe.dll	Khdoqefq.exe
File created	C:\Windows\SysWOW64\Jgbchj32.exe	Jinboekc.exe
File created	C:\Windows\SysWOW64\Ajdggc32.dll	Hnlodjpa.exe
File created	C:\Windows\SysWOW64\Lpjjmg32.exe	Ljpaqmgb.exe
File opened for modification	C:\Windows\SysWOW64\Gjficg32.exe	Gclafmej.exe
File created	C:\Windows\SysWOW64\Fniihmpf.exe	Fqeioiam.exe
File created	C:\Windows\SysWOW64\Panhbfep.exe	Ppolhcnm.exe
File opened for modification	C:\Windows\SysWOW64\Acccdj32.exe	Pblajhje.exe
File created	C:\Windows\SysWOW64\Ikfbpdlg.dll	Dpjfgf32.exe
File created	C:\Windows\SysWOW64\Fachkklb.dll	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Cpclaedf.dll	Hkjohi32.exe
File created	C:\Windows\SysWOW64\Epaaihpg.dll	Iagqgn32.exe
File created	C:\Windows\SysWOW64\Dfaadk32.dll	Ilmedf32.exe
File opened for modification	C:\Windows\SysWOW64\Jgbchj32.exe	Jinboekc.exe
File created	C:\Windows\SysWOW64\Jlkidpke.dll	Bajqda32.exe
File created	C:\Windows\SysWOW64\Eqgmmk32.exe	Eqdpgk32.exe
File created	C:\Windows\SysWOW64\Ganldgib.exe	Ggfglb32.exe
File opened for modification	C:\Windows\SysWOW64\Jojdlfeo.exe	Jeapcq32.exe
File created	C:\Windows\SysWOW64\Khbiello.exe	Jojdlfeo.exe
File created	C:\Windows\SysWOW64\Bpcgpihi.exe	Bfkbfd32.exe
File created	C:\Windows\SysWOW64\Nailkcbb.dll	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Ifolcq32.dll	Lcnfohmi.exe
File created	C:\Windows\SysWOW64\Ljnakk32.dll	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Ocgbld32.exe	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Gndick32.exe	Gbnhoj32.exe
File created	C:\Windows\SysWOW64\Kifojnol.exe	Kefiopki.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7556	7392	WerFault.exe	293

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Monjjgkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhpmpa.dll"	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll"	Pfoann32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fniihmpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ganldgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmmco32.dll"	Ipbaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcblekh.dll"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ekcgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fajbjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipbaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklliiom.dll"	Ipgkjlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ieccbbkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gclafmej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicbhla.dll"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbblob32.dll"	Fqeioiam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmokdgeg.dll"	Kcbfcigf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coppbe32.dll"	Giljfddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnlodjpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Monjjgkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcmal32.dll"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll"	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqcco32.dll"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baampdgc.dll"	Fniihmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjccmbf.dll"	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begfqa32.dll"	Ebkbbmqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompbfo32.dll"	Hnpaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmoqj32.dll"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiglnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpeipb32.dll"	Acccdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ehbnigjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kifojnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jeocna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gkalbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll"	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjaioe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnegbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll"	Kcoccc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gdnjfojj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gndick32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 5080	4180	b0a3d6118d33f6ab660853ef8ecaaf543a72f11b7fa1f5e8467d603af58bf116.exe	98
PID 4180 wrote to memory of 5080	4180	b0a3d6118d33f6ab660853ef8ecaaf543a72f11b7fa1f5e8467d603af58bf116.exe	98
PID 4180 wrote to memory of 5080	4180	b0a3d6118d33f6ab660853ef8ecaaf543a72f11b7fa1f5e8467d603af58bf116.exe	98
PID 5080 wrote to memory of 2884	5080	Iojbpo32.exe	99
PID 5080 wrote to memory of 2884	5080	Iojbpo32.exe	99
PID 5080 wrote to memory of 2884	5080	Iojbpo32.exe	99
PID 2884 wrote to memory of 404	2884	Impliekg.exe	100
PID 2884 wrote to memory of 404	2884	Impliekg.exe	100
PID 2884 wrote to memory of 404	2884	Impliekg.exe	100
PID 404 wrote to memory of 1184	404	Jiglnf32.exe	101
PID 404 wrote to memory of 1184	404	Jiglnf32.exe	101
PID 404 wrote to memory of 1184	404	Jiglnf32.exe	101
PID 1184 wrote to memory of 2128	1184	Jmeede32.exe	102
PID 1184 wrote to memory of 2128	1184	Jmeede32.exe	102
PID 1184 wrote to memory of 2128	1184	Jmeede32.exe	102
PID 2128 wrote to memory of 1060	2128	Jgmjmjnb.exe	103
PID 2128 wrote to memory of 1060	2128	Jgmjmjnb.exe	103
PID 2128 wrote to memory of 1060	2128	Jgmjmjnb.exe	103
PID 1060 wrote to memory of 3348	1060	Jinboekc.exe	104
PID 1060 wrote to memory of 3348	1060	Jinboekc.exe	104
PID 1060 wrote to memory of 3348	1060	Jinboekc.exe	104
PID 3348 wrote to memory of 4748	3348	Jgbchj32.exe	105
PID 3348 wrote to memory of 4748	3348	Jgbchj32.exe	105
PID 3348 wrote to memory of 4748	3348	Jgbchj32.exe	105
PID 4748 wrote to memory of 5040	4748	Knnhjcog.exe	106
PID 4748 wrote to memory of 5040	4748	Knnhjcog.exe	106
PID 4748 wrote to memory of 5040	4748	Knnhjcog.exe	106
PID 5040 wrote to memory of 1968	5040	Kgiiiidd.exe	107
PID 5040 wrote to memory of 1968	5040	Kgiiiidd.exe	107
PID 5040 wrote to memory of 1968	5040	Kgiiiidd.exe	107
PID 1968 wrote to memory of 4424	1968	Kcpjnjii.exe	108
PID 1968 wrote to memory of 4424	1968	Kcpjnjii.exe	108
PID 1968 wrote to memory of 4424	1968	Kcpjnjii.exe	108
PID 4424 wrote to memory of 2960	4424	Kcbfcigf.exe	109
PID 4424 wrote to memory of 2960	4424	Kcbfcigf.exe	109
PID 4424 wrote to memory of 2960	4424	Kcbfcigf.exe	109
PID 2960 wrote to memory of 980	2960	Lgpoihnl.exe	111
PID 2960 wrote to memory of 980	2960	Lgpoihnl.exe	111
PID 2960 wrote to memory of 980	2960	Lgpoihnl.exe	111
PID 980 wrote to memory of 3008	980	Lokdnjkg.exe	112
PID 980 wrote to memory of 3008	980	Lokdnjkg.exe	112
PID 980 wrote to memory of 3008	980	Lokdnjkg.exe	112
PID 3008 wrote to memory of 2864	3008	Lfgipd32.exe	113
PID 3008 wrote to memory of 2864	3008	Lfgipd32.exe	113
PID 3008 wrote to memory of 2864	3008	Lfgipd32.exe	113
PID 2864 wrote to memory of 2748	2864	Lckiihok.exe	114
PID 2864 wrote to memory of 2748	2864	Lckiihok.exe	114
PID 2864 wrote to memory of 2748	2864	Lckiihok.exe	114
PID 2748 wrote to memory of 2908	2748	Lcnfohmi.exe	115
PID 2748 wrote to memory of 2908	2748	Lcnfohmi.exe	115
PID 2748 wrote to memory of 2908	2748	Lcnfohmi.exe	115
PID 2908 wrote to memory of 3252	2908	Mnegbp32.exe	116
PID 2908 wrote to memory of 3252	2908	Mnegbp32.exe	116
PID 2908 wrote to memory of 3252	2908	Mnegbp32.exe	116
PID 3252 wrote to memory of 3652	3252	Mmkdcm32.exe	117
PID 3252 wrote to memory of 3652	3252	Mmkdcm32.exe	117
PID 3252 wrote to memory of 3652	3252	Mmkdcm32.exe	117
PID 3652 wrote to memory of 444	3652	Mcgiefen.exe	118
PID 3652 wrote to memory of 444	3652	Mcgiefen.exe	118
PID 3652 wrote to memory of 444	3652	Mcgiefen.exe	118
PID 444 wrote to memory of 4820	444	Monjjgkb.exe	119
PID 444 wrote to memory of 4820	444	Monjjgkb.exe	119
PID 444 wrote to memory of 4820	444	Monjjgkb.exe	119
PID 4820 wrote to memory of 4132	4820	Nqpcjj32.exe	120

C:\Users\Admin\AppData\Local\Temp\b0a3d6118d33f6ab660853ef8ecaaf543a72f11b7fa1f5e8467d603af58bf116.exe
"C:\Users\Admin\AppData\Local\Temp\b0a3d6118d33f6ab660853ef8ecaaf543a72f11b7fa1f5e8467d603af58bf116.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\SysWOW64\Iojbpo32.exe
  C:\Windows\system32\Iojbpo32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\Impliekg.exe
    C:\Windows\system32\Impliekg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\Jiglnf32.exe
      C:\Windows\system32\Jiglnf32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:404
    - - C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1184
      - C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        25⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        27⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        28⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        29⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        33⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        36⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5200
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        40⤵
        Executes dropped EXE
        
        PID:5240
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        41⤵
        Executes dropped EXE
        
        PID:5280
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        42⤵
        Executes dropped EXE
        
        PID:5324
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        46⤵
        Executes dropped EXE
        
        PID:5488
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        47⤵
        Executes dropped EXE
        
        PID:5528
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5568
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5620
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5660
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        51⤵
        Executes dropped EXE
        
        PID:5700
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        53⤵
        Executes dropped EXE
        
        PID:5780
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        60⤵
        Executes dropped EXE
        
        PID:6068
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        62⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        67⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        68⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1212
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        72⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        73⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        76⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        77⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        79⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3244
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        81⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        83⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        84⤵
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        85⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        86⤵
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3620
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        89⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        90⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        91⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        92⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        95⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        96⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        97⤵
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        98⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        99⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        100⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        101⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        102⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:564
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4436
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        105⤵
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        106⤵
        
        PID:572
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        108⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        109⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        110⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        114⤵
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        115⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        116⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        117⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6620
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        120⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        121⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        123⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        124⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6940
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        126⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        127⤵
        Drops file in System32 directory
        
        PID:7028
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        130⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        131⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        132⤵
        Drops file in System32 directory
        
        PID:6316
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        133⤵
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        134⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6592
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        136⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        137⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        138⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        139⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        140⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        141⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        142⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        143⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        145⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        148⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        149⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        152⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Gdnjfojj.exe
        
        C:\Windows\system32\Gdnjfojj.exe
        153⤵
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Gjkbnfha.exe
        
        C:\Windows\system32\Gjkbnfha.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6788
        
        C:\Windows\SysWOW64\Hqdkkp32.exe
        
        C:\Windows\system32\Hqdkkp32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7020
        
        C:\Windows\SysWOW64\Hkjohi32.exe
        
        C:\Windows\system32\Hkjohi32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        159⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7156
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        163⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7224
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7280
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        166⤵
        Drops file in System32 directory
        
        PID:7320
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        167⤵
        Drops file in System32 directory
        
        PID:7356
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7400
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7436
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        170⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        171⤵
        Modifies registry class
        
        PID:7520
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        172⤵
        Modifies registry class
        
        PID:7564
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7604
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        174⤵
        Modifies registry class
        
        PID:7648
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7692
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        176⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        177⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        178⤵
        Drops file in System32 directory
        
        PID:7812
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        179⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7900
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        181⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        182⤵
        Drops file in System32 directory
        
        PID:7984
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8028
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8076
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8116
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        186⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        188⤵
        Drops file in System32 directory
        
        PID:7272
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7312
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        190⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 420
        191⤵
        Program crash
        
        PID:7556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7392 -ip 7392
1⤵
PID:7444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:7592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fcekfnkb.exe

Filesize
104KB

MD5
6ab8b3630f9333414954f55c812ceda3

SHA1
f1403631ab0d4511ce1b7cc79deec530c9ea8796

SHA256
f3b0f16a4126711da9c9b2c39f6c5e2b1b3d7f79358664230c36d0cdd86e459a

SHA512
0b079121efe68e9221d5fd54a32668381c89fcddeb6ad4807306dad87eeeeb8e6752573bfa5956d4a4180d834b32dd6720c19fcdfdbc75fb1206c6b544e46343

Download Submit
C:\Windows\SysWOW64\Fniihmpf.exe

Filesize
104KB

MD5
d84c90f9b17e437f41f7dab72eb00924

SHA1
759d11ea635f74d8f05b958a7374047f3c10503a

SHA256
f1df6b588a70dd01cea615153080c02f1b7529b82d4127c6df286dce0c5006d6

SHA512
89518142d609866606f13413e8f5ed7c10854216f2f1b41072d6033cbf70fed1f3a24bfcb658d27347bf96653c99c2f5b007be8604cb3e39196befea86f2ef24

Download Submit
C:\Windows\SysWOW64\Ganldgib.exe

Filesize
104KB

MD5
70fad8ce52bcc41782c6a270234b58ba

SHA1
75f174f8065f93746ff5229eb9d3195eff569ae4

SHA256
b94b0fdb1b701acb26aae933f3687eff230bd35d54695fa0709162cd9a05dd93

SHA512
f4390453548105f1ad73c4676b9fbb649aa528fdb66eeb89cfc7340dd86fc732d0d518d0d599e19a022d383dfc94d342aa56c983891a3444f65cd4febae4e5a4

Download Submit
C:\Windows\SysWOW64\Impliekg.exe

Filesize
104KB

MD5
2938ba3e4bfd539f72a419c7895aca19

SHA1
0091d8e41bce60aa6880078a989f1327ee48e9b9

SHA256
c36e6f9e0cd26ee3f07204037513a668ff3cd750f23a0ed7f3b364aa3eb9cb15

SHA512
c957bed0a1c910d217994e61e33c801dfca48025cb6a08dc9692c65a2473d53e2f3c25d068caef1d62680328c1a934cc6e66a33e05f6c42f0d29cf162a830215

Download Submit
C:\Windows\SysWOW64\Iojbpo32.exe

Filesize
104KB

MD5
4875a6225d71d8160fd8e10cef9a2b74

SHA1
b8801e53d109710e46b9ac32cde8baf6ee3e9081

SHA256
9c78eaba5b15bdcd01f6db9f2ac41fff4cc9d209e7fc4b9ef0bad17f6494d8e0

SHA512
521f569add075031e6bb25b55357d57936d59f31e2be4420ee653c4cf89eb5baeca50c2a02d75b643dadfd7da490d1019ef1c1c3f7767d8233bbdde0bb56ecf6

Download Submit
C:\Windows\SysWOW64\Jgbchj32.exe

Filesize
104KB

MD5
26dbde6fa18fc5cf9444aeeb57beb362

SHA1
50891d06fbc440b2747dc445c4db53eb44f297f5

SHA256
ff36751c8e46d2cc376f18f84428ca87ae9797d8e11f4621a809af14a46f5ebd

SHA512
beb8069813e2f9648d3f443e8e4b0b2386d22f4f9a66e5ec2c4b3f23f2f283f5386ae2a44681f718a25ad372bb29301abfc7169e0bc48c785ec3db86d6f7a7ae

Download Submit
C:\Windows\SysWOW64\Jgmjmjnb.exe

Filesize
104KB

MD5
0ec279ffcdabdb531767c91581767d5c

SHA1
1f1bbb752d76cd27436b071e82e6eb18767b8bdc

SHA256
0f8d9b44f069d4bb24168b5222fe42cb230f1d970ae18095e3d31aa3f33eed50

SHA512
2d657261f235db34beb4d5ece1417f5037f36f04659faa2aa3513eb240fdc69a429ac68ae15c0a15ede048e4288bd3020db01bbcf15ecd699f863cbfd28a541a

Download Submit
C:\Windows\SysWOW64\Jiglnf32.exe

Filesize
104KB

MD5
35626580079bbec0fa0e94317f2b7c08

SHA1
465a5bf034bdea953eae5c993dd3a7eab6edc2a6

SHA256
13ace9881c0cbf90d223c14bb1a78805802852b2c95e3ab23355ae598c22e884

SHA512
88f81739c305478f58e95a950099d64922dabecdc8b5e10ef3c983ff17f958aeb1ad4c7945a78d773aae1b9d0926f4a38853cbf82cffbb454c15b904342b5dcb

Download Submit
C:\Windows\SysWOW64\Jinboekc.exe

Filesize
104KB

MD5
c0e13693b21afe997b2f7b43d74dbf52

SHA1
c38b61c914ce15ab227e7e02c7910d32f4d27ea5

SHA256
52942bd0bab9b05da96fc16bcb4d0ebcfb0f91c123142e5e053ac072a4241c61

SHA512
b4fc9d5cfbd2d53aded21cd32f1af47b0acb9e7806b4b8e6d692c8796119b8ec7eb01e0a5c0de0f401ce086757b5ebc9d9617f7c16e80e63f96372186b117813

Download Submit
C:\Windows\SysWOW64\Jmeede32.exe

Filesize
104KB

MD5
b5eb77302219ef0712216a584ab75742

SHA1
b2b102f4694010893ed5d9ed64cde51ba2114bb8

SHA256
15e6402c4d1f11f4a45e09ec68d860534526db25c89ce62384c894f3650132ce

SHA512
8a94997741cda055ab2893dbff83a6c2cdee6007f8a1ee728548d1df0ce3838bda7f163d2919876b1be1fe4df58d33b1b6aba661faaa47f06df92921a0e0a1a5

Download Submit
C:\Windows\SysWOW64\Kcbfcigf.exe

Filesize
104KB

MD5
bd15558fad31158cfdbfafcd896f1dec

SHA1
7dabe559f1cfb77a5826d620bb15bab122dc1909

SHA256
16c9570375c4e9dfa5efdffa8bc8866ab6ddef3f2ae91a034900da65909ba95f

SHA512
a1b130ef9ad0af74e98ef3696b970f435a5c972138afce1183f8b69b249c11e5fbeb5e74685c39fc15e4a9a83608eb6e9765532cfc66d563391f2c2257d8abc5

Download Submit
C:\Windows\SysWOW64\Kcpjnjii.exe

Filesize
104KB

MD5
207037c0ef66a982abf9ff86b2e85ce3

SHA1
dd07f0ede56f04df05bade3e5a212ba6414f6e41

SHA256
2c9691ee67a0f1793a9766e479d7bcd9b9006d6e8d2b0e3c082d40341a2de242

SHA512
73c8cbfaadc4cf4eac8145433a93132bd5feeeffce9a09cda0ecfe5b29b1adc8fd043be0636c925d3a0af851a507fd1be0e790b73028ce9ad8636a27d140cf9c

Download Submit
C:\Windows\SysWOW64\Kgiiiidd.exe

Filesize
104KB

MD5
225238e76c6ca069452bd409bb1f37f1

SHA1
3e355b3d94184456dd82cf548f6f201dc92c6099

SHA256
da8278be2999259ee60a6c36869cb089e1dc696f6324cc88f08571babcb1abd2

SHA512
32b9c464e7be5f7a4c20b2937fa008e207a71427502ca6ce61853a6fe34aacd5629214355227a2799e5b6b215e7ea6c904f1b23097e8b1be2ceac6572c6d9610

Download Submit
C:\Windows\SysWOW64\Knnhjcog.exe

Filesize
104KB

MD5
521ae69717007c8768eef9fe264b4c05

SHA1
6ff05f542bf1ac2f91e12e70811bcd64ec305e22

SHA256
295b7faaa7551f959ab79761f850a65ff5fee76262b3618714c7eda23ecd963e

SHA512
c6cadc6a63183b7f1ac264d31d6827f8344d8e44ffadd007acbb07653e8645de4125c5af8883204f4d7273f3b4b10cc0dd49afc701f621c8b9bd2c67c153a665

Download Submit
C:\Windows\SysWOW64\Lckiihok.exe

Filesize
104KB

MD5
dbc4095a2f00328058761a2602ff5aaa

SHA1
07d0032e50c31f055d458d87fdb155ab6e3f08f5

SHA256
225e8e123561fd21f11a1a2b483dc933563af223a1945642ec3bcf30c04f69b8

SHA512
970bdcf057d58a36c1985191d5053512b143a0076b31f411deb21a898951c2773ea2a54e83887f6df77d241d93cb7af16863736a5bf3114dfcf253d4ad517f5d

Download Submit
C:\Windows\SysWOW64\Lcnfohmi.exe

Filesize
104KB

MD5
ea1e53dfaed15fcf81653284996ae70c

SHA1
eccc0966fbc536a106de81229c7522fa82660195

SHA256
131274a9f206ce935892a294d9dfd0372fb966cb62bb3a30c7181a72d8796e94

SHA512
287c8315d8b4bfc3033dd4ec53ce08daf3389efd2669d399e9f06f8620826512103687193cb95e1b61d35fad9a0013d20d7b4afdc78461722602c95ca80a93f4

Download Submit
C:\Windows\SysWOW64\Lfgipd32.exe

Filesize
104KB

MD5
185154af526057a916a7deee82d934b6

SHA1
152192a3cc812e95599b1f601f0ea668287e1292

SHA256
db8468944a386c1468359567a9262f35b76746c48d9e7e11be2a50cbea4f8659

SHA512
fdf9d46d444177462071c8f9c05703d7dda41d7688f52e3d1f80a9877eabe3ec05d43ee5900f4d774e1abf2ccc98ea3ff1aae988e5590a97295d7b4fa7a7c406

Download Submit
C:\Windows\SysWOW64\Lgpoihnl.exe

Filesize
104KB

MD5
23f3fd41d2e52791fb713a867d53ef0d

SHA1
cd03f65253dd0186788d4583fc510389e32034d9

SHA256
a8c6e576cf5640f9ea717f8b27350f79bb07999ac6b221c3eee26c463770d132

SHA512
8969402deeeb54d26fd2c6300edbf6f3d5820c9dde88717ce24e340fd2ca9ea4500d56d4962fc845e55b5050973ad5a9c9652fa99f35e38edb42adb2a5166c41

Download Submit
C:\Windows\SysWOW64\Lokdnjkg.exe

Filesize
104KB

MD5
0f32d6e2403e8018bfdfc01592a7c60e

SHA1
d2d01fb6971996f3acd333b555f6f33cc41fec32

SHA256
fa2694ced3a766a659a6c0463ceb05be5277c748836c70b8d9c573ef8b6c201e

SHA512
790e3fd387e9675b849417a3f6ac8667ae0416606104f67651a24bd4a3a0badde508ce396449a663cff2066b05978186e171ca781c8aa8bb42f690fde7731971

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
104KB

MD5
0dd5d57b85dbc28290dcb4865e798f99

SHA1
6967839bfca45835e8d3731bd45b37019dbd8a7d

SHA256
327a40399c7d08bb49167fe74c3bed61f91415210197c05d224a647aca097b1e

SHA512
5ab9b8970b89b71be29d0296b0e89cab4a88de8a2e264835a3bdae943bf00d97cb5de7923a2021e962acdab2282ef5bdb5d422732f44c743bc31158a9602f5da

Download Submit
C:\Windows\SysWOW64\Mmkdcm32.exe

Filesize
104KB

MD5
08f6d99baf71bf650ec28f38090e3707

SHA1
702d02341a97055ab9cc7a273a787e6387af4568

SHA256
9139f6b15ec188864ad7f754a5da50add622ccd3dbc04c2adc704c6e1efe4fe4

SHA512
616a8a1b7399819b27359802e073cf6b02d92a2d89fc5e83d943e97af38660a3e28d18059c3268cf0f6cd37ef3af5dbd7d319c309017584a3e1188f649a541b3

Download Submit
C:\Windows\SysWOW64\Mnegbp32.exe

Filesize
104KB

MD5
ad3857956da4913404c80a10dce052b2

SHA1
48f0493593011c49e54e4c67ff441bab2b226028

SHA256
6d454f6102098aec8a6cdc7dae00576a20f8b510370c58cd44702eda7f0e1a92

SHA512
4e71c5a643f2285b01f047462d0ba36a3c04588bfeac8d7946ef545d92495560e5c51e8ff9400c975f3b29d7e7737faa200238845ca3339a402f35d0fb85a864

Download Submit
C:\Windows\SysWOW64\Monjjgkb.exe

Filesize
104KB

MD5
3b30fa34be357cdea21aed057bbfd4ac

SHA1
936048bf70543e9733606e4c1cf0989a0fe3c0ea

SHA256
a47acc7a5ed3e855a5e9875f613650b59988bf3d2e698b1819f600c46209d432

SHA512
e096f572c62c06bd8d7392a016bbeb86911dd84efc27adace901e6c615340fa4b21f9b1ce552cc2b1d3cb3264cf4da65ee00b79babdfbcf760482737fc910613

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
104KB

MD5
9743d4c662e1ffffa0da862327e3c8d6

SHA1
0ac8bc6a0e5e0e81742831c7e7f9a07e4399de56

SHA256
80eb1ecd2b20754ccfdaf8d3767832075949ab504d96835f9f0176f16d0823b1

SHA512
0e61f961bae0f1774c4e4db6a05fcee905499b826feee5b9fe13a0be127d09f00abad2fecaa9e2dda30cf3e39c804fc00d3006047e99db38604463bddd652f3a

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
104KB

MD5
155ab4d2ae4741224913a41dffb4e128

SHA1
411d4154b4dad9af0e3a5af4ea6720f72ed5244e

SHA256
ef7a14a183b308fa1754a96e6dd477f27088d97f911ea2ee376a2be4a2e2a533

SHA512
7ccadf19d17531ff8427bfae4f785e0b894549c76e4ca81a4d1d3335003d75bf82ea320a7168a464531ba5f33aaa8d84e9d89b722ede590e73347acfd19ffb73

Download Submit
C:\Windows\SysWOW64\Nmfcok32.exe

Filesize
104KB

MD5
75908994ec5aaed69cc0b8ebb6097ea5

SHA1
1c7aa250674f3fbdad0660714e495003ca603450

SHA256
d6f84dbae26820df2e541e5c10744c0354511347220eedd196fd6f5d0e1e8d80

SHA512
fa20b478ea6034bba61ab4f48b0c17e6f89d716ba1691fb8850adb40d52f01626beba56fdda841b299463cb9e81c4085c618c98ca2b08793894e8c7860465348

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
104KB

MD5
d5dce5b196516a45cb252cac2b734e29

SHA1
4e91f5b817590402f93636566be3d12a77e3edf7

SHA256
db5f738faab5e6ac4d0de1144408572f7265cab3c5aa93fb15677c92828a2a54

SHA512
984944046dc0e3e69eb008d5983cfb2c1efc76692b8e9b575623fdf2622421d44bfaa34a890015d1e7c91d2b198bda27a41a624db2ad8a0c19ffdf55e5d01439

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
104KB

MD5
7a4794959bbf14142e837a9e43a27ed8

SHA1
d85efcc28216893350c99235b56e2c047a1202ba

SHA256
a2ecb52f2fe60642184eab35dde6de452180241938137e9e435643ce9ee83f8e

SHA512
c7718660840d7d24cf6d34cb690206c40e0931bde2a5a8f21bfcf0ef1fc3146c35fb36cae100f83a9dae02b9e006ebfdecce0ed999804f2e1c8852bbef385802

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
15KB

MD5
7ab6ec62f52dd6b624170104846a5418

SHA1
d74ca06f15a2f643ac125533bd804381d45bbb2a

SHA256
1f4ad8d93094d12ceab69edb5a07646d3c44fe64fe4c17b8a1fcb9199eedaaf3

SHA512
0e50df5570ba3047a554bac3acf4d386371ed4a5b9b405768b5fb6e1891e894a731bc16f9aae084d55fb3e888b190106367cd898ac944608518bc77b31b15cf3

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
104KB

MD5
54e0e3595e55402ef7c157a158c03faf

SHA1
5c871a2b2b1b6321b73c35850e8abe83eb5eeafd

SHA256
32ea838deb53ecd9b6870e5ce71dcc792869c0181054445b57c87de0c86ef0ef

SHA512
d1449bb6de1d4c8afc32f6e9d693c29c23721fb219bc14f2a2fca55a865ab462092b2f8792b65a6d401774b0ea34bdfae95fb8397df53d7b4cd425e3c9104608

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
104KB

MD5
cfdb4d2b1028c25c7b3f65c7bc17b882

SHA1
d47d5ea025fcdb48db9988ebfca671f08950858f

SHA256
d4a04164dc6cdbf70296623132fce6473ae11a7d070a1196aeee848e67db9bc5

SHA512
f871b44f1299109e397af60b450d51624f83b1edf26f165b18221c0bd084cc1a8bb4b629ddfaf6897ddca2ed593f81e28a78c0dee9e917a39b59fd11aee16cef

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
104KB

MD5
172ac6e4235d456d393a540dbcfc07af

SHA1
dc0623c8df27f3fccd34b58cdaa216063513d4c4

SHA256
802deb4c39a27edbb1f96dc4ab30c52acb3db083b8da543617eb9251f15cfdaa

SHA512
cdf592b4fe709993cda901a070163bd40fd02c1a45f8861e17cf0f08957dbd0e3cbccec1a7b4ea25e2990e30cfe6399d3b9392983a1429a564d37ed902c6227a

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
104KB

MD5
f230777fb3c92800baa46775a8e8fe49

SHA1
c2767b72e0aaee7e7a3f625d48669a5a12ca8628

SHA256
52bc02d8aca4f04b65711993cacfa249a76d9d05e835fcd129cfa08fdc50bedc

SHA512
67cf6be3030662e7bbc938476fd575c218caa7a17c08305685f635897e4af9e638c78d7b60cb7d1763141ae52bcd39e1da498b62d1b3f4bf36e2cc347f9f62e2

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
104KB

MD5
3666f0eda995cf0aa1d35a880a331944

SHA1
94fccfa5841cafb996a01188ee80f89acdc0383a

SHA256
be691506f301c7f0722a819fffe39de73b38b3f6558e211c1af1a823be2ccfd3

SHA512
9086d343c9e48e32b385fffd8fe42e4f10fd8ae2acfc700e00d0c9301819bc21a06c7932558a04b1282c2962978e82627e38cc6346c9d4409a234e217d4a871f

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
104KB

MD5
ad5add1b09dde68b5f5c29f6716af8c8

SHA1
40139a27d767cc41b84d888ad71c8c385a6379ff

SHA256
5764bbaa12636076b06fd0e888087bf702b609d225d60fe7157fd9c37ef784e4

SHA512
8cd0edecb54a66f9dc219f9fc74f68dc6efe72303ef16070068982806e63bf20abb7a6c3e65f1ef266c5f14a2eeb547ba26f68c1b30d10274e53f31a1b778436

Download Submit
C:\Windows\SysWOW64\Pfoann32.exe

Filesize
104KB

MD5
1324d5bbbd3b24197dc32066e666d561

SHA1
8abaa95d6cf5603582fc2e63fb65d68b5cb660b8

SHA256
d015f005ff546b8ef61d2f5b70225acbb757c56206589315bb70fed81f18b060

SHA512
69763c669397750b6a2d49d2f36e8586f41f733d3e6429a150c29f7db2fb7fc819d068dcb37ab6b5b36d8d66e5f599030f031afb19f24ad35b54410df285443c

Download Submit
C:\Windows\SysWOW64\Pjdhbppo.dll

Filesize
7KB

MD5
04dc89a8da20108f9b1046a8c18c2895

SHA1
843cfc7839c4fe587d8da96c3974d65b0989bc1a

SHA256
f1160f540d66efff77acce071fa15e487f7bd91597229c13aef47697692f5d9c

SHA512
7d8a2099aa3499ec597ada87a5c956e561a13bdda91896e18e634a371cf09b1e596cb893c5192144f5ce83ea936163c53bbf881d05bb4cadfbf4b2370e70b230

Download Submit
memory/404-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/444-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/980-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1060-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1184-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1272-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1968-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2172-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2440-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2524-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2748-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2960-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3008-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3164-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3252-147-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3260-235-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3348-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3652-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3712-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4132-179-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4180-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4272-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4424-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4640-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4820-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4852-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5004-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5040-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5112-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5116-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5140-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5160-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5200-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5212-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5240-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5280-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5324-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5368-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5408-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5448-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5488-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5528-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5568-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5620-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5660-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5700-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5740-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5780-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5820-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5860-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5900-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5948-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5988-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6028-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6068-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6104-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads