eaf25dcce1aa8f92d0a51030f2bd33728a49d408a03ac2233e87ca6818821629

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f0eac01231bca4dc447f4d3e60a5d2c.exe
Size

416KB
MD5

4f0eac01231bca4dc447f4d3e60a5d2c
SHA1

0f9a9a7ccbb4061e4b23fed7cf57996c79dc14fc
SHA256

eaf25dcce1aa8f92d0a51030f2bd33728a49d408a03ac2233e87ca6818821629
SHA512

6f67a406c142a29b8a53cb516fd2c2d8817181cbb3bde8a0b1d65bae519c8e59102f9df7693b0fe09ecfd055e9c6067c1b6408dfbcf84d84ba7a0edeaa02ce87
SSDEEP

12288:pMYJ07kE0KoFtw2gu9RxrBIUbPLwH96/I0lOZ0vbqFB:2YJ07kE0KoFtw2gu9RxrBIUbPLwH96/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkjafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ikfabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnobem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlggjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kjlopc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlhgaqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nadleilm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icpecm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jopiom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgqdfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbmcbime.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbbmmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kclgmq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnegbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fehfljca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfbibikg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qlggjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohaokbfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iohjlmeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Najjmjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbqdmodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mikepg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpoalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfhpilbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foqkdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iohjlmeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gglpibgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hghoeqmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Foqkdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdnldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fonnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hocqam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhopgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfhipj32.exe

Executes dropped EXE 64 IoCs

pid	Process
4308	Lenamdem.exe
3224	Ldoaklml.exe
3556	Lgmngglp.exe
324	Likjcbkc.exe
4556	Ldanqkki.exe
4416	Lebkhc32.exe
4072	Lllcen32.exe
4952	Mmlpoqpg.exe
4956	Mdehlk32.exe
1128	Mmnldp32.exe
4424	Mmpijp32.exe
4576	Melnob32.exe
3132	Menjdbgj.exe
4888	Mlhbal32.exe
1372	Ngmgne32.exe
3852	Ndaggimg.exe
3268	Nphhmj32.exe
4912	Neeqea32.exe
4352	Oponmilc.exe
4204	Oflgep32.exe
3512	Ofnckp32.exe
4504	Ofqpqo32.exe
4856	Oqhacgdh.exe
1036	Pmoahijl.exe
428	Pjcbbmif.exe
4788	Pqmjog32.exe
4688	Pfjcgn32.exe
1976	Pdmpje32.exe
760	Pnfdcjkg.exe
2732	Pfaigm32.exe
1160	Qdbiedpa.exe
1132	Qnjnnj32.exe
1652	Fnobem32.exe
1376	Fhdfbfdh.exe
5092	Fonnop32.exe
3504	Fehfljca.exe
1852	Foqkdp32.exe
4212	Gekcaj32.exe
364	Gglpibgm.exe
3436	Gochjpho.exe
4148	Gaadfkgc.exe
1276	Ghklce32.exe
4484	Goedpofl.exe
2312	Gepmlimi.exe
2464	Gkleeplq.exe
4008	Gfbibikg.exe
2580	Ghpendjj.exe
4644	Gkobjpin.exe
2104	Gahjgj32.exe
4820	Goljqnpd.exe
4316	Hdicienl.exe
5020	Hghoeqmp.exe
1424	Hbmcbime.exe
2808	Hkehkocf.exe
2612	Hdnldd32.exe
1180	Hocqam32.exe
4420	Hbbmmi32.exe
4860	Hkjafn32.exe
2616	Hbdjchgn.exe
2248	Hhnbpb32.exe
1148	Iohjlmeg.exe
3380	Ibffhhek.exe
924	Igcoqocb.exe
3640	Ikfabm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ibffhhek.exe	Iohjlmeg.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Fonnop32.exe	Fhdfbfdh.exe
File opened for modification	C:\Windows\SysWOW64\Hkjafn32.exe	Hbbmmi32.exe
File created	C:\Windows\SysWOW64\Efficj32.dll	Kiejmi32.exe
File opened for modification	C:\Windows\SysWOW64\Mnmmboed.exe	Mgbefe32.exe
File created	C:\Windows\SysWOW64\Bgemej32.dll	Nqbpojnp.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Hiagomkq.dll	Ghklce32.exe
File created	C:\Windows\SysWOW64\Dhkehk32.dll	Ibffhhek.exe
File opened for modification	C:\Windows\SysWOW64\Kiejmi32.exe	Jkhngl32.exe
File created	C:\Windows\SysWOW64\Jencdebl.dll	Lflbkcll.exe
File created	C:\Windows\SysWOW64\Mnegbp32.exe	Mgloefco.exe
File created	C:\Windows\SysWOW64\Mmnldp32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Gglpibgm.exe	Gekcaj32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Gfbibikg.exe	Gkleeplq.exe
File opened for modification	C:\Windows\SysWOW64\Hbbmmi32.exe	Hocqam32.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Offnhpfo.exe	Onkidm32.exe
File created	C:\Windows\SysWOW64\Mkfbmfbn.dll	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Mfeccm32.exe	Liofdigo.exe
File created	C:\Windows\SysWOW64\Ngidlo32.dll	Lgdidgjg.exe
File created	C:\Windows\SysWOW64\Pocehodm.dll	Gahjgj32.exe
File created	C:\Windows\SysWOW64\Hocqam32.exe	Hdnldd32.exe
File created	C:\Windows\SysWOW64\Ikfabm32.exe	Igcoqocb.exe
File created	C:\Windows\SysWOW64\Kghlhg32.dll	Ikfabm32.exe
File created	C:\Windows\SysWOW64\Ljeafb32.exe	Lgdidgjg.exe
File created	C:\Windows\SysWOW64\Figfoijn.dll	Mgbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Kcbfcigf.exe	Knenkbio.exe
File opened for modification	C:\Windows\SysWOW64\Lcgpni32.exe	Loighj32.exe
File created	C:\Windows\SysWOW64\Ppcbba32.dll	Omdppiif.exe
File created	C:\Windows\SysWOW64\Icgbob32.exe	Fdadpk32.exe
File opened for modification	C:\Windows\SysWOW64\Jopiom32.exe	Icpecm32.exe
File created	C:\Windows\SysWOW64\Liofdigo.exe	Lbcabo32.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Omdppiif.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Kcmmhj32.exe	Kpoalo32.exe
File created	C:\Windows\SysWOW64\Okehmlqi.dll	Mnmmboed.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Enjfli32.exe	Enhifi32.exe
File opened for modification	C:\Windows\SysWOW64\Pmjhlklg.exe	Obidcdfo.exe
File created	C:\Windows\SysWOW64\Cjacpfqm.dll	Aqilaplo.exe
File created	C:\Windows\SysWOW64\Npighq32.exe	Mfofjk32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ibffhhek.exe	Iohjlmeg.exe
File created	C:\Windows\SysWOW64\Logooemi.dll	Jkhngl32.exe
File created	C:\Windows\SysWOW64\Nadleilm.exe	Njjdho32.exe
File created	C:\Windows\SysWOW64\Njmqnobn.exe	Nadleilm.exe
File created	C:\Windows\SysWOW64\Offnhpfo.exe	Onkidm32.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqdb32.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Kjeiodek.exe	Gpbpbecj.exe
File created	C:\Windows\SysWOW64\Dmlijb32.dll	Kenggi32.exe
File created	C:\Windows\SysWOW64\Jknfplei.dll	Gaadfkgc.exe
File created	C:\Windows\SysWOW64\Kclgmq32.exe	Qlggjk32.exe
File created	C:\Windows\SysWOW64\Kcpjnjii.exe	Kncaec32.exe
File opened for modification	C:\Windows\SysWOW64\Dnqcfjae.exe	Dkbgjo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1744	4388	WerFault.exe	257

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfilbnn.dll"	Gkleeplq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glokko32.dll"	Hdicienl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fnobem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npldbgic.dll"	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npighq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hghoeqmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eanmnefk.dll"	Lnldla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mqimikfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mikepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqjbf32.dll"	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcmmhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfbmfbn.dll"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpapcb32.dll"	Fhdfbfdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Moipoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmpdgdmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjmkqm32.dll"	Fonnop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gochjpho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghlhg32.dll"	Ikfabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Knenkbio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghklce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gepmlimi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kenggi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgdidgjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himnbjpd.dll"	Hbmcbime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbbmmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemdebha.dll"	Kjlopc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fdadpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fnobem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Goedpofl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcleff32.dll"	Monjjgkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqbpojnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donloloo.dll"	Bbhhlccb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndgpnogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjlhgaqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fonahn32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgpni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icgbob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcbfcigf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djipbbne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibffhhek.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 4308	2820	4f0eac01231bca4dc447f4d3e60a5d2c.exe	85
PID 2820 wrote to memory of 4308	2820	4f0eac01231bca4dc447f4d3e60a5d2c.exe	85
PID 2820 wrote to memory of 4308	2820	4f0eac01231bca4dc447f4d3e60a5d2c.exe	85
PID 4308 wrote to memory of 3224	4308	Lenamdem.exe	86
PID 4308 wrote to memory of 3224	4308	Lenamdem.exe	86
PID 4308 wrote to memory of 3224	4308	Lenamdem.exe	86
PID 3224 wrote to memory of 3556	3224	Ldoaklml.exe	87
PID 3224 wrote to memory of 3556	3224	Ldoaklml.exe	87
PID 3224 wrote to memory of 3556	3224	Ldoaklml.exe	87
PID 3556 wrote to memory of 324	3556	Lgmngglp.exe	88
PID 3556 wrote to memory of 324	3556	Lgmngglp.exe	88
PID 3556 wrote to memory of 324	3556	Lgmngglp.exe	88
PID 324 wrote to memory of 4556	324	Likjcbkc.exe	89
PID 324 wrote to memory of 4556	324	Likjcbkc.exe	89
PID 324 wrote to memory of 4556	324	Likjcbkc.exe	89
PID 4556 wrote to memory of 4416	4556	Ldanqkki.exe	91
PID 4556 wrote to memory of 4416	4556	Ldanqkki.exe	91
PID 4556 wrote to memory of 4416	4556	Ldanqkki.exe	91
PID 4416 wrote to memory of 4072	4416	Lebkhc32.exe	92
PID 4416 wrote to memory of 4072	4416	Lebkhc32.exe	92
PID 4416 wrote to memory of 4072	4416	Lebkhc32.exe	92
PID 4072 wrote to memory of 4952	4072	Lllcen32.exe	94
PID 4072 wrote to memory of 4952	4072	Lllcen32.exe	94
PID 4072 wrote to memory of 4952	4072	Lllcen32.exe	94
PID 4952 wrote to memory of 4956	4952	Mmlpoqpg.exe	95
PID 4952 wrote to memory of 4956	4952	Mmlpoqpg.exe	95
PID 4952 wrote to memory of 4956	4952	Mmlpoqpg.exe	95
PID 4956 wrote to memory of 1128	4956	Mdehlk32.exe	96
PID 4956 wrote to memory of 1128	4956	Mdehlk32.exe	96
PID 4956 wrote to memory of 1128	4956	Mdehlk32.exe	96
PID 1128 wrote to memory of 4424	1128	Mmnldp32.exe	97
PID 1128 wrote to memory of 4424	1128	Mmnldp32.exe	97
PID 1128 wrote to memory of 4424	1128	Mmnldp32.exe	97
PID 4424 wrote to memory of 4576	4424	Mmpijp32.exe	99
PID 4424 wrote to memory of 4576	4424	Mmpijp32.exe	99
PID 4424 wrote to memory of 4576	4424	Mmpijp32.exe	99
PID 4576 wrote to memory of 3132	4576	Melnob32.exe	100
PID 4576 wrote to memory of 3132	4576	Melnob32.exe	100
PID 4576 wrote to memory of 3132	4576	Melnob32.exe	100
PID 3132 wrote to memory of 4888	3132	Menjdbgj.exe	101
PID 3132 wrote to memory of 4888	3132	Menjdbgj.exe	101
PID 3132 wrote to memory of 4888	3132	Menjdbgj.exe	101
PID 4888 wrote to memory of 1372	4888	Mlhbal32.exe	102
PID 4888 wrote to memory of 1372	4888	Mlhbal32.exe	102
PID 4888 wrote to memory of 1372	4888	Mlhbal32.exe	102
PID 1372 wrote to memory of 3852	1372	Ngmgne32.exe	103
PID 1372 wrote to memory of 3852	1372	Ngmgne32.exe	103
PID 1372 wrote to memory of 3852	1372	Ngmgne32.exe	103
PID 3852 wrote to memory of 3268	3852	Ndaggimg.exe	104
PID 3852 wrote to memory of 3268	3852	Ndaggimg.exe	104
PID 3852 wrote to memory of 3268	3852	Ndaggimg.exe	104
PID 3268 wrote to memory of 4912	3268	Nphhmj32.exe	105
PID 3268 wrote to memory of 4912	3268	Nphhmj32.exe	105
PID 3268 wrote to memory of 4912	3268	Nphhmj32.exe	105
PID 4912 wrote to memory of 4352	4912	Neeqea32.exe	106
PID 4912 wrote to memory of 4352	4912	Neeqea32.exe	106
PID 4912 wrote to memory of 4352	4912	Neeqea32.exe	106
PID 4352 wrote to memory of 4204	4352	Oponmilc.exe	107
PID 4352 wrote to memory of 4204	4352	Oponmilc.exe	107
PID 4352 wrote to memory of 4204	4352	Oponmilc.exe	107
PID 4204 wrote to memory of 3512	4204	Oflgep32.exe	108
PID 4204 wrote to memory of 3512	4204	Oflgep32.exe	108
PID 4204 wrote to memory of 3512	4204	Oflgep32.exe	108
PID 3512 wrote to memory of 4504	3512	Ofnckp32.exe	109

C:\Users\Admin\AppData\Local\Temp\4f0eac01231bca4dc447f4d3e60a5d2c.exe
"C:\Users\Admin\AppData\Local\Temp\4f0eac01231bca4dc447f4d3e60a5d2c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\Lenamdem.exe
  C:\Windows\system32\Lenamdem.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\Ldoaklml.exe
    C:\Windows\system32\Ldoaklml.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\SysWOW64\Lgmngglp.exe
      C:\Windows\system32\Lgmngglp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:324
      - C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        25⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        26⤵
        Executes dropped EXE
        
        PID:428
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        28⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Fnobem32.exe
        
        C:\Windows\system32\Fnobem32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Fhdfbfdh.exe
        
        C:\Windows\system32\Fhdfbfdh.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Fonnop32.exe
        
        C:\Windows\system32\Fonnop32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Fehfljca.exe
        
        C:\Windows\system32\Fehfljca.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\Foqkdp32.exe
        
        C:\Windows\system32\Foqkdp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Gekcaj32.exe
        
        C:\Windows\system32\Gekcaj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Gglpibgm.exe
        
        C:\Windows\system32\Gglpibgm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:364
        
        C:\Windows\SysWOW64\Gochjpho.exe
        
        C:\Windows\system32\Gochjpho.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Gaadfkgc.exe
        
        C:\Windows\system32\Gaadfkgc.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Ghklce32.exe
        
        C:\Windows\system32\Ghklce32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Goedpofl.exe
        
        C:\Windows\system32\Goedpofl.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Gepmlimi.exe
        
        C:\Windows\system32\Gepmlimi.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Gkleeplq.exe
        
        C:\Windows\system32\Gkleeplq.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Gfbibikg.exe
        
        C:\Windows\system32\Gfbibikg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Ghpendjj.exe
        
        C:\Windows\system32\Ghpendjj.exe
        48⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Gkobjpin.exe
        
        C:\Windows\system32\Gkobjpin.exe
        49⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Gahjgj32.exe
        
        C:\Windows\system32\Gahjgj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Goljqnpd.exe
        
        C:\Windows\system32\Goljqnpd.exe
        51⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Hdicienl.exe
        
        C:\Windows\system32\Hdicienl.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Hghoeqmp.exe
        
        C:\Windows\system32\Hghoeqmp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Hbmcbime.exe
        
        C:\Windows\system32\Hbmcbime.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Hkehkocf.exe
        
        C:\Windows\system32\Hkehkocf.exe
        55⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Hdnldd32.exe
        
        C:\Windows\system32\Hdnldd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Hocqam32.exe
        
        C:\Windows\system32\Hocqam32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Hbbmmi32.exe
        
        C:\Windows\system32\Hbbmmi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Hkjafn32.exe
        
        C:\Windows\system32\Hkjafn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Hbdjchgn.exe
        
        C:\Windows\system32\Hbdjchgn.exe
        60⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\Hhnbpb32.exe
        
        C:\Windows\system32\Hhnbpb32.exe
        61⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Iohjlmeg.exe
        
        C:\Windows\system32\Iohjlmeg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Ibffhhek.exe
        
        C:\Windows\system32\Ibffhhek.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Igcoqocb.exe
        
        C:\Windows\system32\Igcoqocb.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Ikfabm32.exe
        
        C:\Windows\system32\Ikfabm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Ifleoe32.exe
        
        C:\Windows\system32\Ifleoe32.exe
        66⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\Jkhngl32.exe
        
        C:\Windows\system32\Jkhngl32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Kiejmi32.exe
        
        C:\Windows\system32\Kiejmi32.exe
        68⤵
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Kenggi32.exe
        
        C:\Windows\system32\Kenggi32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Qlggjk32.exe
        
        C:\Windows\system32\Qlggjk32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Kclgmq32.exe
        
        C:\Windows\system32\Kclgmq32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4696
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        72⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        73⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:824
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        75⤵
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        77⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        78⤵
        
        PID:680
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        80⤵
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        82⤵
        
        PID:424
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        83⤵
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        84⤵
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2272
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        88⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4468
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        90⤵
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3648
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        92⤵
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        94⤵
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        95⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        96⤵
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        97⤵
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        98⤵
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        99⤵
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        100⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        102⤵
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        104⤵
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        105⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        107⤵
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        108⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        109⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        111⤵
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        112⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        113⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        114⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        116⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        118⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        119⤵
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        120⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        121⤵
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        123⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        124⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        125⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        127⤵
        
        PID:560
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3396
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        129⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        130⤵
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        131⤵
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        132⤵
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        133⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1276
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Cpqlfa32.exe
        
        C:\Windows\system32\Cpqlfa32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1604
        
        C:\Windows\SysWOW64\Fdadpk32.exe
        
        C:\Windows\system32\Fdadpk32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Icgbob32.exe
        
        C:\Windows\system32\Icgbob32.exe
        138⤵
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Moiheebb.exe
        
        C:\Windows\system32\Moiheebb.exe
        139⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Bnbmqjjo.exe
        
        C:\Windows\system32\Bnbmqjjo.exe
        140⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Icpecm32.exe
        
        C:\Windows\system32\Icpecm32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Jopiom32.exe
        
        C:\Windows\system32\Jopiom32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2200
        
        C:\Windows\SysWOW64\Kgqdfi32.exe
        
        C:\Windows\system32\Kgqdfi32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1424
        
        C:\Windows\SysWOW64\Lhopgg32.exe
        
        C:\Windows\system32\Lhopgg32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2104
        
        C:\Windows\SysWOW64\Najjmjkg.exe
        
        C:\Windows\system32\Najjmjkg.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4972
        
        C:\Windows\SysWOW64\Ohaokbfd.exe
        
        C:\Windows\system32\Ohaokbfd.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3044
        
        C:\Windows\SysWOW64\Aqilaplo.exe
        
        C:\Windows\system32\Aqilaplo.exe
        147⤵
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Bbhhlccb.exe
        
        C:\Windows\system32\Bbhhlccb.exe
        148⤵
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Djipbbne.exe
        
        C:\Windows\system32\Djipbbne.exe
        149⤵
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Glbapoqh.exe
        
        C:\Windows\system32\Glbapoqh.exe
        150⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\Lbqdmodg.exe
        
        C:\Windows\system32\Lbqdmodg.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4400
        
        C:\Windows\SysWOW64\Lbcabo32.exe
        
        C:\Windows\system32\Lbcabo32.exe
        152⤵
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Liofdigo.exe
        
        C:\Windows\system32\Liofdigo.exe
        153⤵
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Mfeccm32.exe
        
        C:\Windows\system32\Mfeccm32.exe
        154⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Mfhpilbc.exe
        
        C:\Windows\system32\Mfhpilbc.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4044
        
        C:\Windows\SysWOW64\Mmdekf32.exe
        
        C:\Windows\system32\Mmdekf32.exe
        156⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\Mikepg32.exe
        
        C:\Windows\system32\Mikepg32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Mfofjk32.exe
        
        C:\Windows\system32\Mfofjk32.exe
        158⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Npighq32.exe
        
        C:\Windows\system32\Npighq32.exe
        159⤵
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Ndgpnogo.exe
        
        C:\Windows\system32\Ndgpnogo.exe
        160⤵
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Nmpdgdmp.exe
        
        C:\Windows\system32\Nmpdgdmp.exe
        161⤵
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Nfhipj32.exe
        
        C:\Windows\system32\Nfhipj32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3880
        
        C:\Windows\SysWOW64\Nleaha32.exe
        
        C:\Windows\system32\Nleaha32.exe
        163⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 412
        164⤵
        Program crash
        
        PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4388 -ip 4388
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eqmlccdi.exe

Filesize
416KB

MD5
9093478c32402edbf9d9b8e4a6f817e2

SHA1
ee0b0ec2b0c0334ac21b68b41b7c5f3308f63ad9

SHA256
8dc2eff3faf529e0c082f3a281cb391dd8e0d7f150292587c346bd5520199405

SHA512
a3e932683eef3cd92399779d0ca8ec5a743a52e34c174ebdd63d4aecf5d2820cf5f59638d7ea19b013931aedaf953c2102506bc6951cf33f93f0494985a86c75

Download Submit
C:\Windows\SysWOW64\Fhdfbfdh.exe

Filesize
416KB

MD5
60744373257d54c407e2f317870d4ae8

SHA1
e8f79bc51222bf31762d4d1fa5d63c6c637948a3

SHA256
8d043c48ba1bf3fa8d088ba7fdeeefab1d630ffe3db61c8666479c26b7ae02a7

SHA512
46c8dc699472102100a4baa6618fb751301e57206e2365dd1e091d96bea3e8bc45d2ed455deed5f4d4daea2e06bc3f497d639b271067bff1999febfd42a8e0db

Download Submit
C:\Windows\SysWOW64\Fonnop32.exe

Filesize
416KB

MD5
88f55aae02bb952c25fb02c7511b7a47

SHA1
5acd608f29662425cad2a1123c7c36cd94330923

SHA256
19bfaa87862afaf7fc212ecea92d72c2eac9b97c62ec8aeec9c8af83cdef8981

SHA512
deceb59f160c82e276751a49149dc1e47a658c7c7c052cd898ed8a654b1810e15f5e1cbbcd0e26d49210eb7af8e0288a3266d9a51364484c13cad6eb44c889d4

Download Submit
C:\Windows\SysWOW64\Gahjgj32.exe

Filesize
416KB

MD5
16ec84a423622cb213e1ec17f343da62

SHA1
e99e288fccad5b7423017991a819b8812e8570ea

SHA256
a5845f1b90b4fc2c18c0c8c655394e21f9197919a00a5e00cf570b95dadda290

SHA512
607a398765bf3dff4a1c5d6f32d82f9badf9af7e7faf2ad68c70801a69b626cb911580c23676627a8ef70252089c222c6c3df84d3aa3b4ac46009bc1dffe725e

Download Submit
C:\Windows\SysWOW64\Gfbibikg.exe

Filesize
416KB

MD5
33e0c4e47a614b0614c3c604ddedaf10

SHA1
ac31f35563e0db91b8e365e1077a483442fcee9a

SHA256
a04e4774cce859b10da553cddeb0be27a4b5365f0e93b49fbe9ebf8767f25c9c

SHA512
c00281aecce52a9d3aa50e2534fd83ca69e319f64d1c5f788aab2be11477905a5c87e80efb954a8873b105e9d0601bd4f8144064dd1273ea80e8b2a0497d8653

Download Submit
C:\Windows\SysWOW64\Ghpendjj.exe

Filesize
416KB

MD5
5e8b77f3890c5e4d2b69405cefe74485

SHA1
895ad2dbc7776ae2b5aa93a1123faf8af3f06322

SHA256
7b077ee1eafa98213aab9da852d297911aafcf0482a38bdce9a8884753a7cd00

SHA512
d2e181ccb90936765d057fffb252a55206192d49561d75ef0274be10bcf82496b7eafe584b930a9e613bde0ad1fb460c510513146526675f89938f239ab24026

Download Submit
C:\Windows\SysWOW64\Hbdjchgn.exe

Filesize
416KB

MD5
dbb96eb0eeb383628e7de1fc0ce4aa5f

SHA1
71282659fe30546c6a9f75953d082a2680e0e47b

SHA256
573b5ace0770a384e76fc0f0d9d50e7c071fc61756366531146e2104c52cb387

SHA512
be762446887b3079d9ecbe1bcba9dc89aa6c029c5eb71b5ad322432c2cc0f043746506fec3379261bb7913343611a3c4ec1edfed8a5465eda344df1f666f6dca

Download Submit
C:\Windows\SysWOW64\Hdnldd32.exe

Filesize
416KB

MD5
a045d5d3b6599422f9f1f5f021949de6

SHA1
31b263c3eecd9697c0149df5fc2844eba9af8854

SHA256
bb524cb78ec20050811b01f21153d5d41acc57387fe933c091fa08ad0c64f25c

SHA512
c8f1537b06391b4a28166eb4b8bcc93cbf4e4a1d4d9b582e667345274aeaf8d7d18c408f7bfb83ac2efdf45c7391685a8532d76a79c8ced5c916eb9c2302c818

Download Submit
C:\Windows\SysWOW64\Hkehkocf.exe

Filesize
416KB

MD5
d9f7ea9effa658bc6a7ed2c1586dda1f

SHA1
70db4aee5edff2ebc48cabd8b3ba88c416d0c996

SHA256
3cccd7e81ef74e36948faeb2788865baf0f6d6e66f4b47c10ec40b0145237222

SHA512
f8c4d7b1cd5a9adcc1431120565b305f18242a17c9ad3784b2f5e9c1fec118b10ec0e10d267f74852c5df4b200dcd5348fcef647dfed49bcd1d715a3dd23ec08

Download Submit
C:\Windows\SysWOW64\Icpecm32.exe

Filesize
256KB

MD5
e45c1c39310d852d36bb7c4b738007b4

SHA1
70c681b44edf1a5f68acd63ab011c69f747732b6

SHA256
c3743d4de9809bf81609b85d1ca027e88191bdd0b0878f3a5489370e562383bd

SHA512
3bcdb64c7b4ae298f844ebad74c741ba3354ee04ce0aa245ca6b637aafec6e2848578c1629ccfbb061435b9639e455cf8aae54491a473829cb000c5083694274

Download Submit
C:\Windows\SysWOW64\Ifleoe32.exe

Filesize
416KB

MD5
74b0df01d4ca3060bafbb8ba65238a10

SHA1
a9302d7179fd99660ee1d4a9fcc264b776704506

SHA256
a59d6f753b604bb7c9a2469fb5ce10b13aeee6e77eac506af1f36fe13ccec28e

SHA512
90f7d6283e1014e9f76400d49aa6fce42fd4d525d5d59528d5703cba87728fc438958f1b98d8851207939edaaf7911168a44c5a2d059b642aa0f6a185a241758

Download Submit
C:\Windows\SysWOW64\Kenggi32.exe

Filesize
416KB

MD5
4dfb1960bfb76cc9c05a97eda7851426

SHA1
4882c518a9a303638c99f57ef016f083efd88cf4

SHA256
755da6f7a7069d77e911f0a619deb022bc46e6119eee66016e6b074c979f808f

SHA512
1f6b3d84c0559a4af0b1fdf410bfa3cf46cc4ccae6da4855b1a74c91746cc6e51f613476c23a622554b8dc12b890d0753eb52fe7d8d4f6be09d7a54f27f2adc1

Download Submit
C:\Windows\SysWOW64\Kgqdfi32.exe

Filesize
416KB

MD5
4b663a3ca755dade0a4c60ac6925f81a

SHA1
1f5efc005a601a76534a029d8aa5aaba99a2d8ee

SHA256
ded9ccea0649fc112e90ab300303bfa5d987aa0fff53ce054bbecca42ad6f854

SHA512
38d79be2baef96188d9c60612dacf1b11d79e89fbb25cde200c8e5b9a5ccff4c1f2f456d6108e6f4966b4816e2fde7cce5a7c0b7d08af2be2d859befbe3c6c07

Download Submit
C:\Windows\SysWOW64\Lbqdmodg.exe

Filesize
416KB

MD5
d7243dd195b4437f1ddfa0eaf0c56c70

SHA1
63df021a5f50bd9f1cd3a858d052fcc7ea682838

SHA256
ee62ce10107a24f3de2200497f2261a6c7366dd2fbcba573b42c834dbf0b97b8

SHA512
7d8e18e3fe3c34d5205829b9055b2ffef438c83a724f23cd50ae770e47c5e664c932e98e56dfff78d93a5937a1ed75ffda59144d3a446989517178da87199b91

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
416KB

MD5
dc0142d0f2fdba13d61ced293e373c27

SHA1
af1ae4e09f8f986a2ae69601d72b18598e268b7a

SHA256
67d77c64beb336cdb1f85736a0cf48ba353ecad2eee0802df40d92031e6d0c89

SHA512
d7ddd6c9e3fe5ad6f5c86a63dc17094567e8c7eb2bd09a50e3d4786bb552d7c5cd65ced9488461e07924cdeb28c17ca889f2005456d5fb9d6093766a6d721594

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
416KB

MD5
524cdc6a415c1b287df8641ec339d25b

SHA1
74fd45d0f52f651509aea8068e9dfb5430ee6510

SHA256
f4fa8ad5c07636f730a868108c236e3cb65596f7e103b56f57672b7053e6e606

SHA512
eec9646c16f3578fc1672259a7ad80f5848c414d9349f4db7a8cd008aaf55bf295b94daea7e23aabf18b76ad1197387ddd118ddfdd8974028f82da4339264964

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
416KB

MD5
8aaf8c27cd3bd4128d3df1d89c38f061

SHA1
84695e3058fc3e6e240294beaa1d24e9e5c10f24

SHA256
86788c38893189f3088b8c1a5d5ee863aa77b479497418880f200679664987ed

SHA512
997fe1033f989a4a1205107e8cbf4668740e7d29f7634031801ff4e776e9b7e12271ee17550d7ed49192bb58872c0e574e71c2e0a71bda26e0ed5ec929d43f78

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
416KB

MD5
f0b8a976126c038a1b41c01115f51c49

SHA1
c9dda6b7003ee2580df489d5934a4512b3c7fbdf

SHA256
335b877c69b351aaa8236d184b3a2a097b721b7f4f1cc2dd364b38ee99a5d02d

SHA512
383a1ad0feb56567631c2b704d98163585064fd8cf7f25bcfe727f75bf1ce6e10c53de8101515140e285babe88c9099f1aafe7a61a2bec355d708beed81ad62e

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
416KB

MD5
bee69bab58fe400c96c10b245b4d6521

SHA1
fa097a3dd6a38363cecbfca71846e30acbffcc30

SHA256
5247f5fe14c04334ddfa6092558e4df560a0b7f51c7bb09d39347cd63be7bcda

SHA512
a0ed7f32701edf2f00c35565fdcc80cb78b099072cd46a0425572d82edc303cb80b37c39f34d26327e01a905b2e95998784eb1cee12cc50a6468d76422110c44

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
416KB

MD5
ead193dfe8f9ce191bb6196e3e5134ca

SHA1
daa67383cdded95cd2583daa36308c5b7823c5dc

SHA256
5ee264ceb27b3d318261e833cf6de14a34e5771f17945f9d362b0b30c9d42a0a

SHA512
66539ad830f15cab5c7087e5a529be8f87bbea4f11494d24c1455e347c91cf982140f362d3e3ca0f305db317d2c03627cce7b2b6dcc22c933944e59e3288da3b

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
416KB

MD5
b1c7739ac84236898f803f39056e62aa

SHA1
fd36f94624a174bf0ce61de91e1624ec992bbe2e

SHA256
9b2fac932ff0873a570354e41511c5d158f9651cbe7992760a6ab9cab34a476c

SHA512
648eb23dd63eb3feb9a615de62047e77fceecd1ff8613eba7cd9c1235ef95fd4a2a9f98f942a65945b3c526e4305b93ecc16bbde58b3d9c4801bcff9ee4173db

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe

Filesize
416KB

MD5
600a8376d03f6ab888e7a2523e39640e

SHA1
8ebf32f348ea403bf923beb40b2d315b9c9f08fb

SHA256
a4b73f1fc63df72e5c6bdfe300ee0d6ca647294f3732d06811bcf124d148d0cd

SHA512
37b4a2ada8af20a6e0a0f643ac8a87239682a1fc14541fdb2edba17ec05b14061147903c778f9d5187ad989766bd85e1c8885b39bcb26efc4949e3ea365a48de

Download Submit
C:\Windows\SysWOW64\Loighj32.exe

Filesize
416KB

MD5
1a19b742b476a5a0d58343e927050732

SHA1
9f7523cecd2021d4bb98ece76222c47e3953f99d

SHA256
ebaef634d75f2fed2ff260a568e9598786504ab3a3d67a09e9b492b3ed70cb11

SHA512
ea64f5fa7c2f4df01a71bab9a231a55d47e33b00785282e2282583fc484c1ab9e713bf3dd80a748b14ff566ab938a311d55e885ef0cb2b3d9ad1c2cf6f5747d2

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
416KB

MD5
aaf7035eac2dfb7204a7304d04855d6d

SHA1
a5a875c6c7eef9d4ea3eb7fb42dfe458aefef57d

SHA256
1065ffc78e910d95bea0c0e5b7fe1566c5b256c065b66cb05bb70a09106dbdff

SHA512
e2a69730b078f0ae45dd0c81cf70d5f49b2ec0a8f190f32fda06b555ef4f0dee17c403b28333d743e6fe6f5dcb8187ec991814e8a8b6f6f5fc6665b0ee51d6d9

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
416KB

MD5
e809908efbc770bed357cefc5af770ef

SHA1
547269774a4b6a220a84fc5bf5e9ecb8ad1baaa2

SHA256
e3cdea1edb3ddfd4224d2187111fe8bf3e47daf59896776c642915b0b37d8589

SHA512
87cb7092add2c74cbdfd430739b495140c4787742983caf9e059bc08cdfd2463861cbffddd3581ff7be839d3c963443ac3bde4851c512640decaa8281ca26128

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
416KB

MD5
13c04ff27ebadd1b2da062c1f7747063

SHA1
1f1a98ef41f0f6a86783c4ec02afbe78f5fe98de

SHA256
3b170c940ae12b443ee665619637dcb94df81972bf73f218cd49e825963b32e2

SHA512
e1b14e1a2025daa5b7e30385d4eff4e6c18c8832bd8eef2d45bca208296c9cac33f152c9156205dbca455765b4e0b042fc0ffbd12640af7a83ba3d2dac5865c3

Download Submit
C:\Windows\SysWOW64\Mfeccm32.exe

Filesize
416KB

MD5
f1c49ad7ebf874357d60613a7d3b75c3

SHA1
084375c0aeced27df59186eb946286b4d4cc5168

SHA256
5c792f4edc896e2b454b65e75e1213803316e47f6155ac7c26f28c1051294e17

SHA512
e79527d04ede5545ef38242dd62e3f8a493599fd4fd8022016177da736feb04b09504c7b455a08607889c8751c4985fa007a12ef7769038f1ff6f77bee357d69

Download Submit
C:\Windows\SysWOW64\Mfhpilbc.exe

Filesize
416KB

MD5
f6fc9e046b86d084eab977222b5800ff

SHA1
bf9f97aecc2c9188430ecac76e40c3dcc87e35bc

SHA256
f9746fe392d01bed28361ce5743c975e5bbe0489bbbc35d7b5c6d12fe3d2dcb5

SHA512
e0fab7b9f555e6a017f0a802b21f3ce6c62136bc5bfa3f2eef2760ebb0fe15d88050b812e27401a07d0f5e71786b3f9a254fda2824ec81b7e46200f7d534de9c

Download Submit
C:\Windows\SysWOW64\Mgbefe32.exe

Filesize
64KB

MD5
d5b41b84ac4b7b13c19a14a1f90c2a9c

SHA1
a93ac4be30030efd32c7d1cae8712fe730850502

SHA256
511247906cbb3cb4734ae80b4a164c9b019aeb96f388cfb8deba35de0093d3b7

SHA512
26f626fed772033be7070074c6359ffda4126495fefb902f329ee8c27af792b757dfe597f50968426aa4eac5b77aa5c387b44bde95b5339d2ca8c8c87f796147

Download Submit
C:\Windows\SysWOW64\Mikepg32.exe

Filesize
416KB

MD5
089ee2b41e9a32d9ab99ce3f7eb6036e

SHA1
dbe9fb20a8097f9bc71b517bfe2871a38c974117

SHA256
52bd5308e409a03953fbbab354543e7eafd449ae3bffaf8f0362665300f535aa

SHA512
6291a371ce85f778368486e59a98f4fbc6cb179327dc5ea25e6e775c5784d24d155e9a3669cc40a1390ce2d256b17a09ae7cd962c8c5ebabf234330c2ad05709

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
416KB

MD5
b5839e0fe3c226b52b6767a6e068e863

SHA1
d4dfb6a01726bf026a3fa7129a55ef0f414083e2

SHA256
1d939438576249ae1d6f40214fc33c6d99105ac4a223a574169097fb347bc6e9

SHA512
528397ec84c0273fa21f60ebbc2f36c129e3c3235a239514dd3387ebbab52ca806305d8d565eff5ae7fccfd50b18bbdbaf30e79d58f7b70449ee6319df5e6b20

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
416KB

MD5
6236446ef92a9b64959ca6fce36126fd

SHA1
1616289fb1cafaa11633429c294424846a58c65b

SHA256
ba03add9c13e047a55b8dcf02d026777bcec3213932df206a8418bd9db29038d

SHA512
b88ce368ccffb09230571a3c38867c526cbc34ac6625ebe22155ea533266bdd37c647041662451a89b29bed6562c4ffc4ac0e22e577c87ae7a899a8fc630900c

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
416KB

MD5
4db94a20628e047e862420609d415e4a

SHA1
5450adc722ceaa50e08ec296bd1e31425e25a314

SHA256
bcf262237921a847e752b1dd54e26c26167787b225adcba9945ff664399dd818

SHA512
13772a3904de67fddcbf8f3c15f0237fef698bae3ed7886e1da089a1ee9223396639a16405572503656f30d43c68f5cf00774b771977082a55281a1c4cb4f9a5

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
416KB

MD5
4743b19c4284be11c1ebac17b34b36e8

SHA1
9c4415fb7d738d359a90f4ff810d545a7e26fb2f

SHA256
adeaf0b68d3e5a9cccc02babf73a8d1c3875a5fff5eec1f13235ba745763c170

SHA512
69e7be68dfb783104f145542687c7b73746162689990c6223205ac379ebc9768cdcceb5f85d80657b6989639844224b89db9ac96d381355f5bd8a26f7e4533a2

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
416KB

MD5
21a776e5406cbed6bfc41c2f76878a52

SHA1
95b78ae4222d54eb80560239e9daa461e8bfe256

SHA256
611f38c0d73ee09b3c69996b917f893095e907be7deb9053960d2a84ccafef62

SHA512
867d6346c744653b61f30bdc28a4cd1452ac37fde60bf3efcc1af79bc112a0ba3b0dbaff3ef039578410597b04835a8496d8aafba73e81744f84486796f6b996

Download Submit
C:\Windows\SysWOW64\Monjjgkb.exe

Filesize
416KB

MD5
e3da4022496f9287b7b0700130d00a7b

SHA1
35abf841cc8573eea192e80f8e6889052671c91c

SHA256
7373ed90c254eb7040daac4e69c6d12222f3a9caedc9d66679ed3f362a78d747

SHA512
1d7243b58c7e67e3bab997b35f13683556e4556896f96b62dc58d0c703b4c1a01d1b7dddbc8ee8f6eb4f06e20eeb110935500af10432953ede1a16bcb77e451f

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
416KB

MD5
6f6cd0c635ecd16f9b51e455fe0c8f59

SHA1
4f4b1133ab819466d530133ee11cd54eba106abd

SHA256
38416c47d610452c0e6f6a30b7d22102bff76baefe5bb69ef1c16f25088bab41

SHA512
b0c58b54dc782373fd2e4f6e1141063f69bada81ffdd4b8e8566001f089fb75d651009cc470fe9cf202db78680f594712b25fb9d80d741a6ece6743a5fde493f

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
416KB

MD5
58eca21696c57e5544827f5c73824c6d

SHA1
bec5c0175c5a658566e915e7d79100a6de9be100

SHA256
6d41d41756da10f4ab8cd7e7efce01098d58f8949c0bbb655b1d55b87086d3eb

SHA512
43e2605818a8bb19b25a9169808235ab76d0e8abe2ac21e053fbce095c40a9ad91413d4cb0482b48f9319d76303e4af3afbac622c98f8eeba3c5c3acbed5e34a

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
416KB

MD5
e495891baa92668e88e04dd258c8d411

SHA1
54bda54e6a12d80150b7a87fcb28caba92159bae

SHA256
9aed07872c05e633b039be37e9590346940335150ac12c17746bccae869bb864

SHA512
491be8a14aa84a07a6aaecb747edbd2d61a207010c0f1a9e37f277aae4d5dfcd612cbd4ae8a776e7a6c0c863254cfed55784c76eaf57523a23a598c9bb85f162

Download Submit
C:\Windows\SysWOW64\Nhgfglco.dll

Filesize
7KB

MD5
5463aa720fa165e78c809f8fbcda0359

SHA1
97113a26b635dbef92cd3abeb1c2bf8714f8d136

SHA256
ca5f7c5101af5c0e0dbc42df0bac608ceff21d58b7473e94ede9960688cb49d9

SHA512
a3aed3c1f2ca384a2f64b96e55f0b2610be42d10cdfacce1eb5f96986a95fe7f9d7f1160a6fff31485e1c3aada32921c156532664d56489c2a854c439ae69d5c

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
128KB

MD5
4ac2cd233b7c457a8ca99b23b0b5cbb2

SHA1
b17c4926c63b9a141807e4dd935510b32d1bf997

SHA256
167eb8305c85f41f9fa571113aa4ffb698420a770bf01f3ad43a4b141d2691b6

SHA512
3a930f67f9d6688296cbb78de8cd5e2b82d01be9dc4784b861690a8a78e041f96a1ccd319bd478d4f9ff3c8a5a5bf18a8cf748d6d77d5c7a068a3d833f5eef37

Download Submit
C:\Windows\SysWOW64\Nmpdgdmp.exe

Filesize
416KB

MD5
ca01fd052266b3d5a0c9e338524b06cf

SHA1
f6e1a00f23a8518a463c29b279ff37011202b3ab

SHA256
fc05f1072de786fb7a66f13c2fc8ca3c6e25d08c0f323c15c6cc68907bdcde10

SHA512
b3b7cd6e4fbffb3a65e71a72c006d5b2294635247916484fad3ebec90a52b76c76f97987f1693086d11fcb693856ca51ea7b10299567fd186e05e9cd7f539b80

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
416KB

MD5
7a3ad7db131c36c3310d1e809ab7f671

SHA1
8c0c3677e83c07f556a161084eb1d32c96022d7c

SHA256
885ae004512af7d151effea4bc0014522a28d77fff358fa5f85b8e429a52e40f

SHA512
4e1d05589cf17efe900e2436a1ac65189d193edc844e2c51ba4d18c59b430ece89e75975410737821028d4319ceea8f59fc1dbb586c6b42ff96a66641c38f6a2

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
320KB

MD5
2d0048bf439c664467964fc132a3d77b

SHA1
f637d7daca167bbb7ebabe48f54ae049dcf8994c

SHA256
78194aea4fb4a9808602823b93fb8f887e2ce6c0850d01ebe5775c54b8ab02e0

SHA512
881feaad711a5ef7bff784b8fea9aed65603d106873c714a6b227ac0cc1e92de97eea1808663ce2d377498e582e2794ea75500eb5bd419e54e229addf2327ec7

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
416KB

MD5
89de775d1210c4e4b5f472060f6965ec

SHA1
b64f3de3c547c82f830f97fc5f3a9387776ab5e8

SHA256
d85b29e25eff6671e71e634ca653d14b48e16d420241c859cabd02b2646c768f

SHA512
c217fb1a81a13d843518c78c8a98b0da1aa76944150a1fc2d194e2236780161a38f66d16f55a44a56aec4db8239572d5eff128464093e7794dbdc0fa5a933ba1

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
416KB

MD5
2c75b77a7d4f44892ce1fc600bc5fb37

SHA1
508dd1e88939c572c97935fbeaeb685b74227455

SHA256
cbe1e5ec5d0bc648971675e36ec5fe29830aa19a2027088908bbd0c79f78b43a

SHA512
4f12bb7e109e6898bcc1d65bdc19b0c739ea537fba5d7e3f6badb6480cbf33c40a3679cbaec01d3daffe248e4bc84b4e22b2de69df1d6cf4aeb7997662d9109d

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
416KB

MD5
563dfcea7a21d60b5f505b293b9eb151

SHA1
608574c3a4441259a2e861f3bd6927c9d187a1c7

SHA256
db854e84c66213c592047be92aceb847b58b6e630a19a77f3d38fb2d84875b61

SHA512
815e50e187c2e7e8a80b82dfaa6f31bf231e3c83268a2b121a04568c2c13280a689563612d537b13b8d987dff888f0b67a73b6520484d6bc096cd344233623e0

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
416KB

MD5
ea7302c9b6b6058b7a85600ff27ab400

SHA1
1ea0f2934e866fdd892c22969924f7341eaababa

SHA256
7c7aebdbae48eba3792f13bddf5f4b9fcdbf1a63472ab655cba14519af6662fc

SHA512
b3735c92a555d7c42adf2a6ef8102a905e016a8d10549c78bcc757743ffdc3717a3b71d3dfe37d4702d57039a5902906a632402d35d8357bb6a704a1b2c7e411

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
416KB

MD5
e80c1d0c38244e1a754db55855b0c556

SHA1
4733808482b6bb93304719e929e33abb0590184f

SHA256
69ab87ea5fcf3b1a93279ee5fd123761738e71386f4df391e8046bfb9ef315fd

SHA512
b4df40b44909eca88bf5ec4fdd54466ed05a06efdf7c222068693f67039aa98b61318734fb3126f35aeb7f27082838677307ac2cd8702543fc48f39ea8d1cae5

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
416KB

MD5
bb060176058cfb868c3348bf8507c743

SHA1
d8dc4ff7a31f8046a6beb2da656d2b0b2e0ad381

SHA256
65de1f9b4c62e983cd4ca7c4670e6d380358a947ed9fdbf8261e7cf05bc70a67

SHA512
a79c0f11741324cab3d063a8737486b2b108041d8dee0679c41de6d5fabacf214bd01260f3063d535d8e016a4a087e2a6a82482c1b94cd9c45ad0878166507c9

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
416KB

MD5
8cae5e072ec4f79ac1cbcb031ad7bcef

SHA1
6195a2eaf1f42f9b240232989aa0fd36c9b871f9

SHA256
61a00a13e97d3fec6eb5cbc479c35b5ff4454e641fe281538ab0bd276a84260d

SHA512
dbc911d69623cd6b22f900233f11bee55c74d5d025641f2deba6f4eaa5f899fe72b39e3b5c145709302ab7ea704faec8e575b1bda1bd5e1c6a3193b7e2218904

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
416KB

MD5
f1a8270ca1cf7700d6dcd81150d2776b

SHA1
285706aaee8797985c3ff2672f06c155e29d933b

SHA256
01254e5b384e04a1ed996436222fcd42326312ba81afa1688f9048b287e41f3c

SHA512
0e65489801bd62cedc922aae09368c5f27b87362478fa076652d0dad6e8ad85c58122c2e555f462c6955a847333bc49355fbc34d96dd14155c819bc4e3cc9a61

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
416KB

MD5
1b7b52ca65463cf7812be56f3d85b338

SHA1
972e4e140ee27157ce06d2d38412f4eb13a1cbfb

SHA256
ac9dbc0c07fc8e19bacd2b271b9fb2c263c71e3e1f8ef3d521c9ad8b645499f2

SHA512
00824cfcbabf9f2bc1b031fc5ba91c2e43739aba7b86a31bf12145d2d42a08fa16af66bccdd6e9f8dfdb8c0a09281b382dca9a3eeac5892cd37f57179dbe0e48

Download Submit
C:\Windows\SysWOW64\Pjbcplpe.exe

Filesize
416KB

MD5
70916a017b92e530c2e920238f768c73

SHA1
1fef56a98d262fd24fa850ef9a9ecd3ada969682

SHA256
6d2c1355392345e9565c0c39f197199555a1cd1160ded771fe9ce272eed9a8b6

SHA512
8fd663352d542476a10275773675b002005d9640947c1b405916c03e1bc7d19624622e44ad63c0bba6df1bef42557390c776bd32d0a3920bdf15091ccfa688fa

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
416KB

MD5
3be88a38cee16af9ab73df8c81ed2f9d

SHA1
45babdcbbd8475de628afeea1914b1cca47fbff1

SHA256
aae39280080865ba4d8e9449d128c67d2576db4108f98c6da74ceae6117aa294

SHA512
003f180f08bd8d49d68f24df210a6e61313e60ba43c43f3760ff5b1028adf3d0bc8d086ab51b42c78891555a00e1f5446f8228dd457032363de899a19aadaa1b

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
416KB

MD5
ceac1dd5642b59652e75df9432750445

SHA1
15df4fc8fa5e390b89e913217d9ccb0ac1a12ac3

SHA256
e3f05c0db2d81f4c65b066fb423d14e58563f11a8dcc3a8e1e7af3d21ac124c7

SHA512
4a2218b9fec5b67c29dc840734fbddefad87eb5c96450b86a56d656274615bd71e89f3fa13862bb9d1f851f6c601fdf099e5280830351d77faa6231f0cceb756

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
416KB

MD5
742a6c128d59b3fdd953d8940c5347c6

SHA1
2dfda7c80a3f027f8d8fcd5bdbb1e234b6a7adde

SHA256
e38a4dbc4e57835e6aa5290179ec7794a14e55a19487a815bbdefbc3c3862e3b

SHA512
3ec3b09c73dcc8e213adc9e212f3f18d5b6a6380d979f187ecdb8e60ef2d43d22326f3fff75483d2cd1f4e08ff12d1ba81c2256dfb5a5a13c07fb2aad90b02e2

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
416KB

MD5
bf4395b003084a96a7d8e91cf22b99e4

SHA1
f322db791499dca71bfbd1c9e464968159b2acdf

SHA256
7c3fc0c7c1f41b9269b98515132d397fc9fe1c94c282eca9ced8989d0d497f4c

SHA512
790347819bb409f3127f9c1e47f4dee15cf00dde506e4096e9557aa95e6be674edd44d3cef3075a7418d227e6f0af5aed9bada181727341b00940ca7910488fa

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
416KB

MD5
42719dbad9513b225bdd03be12a606d6

SHA1
d7f256165fcbbb3edf7f49bc2f1e9794b1e65e38

SHA256
09622d3aac29fa3c2ec428e22a7e155767ac88dfe72bb3296a4ef4acd9de4db6

SHA512
f6b0f41d434f61c2b7c19446f860d4a600b6252e594f236571c344f5569e4583fc24f242fee35e0bb92debd930014e5d7a0938f585d6c58486d23c85faa7a02d

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
416KB

MD5
f9651b76ed733797ba618bc544ef839e

SHA1
35e56e400145a7cd04137d9a9a23ce974facf314

SHA256
60483ac02abbbcae6aa4840b1d74d7cf0c457c61288dd4d9a95221fd2ee8e548

SHA512
24cc0a946efb6af1c8e74f6668c77b3aadce7c8802e71a28cac5ed94f6c111d2852071fc7def2ef007ba3ceafd15f1a7c19f1fa1c2dec337c95536af2dd0206d

Download Submit
memory/324-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/364-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/760-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1128-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1132-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1148-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1160-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1180-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1276-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1424-386-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1852-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2248-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2464-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2616-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3132-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3224-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3268-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3380-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3436-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3504-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3512-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3556-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3852-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4008-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4148-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4204-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4308-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4316-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4416-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4484-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4556-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4576-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4644-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4688-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4788-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4912-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads