b2316fa6ae990920929f322ca096e3f7645dcb811ae1ff77de0dcc74ffd9006c

Analysis

max time kernel
155s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b59f9842d22f968620f82c103760cd13.exe
Size

78KB
MD5

b59f9842d22f968620f82c103760cd13
SHA1

812caa5dcbaa8856a72326e29530b0201ff58e8e
SHA256

b2316fa6ae990920929f322ca096e3f7645dcb811ae1ff77de0dcc74ffd9006c
SHA512

65ea11ba5f7900eef6ea591e8e1ad7070070c42eab51033c724fb4667a28e2391a5260538d932027cd57d0207cbb3bcaf2bfca948dc979951b3eb6a89de8181c
SSDEEP

1536:r9RD6d4y7bsuI/IMPSZpOqr6eU/28PAiyc6yf5oAnqDM+4yyF:D+7bsFZiXUBPAizCuq4cyF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fchlhnlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhelddln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmlpjdgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dijppjfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kanbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akgcdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgldl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifckkhfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkmqne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefgak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkicjgnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnilfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gadimkpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebcdjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqigee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdpfbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opopdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfkich32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmaakpfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkegbfgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohobebig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glmqjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbhnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofmbkipk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplaaiqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppccemjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akgcdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blabakle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkicjgnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbiioe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmmbmiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkakhakq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejdonq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnkbcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkqccbkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccipelcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkioojpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhdbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmamba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccfcpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gplged32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gplged32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojeodga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oinbgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dehgejep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebjokda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnilfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bndjfjhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joikdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knjhae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcdfho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jognokdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ollgiplp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khbpndnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ollgiplp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkmqne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnmpbec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiimejap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boaeioej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Philfgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iodjcnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aofemaog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgiiclkl.exe

Executes dropped EXE 64 IoCs

pid	Process
2608	Iqpclh32.exe
3228	Iedbcebd.exe
4920	Jcjodbgl.exe
1436	Jelhcd32.exe
4960	Jnfjbj32.exe
3948	Knifging.exe
2684	Kceoppmo.exe
4252	Kanidd32.exe
3748	Lelajb32.exe
4904	Lmlpjdgo.exe
4448	Mehafq32.exe
4908	Mkicjgnn.exe
3272	Nncoaq32.exe
3064	Noehac32.exe
620	Oolnabal.exe
4340	Philfgdh.exe
1092	Pnhacn32.exe
4328	Pklamb32.exe
2780	Qkakhakq.exe
4648	Adnilfnl.exe
1276	Aocmio32.exe
2724	Akogio32.exe
1008	Bbklli32.exe
1232	Bndjfjhl.exe
792	Bbbblhnc.exe
4980	Ciogobcm.exe
624	Cldjkl32.exe
3136	Dfemdcba.exe
4972	Dpnbmi32.exe
1488	Eoconenj.exe
4332	Eeodqocd.exe
936	Ebcdjc32.exe
4888	Eojeodga.exe
1672	Fcodfa32.exe
1596	Fljedg32.exe
4152	Ghqeihbb.exe
4024	Ggdbmoho.exe
4216	Gplged32.exe
2412	Gjghdj32.exe
5012	Hcdfho32.exe
3600	Hhaope32.exe
3536	Igghilhi.exe
4776	Iodjcnca.exe
2876	Ijlkfg32.exe
4336	Ifckkhfi.exe
728	Jcgldl32.exe
2556	Jmamba32.exe
384	Jihngboe.exe
2884	Jfokff32.exe
3796	Kplijk32.exe
4144	Kanbjn32.exe
2552	Kfjjbd32.exe
4652	Lplaaiqd.exe
2108	Mpchbhjl.exe
5000	Mfomda32.exe
1656	Nfdfoala.exe
3372	Nffceq32.exe
5020	Npadcfnl.exe
3792	Ohkijc32.exe
4840	Oacmchcl.exe
408	Oinbgk32.exe
4380	Ohobebig.exe
2032	Opopdd32.exe
1632	Ppffec32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mehafq32.exe	Lmlpjdgo.exe
File created	C:\Windows\SysWOW64\Nombnc32.exe	Nicjaino.exe
File opened for modification	C:\Windows\SysWOW64\Qkakhakq.exe	Pklamb32.exe
File created	C:\Windows\SysWOW64\Hqcqdk32.dll	Pklamb32.exe
File opened for modification	C:\Windows\SysWOW64\Kplijk32.exe	Jfokff32.exe
File created	C:\Windows\SysWOW64\Pghaghfn.exe	Obfpejcl.exe
File created	C:\Windows\SysWOW64\Lfkich32.exe	Lmcejbbd.exe
File opened for modification	C:\Windows\SysWOW64\Knjhae32.exe	Kpfggang.exe
File created	C:\Windows\SysWOW64\Mgmipoen.dll	Nqgiel32.exe
File created	C:\Windows\SysWOW64\Kppdpo32.dll	Qkakhakq.exe
File created	C:\Windows\SysWOW64\Eeodqocd.exe	Eoconenj.exe
File created	C:\Windows\SysWOW64\Kfjjbd32.exe	Kanbjn32.exe
File created	C:\Windows\SysWOW64\Chkgcq32.dll	Fmpjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pnhacn32.exe	Philfgdh.exe
File created	C:\Windows\SysWOW64\Kjmopone.dll	Bndjfjhl.exe
File created	C:\Windows\SysWOW64\Jihngboe.exe	Jmamba32.exe
File created	C:\Windows\SysWOW64\Dcqmpa32.exe	Ckclfp32.exe
File opened for modification	C:\Windows\SysWOW64\Ekcemmgo.exe	Dgcoaock.exe
File created	C:\Windows\SysWOW64\Aljefena.exe	Aofemaog.exe
File created	C:\Windows\SysWOW64\Ejennd32.exe	Eckfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Aiimejap.exe	Qbhnga32.exe
File opened for modification	C:\Windows\SysWOW64\Eckfaj32.exe	Enomic32.exe
File created	C:\Windows\SysWOW64\Lelajb32.exe	Kanidd32.exe
File created	C:\Windows\SysWOW64\Qkakhakq.exe	Pklamb32.exe
File created	C:\Windows\SysWOW64\Adkcem32.dll	Bbbblhnc.exe
File opened for modification	C:\Windows\SysWOW64\Ebcdjc32.exe	Eeodqocd.exe
File created	C:\Windows\SysWOW64\Bjhpqn32.exe	Blabakle.exe
File created	C:\Windows\SysWOW64\Iedbcebd.exe	Iqpclh32.exe
File created	C:\Windows\SysWOW64\Lpdlpnie.dll	Dokqfl32.exe
File created	C:\Windows\SysWOW64\Foajai32.dll	Ffeaichg.exe
File created	C:\Windows\SysWOW64\Knifging.exe	Jnfjbj32.exe
File created	C:\Windows\SysWOW64\Hcdfho32.exe	Gjghdj32.exe
File created	C:\Windows\SysWOW64\Fejlbgek.exe	Fblpflfg.exe
File created	C:\Windows\SysWOW64\Nfjeej32.exe	Npqmipjq.exe
File opened for modification	C:\Windows\SysWOW64\Obfpejcl.exe	Ollgiplp.exe
File created	C:\Windows\SysWOW64\Doikfb32.dll	Lbbjhini.exe
File opened for modification	C:\Windows\SysWOW64\Gadimkpb.exe	Fmpjfn32.exe
File created	C:\Windows\SysWOW64\Pklamb32.exe	Pnhacn32.exe
File created	C:\Windows\SysWOW64\Phajblpj.dll	Eojeodga.exe
File opened for modification	C:\Windows\SysWOW64\Mfomda32.exe	Mpchbhjl.exe
File opened for modification	C:\Windows\SysWOW64\Fjdajhbi.exe	Fchlhnlo.exe
File created	C:\Windows\SysWOW64\Mgklcd32.dll	Qipjokik.exe
File created	C:\Windows\SysWOW64\Docpdpol.dll	Iedbcebd.exe
File created	C:\Windows\SysWOW64\Lampbohh.dll	Kanidd32.exe
File created	C:\Windows\SysWOW64\Fmflco32.dll	Gmnfglcd.exe
File created	C:\Windows\SysWOW64\Oapllk32.exe	Oghgbe32.exe
File created	C:\Windows\SysWOW64\Pichac32.dll	Kplijk32.exe
File created	C:\Windows\SysWOW64\Kpfggang.exe	Kkioojpp.exe
File created	C:\Windows\SysWOW64\Fecibala.dll	Lnhdbc32.exe
File created	C:\Windows\SysWOW64\Ciogobcm.exe	Bbbblhnc.exe
File created	C:\Windows\SysWOW64\Jaekkfcm.exe	Jognokdi.exe
File opened for modification	C:\Windows\SysWOW64\Kpanmb32.exe	Jgiiclkl.exe
File created	C:\Windows\SysWOW64\Kbfgmnia.dll	Gmnmbbgp.exe
File created	C:\Windows\SysWOW64\Iaqjia32.dll	Kfmmajed.exe
File created	C:\Windows\SysWOW64\Bbhoko32.dll	Imnoni32.exe
File created	C:\Windows\SysWOW64\Jpmfpmhg.dll	Nncoaq32.exe
File created	C:\Windows\SysWOW64\Opfqgkgc.dll	Gjghdj32.exe
File opened for modification	C:\Windows\SysWOW64\Lplaaiqd.exe	Kfjjbd32.exe
File created	C:\Windows\SysWOW64\Nmommn32.exe	Nbiioe32.exe
File created	C:\Windows\SysWOW64\Caikpked.dll	Jognokdi.exe
File created	C:\Windows\SysWOW64\Bijfpm32.dll	Ohkijc32.exe
File created	C:\Windows\SysWOW64\Dnkbcp32.exe	Dijppjfd.exe
File created	C:\Windows\SysWOW64\Ehcfdc32.dll	Eckfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Iqpclh32.exe	b59f9842d22f968620f82c103760cd13.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3548	7028	WerFault.exe	300
2384	7028	WerFault.exe	300

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhjdnn32.dll"	Adnilfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bndjfjhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jefgak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmaakpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abcaho32.dll"	Knifging.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfjjbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akgcdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejennd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghqeihbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phpklp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dokqfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdendn32.dll"	Eqdpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcefei32.dll"	Iodjcnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jelhcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlfniafa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaekkfcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abfmnkfh.dll"	Iqpclh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoconenj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akgcdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dklomnmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iobecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqcqdk32.dll"	Pklamb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkcackeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmlpjdgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adkcem32.dll"	Bbbblhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jihngboe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pichac32.dll"	Kplijk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppffec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iedbcebd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflfda32.dll"	Pghaghfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfqmlko.dll"	Qkmqne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgcoaock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damneiak.dll"	Lmcejbbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geflne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfemdcba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inepckml.dll"	Mpchbhjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjood32.dll"	Npadcfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmbkipk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkcjajig.dll"	Pgmkbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhelddln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enomic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciogobcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plphjbim.dll"	Hcdfho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dijppjfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akipic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmmbmiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcqmpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jelhcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmopone.dll"	Bndjfjhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcjodbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjppniq.dll"	Dnkbcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpmfklbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onlaqbaj.dll"	Ggdbmoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcgldl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejdonq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qipjokik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccfcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffeaichg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfemdcba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnmpbec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jogeia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpfqiha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccipelcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppccemjk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2608	1216	b59f9842d22f968620f82c103760cd13.exe	94
PID 1216 wrote to memory of 2608	1216	b59f9842d22f968620f82c103760cd13.exe	94
PID 1216 wrote to memory of 2608	1216	b59f9842d22f968620f82c103760cd13.exe	94
PID 2608 wrote to memory of 3228	2608	Iqpclh32.exe	95
PID 2608 wrote to memory of 3228	2608	Iqpclh32.exe	95
PID 2608 wrote to memory of 3228	2608	Iqpclh32.exe	95
PID 3228 wrote to memory of 4920	3228	Iedbcebd.exe	96
PID 3228 wrote to memory of 4920	3228	Iedbcebd.exe	96
PID 3228 wrote to memory of 4920	3228	Iedbcebd.exe	96
PID 4920 wrote to memory of 1436	4920	Jcjodbgl.exe	97
PID 4920 wrote to memory of 1436	4920	Jcjodbgl.exe	97
PID 4920 wrote to memory of 1436	4920	Jcjodbgl.exe	97
PID 1436 wrote to memory of 4960	1436	Jelhcd32.exe	98
PID 1436 wrote to memory of 4960	1436	Jelhcd32.exe	98
PID 1436 wrote to memory of 4960	1436	Jelhcd32.exe	98
PID 4960 wrote to memory of 3948	4960	Jnfjbj32.exe	99
PID 4960 wrote to memory of 3948	4960	Jnfjbj32.exe	99
PID 4960 wrote to memory of 3948	4960	Jnfjbj32.exe	99
PID 3948 wrote to memory of 2684	3948	Knifging.exe	100
PID 3948 wrote to memory of 2684	3948	Knifging.exe	100
PID 3948 wrote to memory of 2684	3948	Knifging.exe	100
PID 2684 wrote to memory of 4252	2684	Kceoppmo.exe	101
PID 2684 wrote to memory of 4252	2684	Kceoppmo.exe	101
PID 2684 wrote to memory of 4252	2684	Kceoppmo.exe	101
PID 4252 wrote to memory of 3748	4252	Kanidd32.exe	102
PID 4252 wrote to memory of 3748	4252	Kanidd32.exe	102
PID 4252 wrote to memory of 3748	4252	Kanidd32.exe	102
PID 3748 wrote to memory of 4904	3748	Lelajb32.exe	103
PID 3748 wrote to memory of 4904	3748	Lelajb32.exe	103
PID 3748 wrote to memory of 4904	3748	Lelajb32.exe	103
PID 4904 wrote to memory of 4448	4904	Lmlpjdgo.exe	104
PID 4904 wrote to memory of 4448	4904	Lmlpjdgo.exe	104
PID 4904 wrote to memory of 4448	4904	Lmlpjdgo.exe	104
PID 4448 wrote to memory of 4908	4448	Mehafq32.exe	105
PID 4448 wrote to memory of 4908	4448	Mehafq32.exe	105
PID 4448 wrote to memory of 4908	4448	Mehafq32.exe	105
PID 4908 wrote to memory of 3272	4908	Mkicjgnn.exe	106
PID 4908 wrote to memory of 3272	4908	Mkicjgnn.exe	106
PID 4908 wrote to memory of 3272	4908	Mkicjgnn.exe	106
PID 3272 wrote to memory of 3064	3272	Nncoaq32.exe	107
PID 3272 wrote to memory of 3064	3272	Nncoaq32.exe	107
PID 3272 wrote to memory of 3064	3272	Nncoaq32.exe	107
PID 3064 wrote to memory of 620	3064	Noehac32.exe	108
PID 3064 wrote to memory of 620	3064	Noehac32.exe	108
PID 3064 wrote to memory of 620	3064	Noehac32.exe	108
PID 620 wrote to memory of 4340	620	Oolnabal.exe	109
PID 620 wrote to memory of 4340	620	Oolnabal.exe	109
PID 620 wrote to memory of 4340	620	Oolnabal.exe	109
PID 4340 wrote to memory of 1092	4340	Philfgdh.exe	110
PID 4340 wrote to memory of 1092	4340	Philfgdh.exe	110
PID 4340 wrote to memory of 1092	4340	Philfgdh.exe	110
PID 1092 wrote to memory of 4328	1092	Pnhacn32.exe	111
PID 1092 wrote to memory of 4328	1092	Pnhacn32.exe	111
PID 1092 wrote to memory of 4328	1092	Pnhacn32.exe	111
PID 4328 wrote to memory of 2780	4328	Pklamb32.exe	112
PID 4328 wrote to memory of 2780	4328	Pklamb32.exe	112
PID 4328 wrote to memory of 2780	4328	Pklamb32.exe	112
PID 2780 wrote to memory of 4648	2780	Qkakhakq.exe	113
PID 2780 wrote to memory of 4648	2780	Qkakhakq.exe	113
PID 2780 wrote to memory of 4648	2780	Qkakhakq.exe	113
PID 4648 wrote to memory of 1276	4648	Adnilfnl.exe	114
PID 4648 wrote to memory of 1276	4648	Adnilfnl.exe	114
PID 4648 wrote to memory of 1276	4648	Adnilfnl.exe	114
PID 1276 wrote to memory of 2724	1276	Aocmio32.exe	115

C:\Users\Admin\AppData\Local\Temp\b59f9842d22f968620f82c103760cd13.exe
"C:\Users\Admin\AppData\Local\Temp\b59f9842d22f968620f82c103760cd13.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\Iqpclh32.exe
  C:\Windows\system32\Iqpclh32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\Iedbcebd.exe
    C:\Windows\system32\Iedbcebd.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3228
  - - C:\Windows\SysWOW64\Jcjodbgl.exe
      C:\Windows\system32\Jcjodbgl.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\SysWOW64\Jelhcd32.exe
        
        C:\Windows\system32\Jelhcd32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
      - C:\Windows\SysWOW64\Jnfjbj32.exe
        
        C:\Windows\system32\Jnfjbj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Knifging.exe
        
        C:\Windows\system32\Knifging.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Kceoppmo.exe
        
        C:\Windows\system32\Kceoppmo.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Kanidd32.exe
        
        C:\Windows\system32\Kanidd32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Lelajb32.exe
        
        C:\Windows\system32\Lelajb32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Lmlpjdgo.exe
        
        C:\Windows\system32\Lmlpjdgo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Mehafq32.exe
        
        C:\Windows\system32\Mehafq32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Mkicjgnn.exe
        
        C:\Windows\system32\Mkicjgnn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Nncoaq32.exe
        
        C:\Windows\system32\Nncoaq32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Noehac32.exe
        
        C:\Windows\system32\Noehac32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Oolnabal.exe
        
        C:\Windows\system32\Oolnabal.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Philfgdh.exe
        
        C:\Windows\system32\Philfgdh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Pnhacn32.exe
        
        C:\Windows\system32\Pnhacn32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Pklamb32.exe
        
        C:\Windows\system32\Pklamb32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Qkakhakq.exe
        
        C:\Windows\system32\Qkakhakq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Adnilfnl.exe
        
        C:\Windows\system32\Adnilfnl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Aocmio32.exe
        
        C:\Windows\system32\Aocmio32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Akogio32.exe
        
        C:\Windows\system32\Akogio32.exe
        23⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Bbklli32.exe
        
        C:\Windows\system32\Bbklli32.exe
        24⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Bndjfjhl.exe
        
        C:\Windows\system32\Bndjfjhl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Bbbblhnc.exe
        
        C:\Windows\system32\Bbbblhnc.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Ciogobcm.exe
        
        C:\Windows\system32\Ciogobcm.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Cldjkl32.exe
        
        C:\Windows\system32\Cldjkl32.exe
        28⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Dfemdcba.exe
        
        C:\Windows\system32\Dfemdcba.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Dpnbmi32.exe
        
        C:\Windows\system32\Dpnbmi32.exe
        30⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Eoconenj.exe
        
        C:\Windows\system32\Eoconenj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Eeodqocd.exe
        
        C:\Windows\system32\Eeodqocd.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Ebcdjc32.exe
        
        C:\Windows\system32\Ebcdjc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Eojeodga.exe
        
        C:\Windows\system32\Eojeodga.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Fcodfa32.exe
        
        C:\Windows\system32\Fcodfa32.exe
        35⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Fljedg32.exe
        
        C:\Windows\system32\Fljedg32.exe
        36⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Ghqeihbb.exe
        
        C:\Windows\system32\Ghqeihbb.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Ggdbmoho.exe
        
        C:\Windows\system32\Ggdbmoho.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Gplged32.exe
        
        C:\Windows\system32\Gplged32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Gjghdj32.exe
        
        C:\Windows\system32\Gjghdj32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Hcdfho32.exe
        
        C:\Windows\system32\Hcdfho32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Hhaope32.exe
        
        C:\Windows\system32\Hhaope32.exe
        42⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Windows\SysWOW64\Igghilhi.exe
        
        C:\Windows\system32\Igghilhi.exe
        43⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Iodjcnca.exe
        
        C:\Windows\system32\Iodjcnca.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Ijlkfg32.exe
        
        C:\Windows\system32\Ijlkfg32.exe
        45⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\Ifckkhfi.exe
        
        C:\Windows\system32\Ifckkhfi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Jcgldl32.exe
        
        C:\Windows\system32\Jcgldl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Jmamba32.exe
        
        C:\Windows\system32\Jmamba32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\Jihngboe.exe
        
        C:\Windows\system32\Jihngboe.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Jfokff32.exe
        
        C:\Windows\system32\Jfokff32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\Kplijk32.exe
        
        C:\Windows\system32\Kplijk32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Kanbjn32.exe
        
        C:\Windows\system32\Kanbjn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Kfjjbd32.exe
        
        C:\Windows\system32\Kfjjbd32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Lplaaiqd.exe
        
        C:\Windows\system32\Lplaaiqd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Mpchbhjl.exe
        
        C:\Windows\system32\Mpchbhjl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Mfomda32.exe
        
        C:\Windows\system32\Mfomda32.exe
        56⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Nfdfoala.exe
        
        C:\Windows\system32\Nfdfoala.exe
        57⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Nffceq32.exe
        
        C:\Windows\system32\Nffceq32.exe
        58⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Npadcfnl.exe
        
        C:\Windows\system32\Npadcfnl.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Ohkijc32.exe
        
        C:\Windows\system32\Ohkijc32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Oacmchcl.exe
        
        C:\Windows\system32\Oacmchcl.exe
        61⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Oinbgk32.exe
        
        C:\Windows\system32\Oinbgk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Ohobebig.exe
        
        C:\Windows\system32\Ohobebig.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Opopdd32.exe
        
        C:\Windows\system32\Opopdd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Ppffec32.exe
        
        C:\Windows\system32\Ppffec32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Phpklp32.exe
        
        C:\Windows\system32\Phpklp32.exe
        66⤵
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Qkcackeb.exe
        
        C:\Windows\system32\Qkcackeb.exe
        67⤵
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Agcdnjcl.exe
        
        C:\Windows\system32\Agcdnjcl.exe
        68⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\Biigildg.exe
        
        C:\Windows\system32\Biigildg.exe
        69⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Cebdcmhh.exe
        
        C:\Windows\system32\Cebdcmhh.exe
        70⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Cnpbgajc.exe
        
        C:\Windows\system32\Cnpbgajc.exe
        71⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Dijppjfd.exe
        
        C:\Windows\system32\Dijppjfd.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Dnkbcp32.exe
        
        C:\Windows\system32\Dnkbcp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Dehgejep.exe
        
        C:\Windows\system32\Dehgejep.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Ejdonq32.exe
        
        C:\Windows\system32\Ejdonq32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Eejcki32.exe
        
        C:\Windows\system32\Eejcki32.exe
        76⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Fblpflfg.exe
        
        C:\Windows\system32\Fblpflfg.exe
        77⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Fejlbgek.exe
        
        C:\Windows\system32\Fejlbgek.exe
        78⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Geflne32.exe
        
        C:\Windows\system32\Geflne32.exe
        79⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Npqmipjq.exe
        
        C:\Windows\system32\Npqmipjq.exe
        80⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Nfjeej32.exe
        
        C:\Windows\system32\Nfjeej32.exe
        81⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Ofmbkipk.exe
        
        C:\Windows\system32\Ofmbkipk.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Ollgiplp.exe
        
        C:\Windows\system32\Ollgiplp.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Obfpejcl.exe
        
        C:\Windows\system32\Obfpejcl.exe
        84⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Pghaghfn.exe
        
        C:\Windows\system32\Pghaghfn.exe
        85⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Ppccemjk.exe
        
        C:\Windows\system32\Ppccemjk.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Pgmkbg32.exe
        
        C:\Windows\system32\Pgmkbg32.exe
        87⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Qkmqne32.exe
        
        C:\Windows\system32\Qkmqne32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Qpmfklbq.exe
        
        C:\Windows\system32\Qpmfklbq.exe
        89⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Aiejda32.exe
        
        C:\Windows\system32\Aiejda32.exe
        90⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Acmomgoa.exe
        
        C:\Windows\system32\Acmomgoa.exe
        91⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Akgcdc32.exe
        
        C:\Windows\system32\Akgcdc32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Akipic32.exe
        
        C:\Windows\system32\Akipic32.exe
        93⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Acdeneij.exe
        
        C:\Windows\system32\Acdeneij.exe
        94⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Blabakle.exe
        
        C:\Windows\system32\Blabakle.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Bjhpqn32.exe
        
        C:\Windows\system32\Bjhpqn32.exe
        96⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Bjjmfn32.exe
        
        C:\Windows\system32\Bjjmfn32.exe
        97⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Cgnmpbec.exe
        
        C:\Windows\system32\Cgnmpbec.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Cgpjebcp.exe
        
        C:\Windows\system32\Cgpjebcp.exe
        99⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Cmmbmiag.exe
        
        C:\Windows\system32\Cmmbmiag.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Cgbfka32.exe
        
        C:\Windows\system32\Cgbfka32.exe
        101⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Ckclfp32.exe
        
        C:\Windows\system32\Ckclfp32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Dcqmpa32.exe
        
        C:\Windows\system32\Dcqmpa32.exe
        103⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Dklomnmf.exe
        
        C:\Windows\system32\Dklomnmf.exe
        104⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Dqigee32.exe
        
        C:\Windows\system32\Dqigee32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4352
        
        C:\Windows\SysWOW64\Dgcoaock.exe
        
        C:\Windows\system32\Dgcoaock.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Ekcemmgo.exe
        
        C:\Windows\system32\Ekcemmgo.exe
        107⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Emlgedge.exe
        
        C:\Windows\system32\Emlgedge.exe
        108⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Fnkdpgnh.exe
        
        C:\Windows\system32\Fnkdpgnh.exe
        109⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Fchlhnlo.exe
        
        C:\Windows\system32\Fchlhnlo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Fjdajhbi.exe
        
        C:\Windows\system32\Fjdajhbi.exe
        111⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Fejegaao.exe
        
        C:\Windows\system32\Fejegaao.exe
        112⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Flfjjkgi.exe
        
        C:\Windows\system32\Flfjjkgi.exe
        113⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Glmqjj32.exe
        
        C:\Windows\system32\Glmqjj32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Gmnmbbgp.exe
        
        C:\Windows\system32\Gmnmbbgp.exe
        115⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Hoepmd32.exe
        
        C:\Windows\system32\Hoepmd32.exe
        116⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Iefnjm32.exe
        
        C:\Windows\system32\Iefnjm32.exe
        117⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Ihicah32.exe
        
        C:\Windows\system32\Ihicah32.exe
        118⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Jogeia32.exe
        
        C:\Windows\system32\Jogeia32.exe
        119⤵
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Jkqccbkf.exe
        
        C:\Windows\system32\Jkqccbkf.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Jefgak32.exe
        
        C:\Windows\system32\Jefgak32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Jhgpbf32.exe
        
        C:\Windows\system32\Jhgpbf32.exe
        122⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Kfmmajed.exe
        
        C:\Windows\system32\Kfmmajed.exe
        123⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Knhbflbp.exe
        
        C:\Windows\system32\Knhbflbp.exe
        124⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Khpcid32.exe
        
        C:\Windows\system32\Khpcid32.exe
        125⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Khbpndnp.exe
        
        C:\Windows\system32\Khbpndnp.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3740
        
        C:\Windows\SysWOW64\Knphfklg.exe
        
        C:\Windows\system32\Knphfklg.exe
        127⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Lhelddln.exe
        
        C:\Windows\system32\Lhelddln.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Lnbdlkje.exe
        
        C:\Windows\system32\Lnbdlkje.exe
        129⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\Ldlmieaa.exe
        
        C:\Windows\system32\Ldlmieaa.exe
        130⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Lmcejbbd.exe
        
        C:\Windows\system32\Lmcejbbd.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Lfkich32.exe
        
        C:\Windows\system32\Lfkich32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Locnlmoe.exe
        
        C:\Windows\system32\Locnlmoe.exe
        133⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\Lbbjhini.exe
        
        C:\Windows\system32\Lbbjhini.exe
        134⤵
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Mmaakpfd.exe
        
        C:\Windows\system32\Mmaakpfd.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Mfiedfmd.exe
        
        C:\Windows\system32\Mfiedfmd.exe
        136⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Mkfnlmkl.exe
        
        C:\Windows\system32\Mkfnlmkl.exe
        137⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Mflbjejb.exe
        
        C:\Windows\system32\Mflbjejb.exe
        138⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Nbiioe32.exe
        
        C:\Windows\system32\Nbiioe32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:416
        
        C:\Windows\SysWOW64\Nmommn32.exe
        
        C:\Windows\system32\Nmommn32.exe
        140⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Poqckdap.exe
        
        C:\Windows\system32\Poqckdap.exe
        141⤵
        
        PID:904
        
        C:\Windows\SysWOW64\Pmbcik32.exe
        
        C:\Windows\system32\Pmbcik32.exe
        142⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Qipjokik.exe
        
        C:\Windows\system32\Qipjokik.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Qlnfkgho.exe
        
        C:\Windows\system32\Qlnfkgho.exe
        144⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Qbhnga32.exe
        
        C:\Windows\system32\Qbhnga32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Aiimejap.exe
        
        C:\Windows\system32\Aiimejap.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6368
        
        C:\Windows\SysWOW64\Aofemaog.exe
        
        C:\Windows\system32\Aofemaog.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Aljefena.exe
        
        C:\Windows\system32\Aljefena.exe
        148⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Aebjokda.exe
        
        C:\Windows\system32\Aebjokda.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Boaeioej.exe
        
        C:\Windows\system32\Boaeioej.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Cfpfqiha.exe
        
        C:\Windows\system32\Cfpfqiha.exe
        151⤵
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Cohkinob.exe
        
        C:\Windows\system32\Cohkinob.exe
        152⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Cnjkgf32.exe
        
        C:\Windows\system32\Cnjkgf32.exe
        153⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Ccfcpm32.exe
        
        C:\Windows\system32\Ccfcpm32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Cnlhme32.exe
        
        C:\Windows\system32\Cnlhme32.exe
        155⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Ccipelcf.exe
        
        C:\Windows\system32\Ccipelcf.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Cnndbecl.exe
        
        C:\Windows\system32\Cnndbecl.exe
        157⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Dlfniafa.exe
        
        C:\Windows\system32\Dlfniafa.exe
        158⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Dokqfl32.exe
        
        C:\Windows\system32\Dokqfl32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Enlqdc32.exe
        
        C:\Windows\system32\Enlqdc32.exe
        160⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Enomic32.exe
        
        C:\Windows\system32\Enomic32.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Eckfaj32.exe
        
        C:\Windows\system32\Eckfaj32.exe
        162⤵
        Drops file in System32 directory
        
        PID:7108
        
        C:\Windows\SysWOW64\Ejennd32.exe
        
        C:\Windows\system32\Ejennd32.exe
        163⤵
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Eqdpfm32.exe
        
        C:\Windows\system32\Eqdpfm32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Ffeaichg.exe
        
        C:\Windows\system32\Ffeaichg.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Fmpjfn32.exe
        
        C:\Windows\system32\Fmpjfn32.exe
        166⤵
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Gadimkpb.exe
        
        C:\Windows\system32\Gadimkpb.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Gmnfglcd.exe
        
        C:\Windows\system32\Gmnfglcd.exe
        168⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Hmginjki.exe
        
        C:\Windows\system32\Hmginjki.exe
        169⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Hoibmmpi.exe
        
        C:\Windows\system32\Hoibmmpi.exe
        170⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Ihagfb32.exe
        
        C:\Windows\system32\Ihagfb32.exe
        171⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\Imnoni32.exe
        
        C:\Windows\system32\Imnoni32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Iobecl32.exe
        
        C:\Windows\system32\Iobecl32.exe
        173⤵
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Jognokdi.exe
        
        C:\Windows\system32\Jognokdi.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Jaekkfcm.exe
        
        C:\Windows\system32\Jaekkfcm.exe
        175⤵
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Joikdk32.exe
        
        C:\Windows\system32\Joikdk32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6852
        
        C:\Windows\SysWOW64\Jgdphm32.exe
        
        C:\Windows\system32\Jgdphm32.exe
        177⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Jgiiclkl.exe
        
        C:\Windows\system32\Jgiiclkl.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Kpanmb32.exe
        
        C:\Windows\system32\Kpanmb32.exe
        179⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Kgkfil32.exe
        
        C:\Windows\system32\Kgkfil32.exe
        180⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Knenffqf.exe
        
        C:\Windows\system32\Knenffqf.exe
        181⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\Kdpfbp32.exe
        
        C:\Windows\system32\Kdpfbp32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2336
        
        C:\Windows\SysWOW64\Kkioojpp.exe
        
        C:\Windows\system32\Kkioojpp.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\Kpfggang.exe
        
        C:\Windows\system32\Kpfggang.exe
        184⤵
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Knjhae32.exe
        
        C:\Windows\system32\Knjhae32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7156
        
        C:\Windows\SysWOW64\Lajmmc32.exe
        
        C:\Windows\system32\Lajmmc32.exe
        186⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Lonnfg32.exe
        
        C:\Windows\system32\Lonnfg32.exe
        187⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Lnhdbc32.exe
        
        C:\Windows\system32\Lnhdbc32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\Lgqhki32.exe
        
        C:\Windows\system32\Lgqhki32.exe
        189⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Mqpcdn32.exe
        
        C:\Windows\system32\Mqpcdn32.exe
        190⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Mkegbfgp.exe
        
        C:\Windows\system32\Mkegbfgp.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1276
        
        C:\Windows\SysWOW64\Nkjqme32.exe
        
        C:\Windows\system32\Nkjqme32.exe
        192⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Nqgiel32.exe
        
        C:\Windows\system32\Nqgiel32.exe
        193⤵
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Nicjaino.exe
        
        C:\Windows\system32\Nicjaino.exe
        194⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Nombnc32.exe
        
        C:\Windows\system32\Nombnc32.exe
        195⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Nqnofkkj.exe
        
        C:\Windows\system32\Nqnofkkj.exe
        196⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Oghgbe32.exe
        
        C:\Windows\system32\Oghgbe32.exe
        197⤵
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\Oapllk32.exe
        
        C:\Windows\system32\Oapllk32.exe
        198⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Okfpid32.exe
        
        C:\Windows\system32\Okfpid32.exe
        199⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 400
        200⤵
        Program crash
        
        PID:3548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 400
        200⤵
        Program crash
        
        PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:5492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7028 -ip 7028
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acdeneij.exe

Filesize
78KB

MD5
57f297f96cb0a021374c8c15765baa30

SHA1
ad6e92487f638a872a3f47bce78b6b301f00233a

SHA256
e08e0998915fd15c481ce7b578671ec7397ebd2e84d045f6d0bd4e5a29915f90

SHA512
0edad13e80c0eb7b98cd8cf088cef5d74a78d97db195363694e69f1eb1d420bb55072fe1f7afb27f9bcc10413ffa728795fd751a1d1972c1b01a4714f59f234b

Download Submit
C:\Windows\SysWOW64\Adnilfnl.exe

Filesize
78KB

MD5
d2af07ee561109282d5c1b76f967a299

SHA1
f2febbd5e975d778111de5d8f7de682b99282a92

SHA256
a1e1637d7a3f5f9519973fac0adedf61fea87c04e65daba3adb7e5604c437f3c

SHA512
8478e7f8e8868901162d3fabdaba737ba1b64102e6fcdfefb6f882da539371ba734c239c786db5aa132f0c71fd9ada2abb576864814c5b40df3656c4ccf8b643

Download Submit
C:\Windows\SysWOW64\Akogio32.exe

Filesize
78KB

MD5
f9d13848f18fc2566dcee4c70b97334b

SHA1
ef296fb334b67ca6f8a8c44721480a9334ba6dbd

SHA256
a008dd5b0a473e9ce8b355a8fabed08bdf008807ce32096a0f3f553f66c0f386

SHA512
3338b4199a7c68e96dce2c727ba8dd12a7e6d4b1df50919f6714b20d6516e8715dba5bc03bf72f28effca35b10ab82d2a0bdc179553464dbe42866d3ed28ba23

Download Submit
C:\Windows\SysWOW64\Aocmio32.exe

Filesize
78KB

MD5
aec178cf9b20dbbf3a89ae984f1dd050

SHA1
53213c783a4c3d4b9add3d274aaf45327e000901

SHA256
da6d515090f84d665ac9f2e615e62afc463200e7b5df8ede78e9a3a0a2c6ec3c

SHA512
31f5b5374a0cc926c00c19f7e20f98d0c2c7b124e0ff0da5f7fc47bc65d79e9e0c46388f5b2c8dc2ad5405dd93028e6b32d75a13b5b332e14bbebbe67816ac9f

Download Submit
C:\Windows\SysWOW64\Bbbblhnc.exe

Filesize
78KB

MD5
a4486f277b0ad4f2a66b2e5730bc94f6

SHA1
11ec3cdeb14106c73b5ba27bba12f90e21c38a26

SHA256
683e65710588e587b9b78d983d40e91a2b92accf16c98065f8c330bda8e80366

SHA512
c0b043fde6070a3d2e60b6ebd7fa8e3b403839b1ce9ad54bcf7310d20b28377fec729951950dde659114a4b67235959d677c38b29605612bca8e856c16503e11

Download Submit
C:\Windows\SysWOW64\Bbklli32.exe

Filesize
78KB

MD5
6a964cf1b5ac83fd150bf6f84eaea7e5

SHA1
cc6b0c05769ef9545ca65aa5cab8fa7ed5fef21e

SHA256
d12920515aa389660ffa5e877008479e5ae3725367aef851b16024ae6d4bb837

SHA512
e60e7a0e415b19ea5e8d3a069e464728950a0ffb73a460bace1085697b8138e7bb873d97c53a246fb93052d534422c495d0ed911c38655397dda6314334b8781

Download Submit
C:\Windows\SysWOW64\Bndjfjhl.exe

Filesize
78KB

MD5
fa652861fd4540acd51f1269c243449f

SHA1
af396ab3dcc03d03b1787a26708ec5c2cb1e2a66

SHA256
4188a7b168d36a982940a96831f6c4ee8e2c892583a5aae429399f07e55f70c9

SHA512
75aa3c41b64537f105f92fc02d7b06dfd08f2430baad7f9201c833c99bd99f2a918442ec0dc7bc3c37f79dfbbf3743cadf38d31d501961e38b0d345c0648b530

Download Submit
C:\Windows\SysWOW64\Ciogobcm.exe

Filesize
78KB

MD5
4850f7f43c26f650fa62f235463a8112

SHA1
4816f8e5f6cc339be2f425034e1f12dec27a0887

SHA256
37fd9f313187201db5e9ad93c9899ed62cdf1de5bb0f14fc4089d85a5ba2b5cd

SHA512
1d9520c08c0690b373367e13331d6d49fe8f8e8bf30ffbbf384ac8c647ebb082a17c9e6780e8c2df36a1220727699ab75462c23d208f4d72cdb9cf436b32654a

Download Submit
C:\Windows\SysWOW64\Cldjkl32.exe

Filesize
78KB

MD5
38c99d6d5e6bb532ad4a95d044cdc77f

SHA1
ffdb54cbe05d7b515d3403c6bea34902e4810298

SHA256
86f20aa7382947287577644c5d3a3d5115baabfaa3cd0ff6671d40971c436005

SHA512
73a481a005866cf12fb3c6f4f2b532c00e67628f09133cd011c28423298977bab027b634fabeaa6111805992efc0c78ad4f86b770587d974df22bdbc59330dc2

Download Submit
C:\Windows\SysWOW64\Dfemdcba.exe

Filesize
78KB

MD5
bdcf10ed94fcf78d91b531df7774e3f7

SHA1
afd9cd03d837d726a4c49fb381ec879a2f690e95

SHA256
e164884aaee56c05a326117b1279852f12ccff5b4c3c530eeea998a9f545bdc4

SHA512
2188534c8a20bfb6162bed6a3c6c3ec40b96a438902bd60ee1a4973597478423cc08c42b122e182a515c9d89128c841d6f5722a182dd781752ad3114531a237b

Download Submit
C:\Windows\SysWOW64\Dpnbmi32.exe

Filesize
78KB

MD5
dc4bb0d1b44f4c3f925d324ad25efcc1

SHA1
0182ea8a252fdeb8def2d5daad8018173b9a7615

SHA256
3f756c43db5cdfccdc8eae0c778538acb174735ebe1178ee3cf9d12703f51718

SHA512
576c337360f97a40470c965b93d6efdec819a408102937531e5a07e21627d48b3349cafa093e3fb0d9272baa93945fad00b671d8a19cea18f975d8ecf4bf85d7

Download Submit
C:\Windows\SysWOW64\Ebcdjc32.exe

Filesize
78KB

MD5
41962f02a4ec63b9750182398cd13eb2

SHA1
c9676e91881d8b75bcfdd5efdd3d73da2476d818

SHA256
870b31f24e45f13cb9bd2a32ffac2f00a0f14dcd0bdf6775b6e832f6a3daceac

SHA512
62429e95ae68c6db16028b8892576025070fbdb72832f49c6f1ad701ff88cf22bc209a48470631c71d4fbdeca3247e0b07364924ec4b5e62adfb5fcb65a73730

Download Submit
C:\Windows\SysWOW64\Eeodqocd.exe

Filesize
78KB

MD5
4c8cf1f7ae70571e01bc84cc41436f95

SHA1
eb6538302b0ab68e3a4c2dbf64e2f81c30ff959d

SHA256
9f083f6f5dd9ba5d864e6d1145b471e0c5680220684b4a2cc0b16e35b01dcbae

SHA512
48226670fe04961efebfac9740be3bb07176e1a92081e946a06e5779b2403c39a5837def8125e5ee0d4ce69a269690f732458ce5bc3e66894be40812042f80ca

Download Submit
C:\Windows\SysWOW64\Eoconenj.exe

Filesize
78KB

MD5
7768b56968a3e4446b1055726b6913f0

SHA1
e3a33289695e48aeb2747f98da9a04f62258c1dc

SHA256
b3dd6b4a1b9624600e40548c4e467f3c5de49b10f6bde86eec796bddb20141f7

SHA512
abb547d319d84184628a6428bbb69a11afca743bf3ceffb2049f2d635be14c4248c1599fac5e3f74db0634aa12e0ff67eb34d90e2acdee57d37caaea872bb186

Download Submit
C:\Windows\SysWOW64\Hcdfho32.exe

Filesize
78KB

MD5
d8501c240f23a868d61e4326a02ac583

SHA1
0b85d2e1499e99bdd2ccabb965c7eb6bb98b74c3

SHA256
8e8f9a785142bbd8e5da5c5c201e4bf6c73da4f4b7a2d4b4f4ac9db4595d3c2b

SHA512
586bc7554b995a2cbcff981da98890830040475cff6f2ecfeca860930805c08f07594835711d75d2e43b22b76b4f0cdfd529e6a239e59c5d21b5903fa1057765

Download Submit
C:\Windows\SysWOW64\Iedbcebd.exe

Filesize
78KB

MD5
9ef1cd4384bd010163970a89046590fa

SHA1
e8c7427ebd2b99962c9e97080f99abe1d5de4b28

SHA256
7f061a434945a4ec6ca4154e54f6f88cb5f2a5829dd57d9d0c553ff816117aba

SHA512
1596e3b3972f55d98cab8914e3e39207ec483ed61a4471916c9b8b4ddb6e71ab33caf299beb9168bc3a1d5e2051820383d66d9b6221c916e704468b0ed1e0fd9

Download Submit
C:\Windows\SysWOW64\Iqpclh32.exe

Filesize
78KB

MD5
8047b81fcecdba8e6ff0bbd9d53bbf72

SHA1
63dd2c27714aba72fdf8dee1dea1e0b783b2aa11

SHA256
a152e25ec8a4cbf1f0231f61724036874ff863371acff491bdbcdf8264d317f0

SHA512
240f1cecd5676b1c23554e92bf8ceb43289d14c08899110a2f618e4424ac66997b54705d77bc9d861366c5face7291c56284a2f56932b8c969453bddece55a65

Download Submit
C:\Windows\SysWOW64\Jcjodbgl.exe

Filesize
78KB

MD5
e70bd938faeec20048597da5441ce94a

SHA1
faf3ec5b8da5d300b9509951c307e46a9bef6f62

SHA256
f918aee486cad69f8ecab6971df1c6ca40b0f79f0f91556557b229bf3cfb072f

SHA512
21cde2506a9e539f88d2b32d54fef81e4aa1126629a5be578b846962533249c93efee3c975cc9260234d4ebd9fc178bbdc24c5b108f4abe6fabbcd8d50f5b073

Download Submit
C:\Windows\SysWOW64\Jelhcd32.exe

Filesize
78KB

MD5
97091da251c679d181fe5ef76ffbc502

SHA1
ce60758114a2de08222cc51b2118ba759485e6af

SHA256
f6595e01547929f979bd43adc3486f10a55d563f7dc781303713bf1db25fec9f

SHA512
e5b00e55d37fa18df3b1b0ea3bf7db3a59620561d8da15deaf10bcfbc332dab50589776459e3991152fb4da4589caaddb3424bccb0c0d156539eea3413580e38

Download Submit
C:\Windows\SysWOW64\Jmamba32.exe

Filesize
78KB

MD5
6278bd2bfce1a417210f243ec1789c11

SHA1
fc1713390393d3d8a5785a9e81fc1dc087c7bd1a

SHA256
e99371537f0d0eddc733bfe625dd0b0681d513d3d2bd7ae560367400985bb141

SHA512
c1438cb430b71cbb9259f6aafeb70f66b16e85167f35a4d1727638cab5f0ac6c4b8a05ac78d328032a3a6b8e8779286d6e0780b38d58b15beab7d5ef36678a3c

Download Submit
C:\Windows\SysWOW64\Jnfjbj32.exe

Filesize
78KB

MD5
fd2ca2b9b32b84b46fa5cbee820bc236

SHA1
ab661dbc00487d5e828734e533d1639670b81979

SHA256
f5d3a42ec65e3ec80291409a20406e8c435f12adae4fe948caf1c3b1c697c94b

SHA512
39226acb985f8697f8e723aca80dea78967141e482e1f48711c7b30585eeb68d504e96f6a9097c813383144c7bc4eba8343bc43831020a9dcd70c6138d2107a1

Download Submit
C:\Windows\SysWOW64\Kanidd32.exe

Filesize
78KB

MD5
4e08ef25579327ad90b07909503c0bf1

SHA1
480cd2b179cc7946eb0115328659996336910759

SHA256
fd6e1b1b899cc77bb08adb90a06a50149a96c9a2d586c991a00228643230f8e8

SHA512
0421c50175fe5d8c8089483cab027a8b388d1c47278ac78fbf393ade8c8f46e0e2807f2345221c6231aca41081eec7356a42fb5a51d740e84e992f4e56f4a701

Download Submit
C:\Windows\SysWOW64\Kceoppmo.exe

Filesize
78KB

MD5
c19c750c87d0ca42b65662e536a27439

SHA1
2e1cbcc4d7c4a625d2dfaf339cc6684dd99c5175

SHA256
cd02d084b98c29dbcd713f551a0e3a4b6830acc7cfc1a48f33b3173e0b5a7b88

SHA512
3d859931d80892fb00fb97f83e8c2920e789a7628d0463e83e94421789fb2fb175f8f80919a459729f9a6d1b870ab2a70bc6043a45f5e7f070c17273f44f0726

Download Submit
C:\Windows\SysWOW64\Knifging.exe

Filesize
78KB

MD5
45ac79588d4c33db8fdbc084b55afbbe

SHA1
344895582d9d193884d04c95317df1520a3522e2

SHA256
90905607fa195f82962ac4f9ca0a1c6785453248c989aac655b82a61990b62b7

SHA512
f727a8cd1152841d4a05cc2522f20d1127a0571cadb0f3a7e834d99e222b48ec98c2a8414eb28ca5e29af535fa17a80b15a96f1f76ca4929ab4f81634a661fe6

Download Submit
C:\Windows\SysWOW64\Lajmmc32.exe

Filesize
78KB

MD5
45919a2cc9229151ad50898a2aee9e34

SHA1
9ff2d221899c17391a84ec0758c3dec8af6ffd80

SHA256
a9827a5d14e513d33feb4820d90dee014c62a3cfc9f03f4af77d9599f44f4033

SHA512
68f18b95c3628e6011950c1ecf2e81548020919179a5cafc2cdcd00757e113e395350157e44f3620b8cc0e6574fe934100d77794a167a118df2873ad378efc25

Download Submit
C:\Windows\SysWOW64\Lelajb32.exe

Filesize
78KB

MD5
5895cdb678a347c4105831dfa90b2c9f

SHA1
4b4ece1227560d4e8bb706b5df2952f2e920ff8e

SHA256
ed3eef3e9253cd0d7fa3c734270cdd4d336d8285015c659592a81598f2afdb70

SHA512
227d564d56a42c1f49330d699ebf1a2ce136cb227eac8d27112ada1489e13dfee86dc85aa2a4e2ad0432524cef1f1c27fb73ae49b86e8c0cb6cef0691859d0d6

Download Submit
C:\Windows\SysWOW64\Lmlpjdgo.exe

Filesize
78KB

MD5
6890d9c928b9637b7ff779fc5c6663eb

SHA1
b6da8871ab719668e25a73914a393ae3af6fb259

SHA256
2b73b2eff82010993abfff7e33ce4d9a9ca1645057e880435e2511d01fd4c4b4

SHA512
62270a1a5c2819272279492815278d093afcf839b517b2a16015093b6a514f8c975981c83d5925e1d228f1fa36ab19addb6bc75d91d72f2cc7efdaa27e08f2c5

Download Submit
C:\Windows\SysWOW64\Mehafq32.exe

Filesize
78KB

MD5
4e00b2a5b3953947057e82889dd520fd

SHA1
608d5ef49b0a050547b2b7f79f79544b17831db4

SHA256
94e7fc78c0831b2f1fd9114eca975c37d0317eebf1b427fd125360296054713e

SHA512
8ec639ef3198e78821f9c8d26783468755845fc911e94d3daee8fcb9d326d4995675170e5a43a2b0b743a88ea02794660f941a406ea17256a8bf51f77b383310

Download Submit
C:\Windows\SysWOW64\Mkicjgnn.exe

Filesize
78KB

MD5
f5163a1d1d3c1982ea46496a394cdcb0

SHA1
c2c2b8bbaf89d5b22640123adbc865a9931df327

SHA256
c7d5ecf06191ec57cc84a033f88359998ba67310f1ae083f1d1bca69d036b7f8

SHA512
06d05d5f56c553ceeb54aa334206c5ec01fedb18aa6d855a00c26aaabacd555258ed7de3d35620689037aedbe0d951de7560b21c422ca3c67b9cbf35cbdd7cec

Download Submit
C:\Windows\SysWOW64\Nncoaq32.exe

Filesize
78KB

MD5
a30b8404c41d24895f17d26d01c1be10

SHA1
fa1067fa67aaffcc25dd6daf9c9ef77af0ca1753

SHA256
bac65212d7ef177e989352642fdfe2d177944167d646af2f075a5d6168952e86

SHA512
8877a8246c8ee31f452d0785555ed19eae53427b698d79765629a640cdad0300033f715f6adef7df20d15aa2fa5e00f061094c22306028b3a2de723424307a24

Download Submit
C:\Windows\SysWOW64\Noehac32.exe

Filesize
78KB

MD5
994820d909680cd390febc9075b08793

SHA1
5740a20b6947cb83d1a24f870e8e00ea7ccebf8f

SHA256
ebd9fbfe4e4f35d9bf1013b69cc5148921810546f3bc298f96d5455628f9d839

SHA512
e71c913f87469c0a8810253ee4482e32bcf2d3dc78c4f4cee9b31834a66bbf3c10e2dc5c382dc779c7691fe098b8632d55a7d2aefbd166fafb7a5d2a27176125

Download Submit
C:\Windows\SysWOW64\Oolnabal.exe

Filesize
78KB

MD5
d8aaf3cc9f19ed24eb20cd2652a7f943

SHA1
946870af737bdd970d1fc527e951d1e9a8872d70

SHA256
c140fd2236e3a801bc51639a637febe54e13db584ba12d6827619a8e50a93b30

SHA512
12151469100264b83b951c3f86b36063dffd0b099f9de05ebdfb6f06427e2baf2f05c06059571f09133aa63add278d7d527cff6b880bb2b0fbffaf48c2d86d15

Download Submit
C:\Windows\SysWOW64\Philfgdh.exe

Filesize
78KB

MD5
c1c5209c3307a457e2b66ebfbbeafd72

SHA1
96efd5fe3b8d4f51fc64adc2b40a2c055d65d8be

SHA256
8f3c27107855067a26bc7c9bd5a85c4cd76c9be6ee1f185edcebc0b6afb45681

SHA512
73ef56a0a28de18fbca7735e7f200f2a966343b64f02a75f9573484280c18e55b572aa265cd41ef4df815e32f715c248fca9c2f7335a8730ea73a8b95d1be670

Download Submit
C:\Windows\SysWOW64\Pklamb32.exe

Filesize
78KB

MD5
e36d6acba832499aa056cc201d59a009

SHA1
1b592852cdfc48140d2b302c7f4f7e61fd49fbc5

SHA256
f3da6be272a7c8f4ce719ce3840e2a0435b36f0f7ee2e5bf577e9eb4f501a2cd

SHA512
2a278b545b2bf70fb1d7afdd7785232c8eb6a8a8083c384801c73e03717fb85130836994280eef6bd8019d4a104e9c4e0b7e83f54aa4f70b33e2954f1b2aaad6

Download Submit
C:\Windows\SysWOW64\Pnhacn32.exe

Filesize
78KB

MD5
cd801fce36ee87b047493747eda168ed

SHA1
decb56252b2329c5a4ba32df85ac2c28a8a65b13

SHA256
da92d911273ff16aebf77b6ec9bf8f4fad8948b0b008b09a8a204d5b176bf96c

SHA512
59d5a8e77fc43879dd120506dcbabce29f81b5a4e3b0e7876297cedef3c4550ba4257c2584c67ae6559561969d87e0787c1ed08311769c17efb7bc604195c767

Download Submit
C:\Windows\SysWOW64\Qkakhakq.exe

Filesize
78KB

MD5
216dc1b80fd2ae95414d8bfd0def1d5f

SHA1
9b06c6b84df0389f8f1906e9ff231bc2739adc5e

SHA256
6d349220502c8dc25155fc0bbe4e3a4c08ace020b3b6e25dfb22506d663ecde0

SHA512
95e1ff8d2d3b6b25965393cf7e23f1a527396da5398c9d04cfa4c1b99722ef481416c043bd90e1f8bbbf2c499622abf32d9e55d9b52d340ed31fc60a11cbd152

Download Submit
memory/384-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/408-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/620-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/624-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/728-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/792-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1008-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1092-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1216-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1216-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1216-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1232-194-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1276-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1436-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1488-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1596-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-402-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1672-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2108-390-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2684-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2780-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-360-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3136-226-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3272-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3372-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3536-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3600-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3748-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3792-420-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3796-366-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3948-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4024-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4144-372-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4152-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4328-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4332-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4336-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4652-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-210-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-396-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5012-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5020-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads