15752aaf5d558d98ef74dbfe7ac134b2373e87a5c58446e3b651879bf376215d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1086066adb5655a4b58d80429bd9ade.exe
Size

890KB
MD5

e1086066adb5655a4b58d80429bd9ade
SHA1

85f8029f00405ede2ce648ba3693739236caa17f
SHA256

15752aaf5d558d98ef74dbfe7ac134b2373e87a5c58446e3b651879bf376215d
SHA512

b207011f9f81d4a86e3285ca8ccc3290407f83700e2645da32fe26bedb2d590904e67faf0fafc6c157f15ab7944ca9e77521daa656c4178ad32ce2da95f219ae
SSDEEP

6144:93MnbEPPQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NR5fKr2i:hMnl/Ng1/Nmr/Ng1/Nblt01PBNkEG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe

Executes dropped EXE 64 IoCs

pid	Process
452	Jcbihpel.exe
1840	Jbhfjljd.exe
1596	Jcgbco32.exe
2460	Jehokgge.exe
3688	Jlbgha32.exe
3152	Jblpek32.exe
2052	Jeklag32.exe
2500	Jmbdbd32.exe
2912	Jpppnp32.exe
2352	Kemhff32.exe
2340	Kiidgeki.exe
4464	Klgqcqkl.exe
1412	Kfmepi32.exe
4068	Kpeiioac.exe
4460	Lfkaag32.exe
4608	Lmdina32.exe
3140	Lpcfkm32.exe
3816	Lgmngglp.exe
3024	Likjcbkc.exe
1908	Ldanqkki.exe
4652	Lbdolh32.exe
3452	Lebkhc32.exe
4648	Lingibiq.exe
2936	Lllcen32.exe
4364	Lphoelqn.exe
3956	Mbfkbhpa.exe
3628	Medgncoe.exe
4624	Mmlpoqpg.exe
4724	Mlopkm32.exe
228	Mdehlk32.exe
1448	Mgddhf32.exe
4868	Mibpda32.exe
3040	Mlampmdo.exe
4816	Mdhdajea.exe
4108	Mgfqmfde.exe
1604	Miemjaci.exe
3920	Mlcifmbl.exe
2748	Mdjagjco.exe
1416	Mgimcebb.exe
1812	Melnob32.exe
1480	Mmbfpp32.exe
4916	Mpablkhc.exe
2720	Mcpnhfhf.exe
832	Menjdbgj.exe
2944	Mnebeogl.exe
384	Npcoakfp.exe
4864	Ncbknfed.exe
3568	Nepgjaeg.exe
2856	Ncdgcf32.exe
2592	Nebdoa32.exe
2452	Nnjlpo32.exe
4268	Nphhmj32.exe
4032	Ncfdie32.exe
2796	Neeqea32.exe
1836	Nnlhfn32.exe
3840	Npjebj32.exe
772	Ndfqbhia.exe
3348	Ngdmod32.exe
4760	Njciko32.exe
4752	Nlaegk32.exe
3448	Nfjjppmm.exe
4832	Oponmilc.exe
1292	Ocnjidkf.exe
3596	Ojgbfocc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Jeklag32.exe	Jblpek32.exe
File created	C:\Windows\SysWOW64\Ocdfloja.dll	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mibpda32.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Aceghl32.dll	Kfmepi32.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Nnbnoffm.dll	Jblpek32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbdbd32.exe	Jeklag32.exe
File created	C:\Windows\SysWOW64\Lpcfkm32.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Jehokgge.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Kiidgeki.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Jehokgge.exe	Jcgbco32.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6292	6188	WerFault.exe	230

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll"	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e1086066adb5655a4b58d80429bd9ade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoohalad.dll"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e1086066adb5655a4b58d80429bd9ade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 452	3220	e1086066adb5655a4b58d80429bd9ade.exe	89
PID 3220 wrote to memory of 452	3220	e1086066adb5655a4b58d80429bd9ade.exe	89
PID 3220 wrote to memory of 452	3220	e1086066adb5655a4b58d80429bd9ade.exe	89
PID 452 wrote to memory of 1840	452	Jcbihpel.exe	90
PID 452 wrote to memory of 1840	452	Jcbihpel.exe	90
PID 452 wrote to memory of 1840	452	Jcbihpel.exe	90
PID 1840 wrote to memory of 1596	1840	Jbhfjljd.exe	91
PID 1840 wrote to memory of 1596	1840	Jbhfjljd.exe	91
PID 1840 wrote to memory of 1596	1840	Jbhfjljd.exe	91
PID 1596 wrote to memory of 2460	1596	Jcgbco32.exe	92
PID 1596 wrote to memory of 2460	1596	Jcgbco32.exe	92
PID 1596 wrote to memory of 2460	1596	Jcgbco32.exe	92
PID 2460 wrote to memory of 3688	2460	Jehokgge.exe	93
PID 2460 wrote to memory of 3688	2460	Jehokgge.exe	93
PID 2460 wrote to memory of 3688	2460	Jehokgge.exe	93
PID 3688 wrote to memory of 3152	3688	Jlbgha32.exe	94
PID 3688 wrote to memory of 3152	3688	Jlbgha32.exe	94
PID 3688 wrote to memory of 3152	3688	Jlbgha32.exe	94
PID 3152 wrote to memory of 2052	3152	Jblpek32.exe	95
PID 3152 wrote to memory of 2052	3152	Jblpek32.exe	95
PID 3152 wrote to memory of 2052	3152	Jblpek32.exe	95
PID 2052 wrote to memory of 2500	2052	Jeklag32.exe	96
PID 2052 wrote to memory of 2500	2052	Jeklag32.exe	96
PID 2052 wrote to memory of 2500	2052	Jeklag32.exe	96
PID 2500 wrote to memory of 2912	2500	Jmbdbd32.exe	97
PID 2500 wrote to memory of 2912	2500	Jmbdbd32.exe	97
PID 2500 wrote to memory of 2912	2500	Jmbdbd32.exe	97
PID 2912 wrote to memory of 2352	2912	Jpppnp32.exe	98
PID 2912 wrote to memory of 2352	2912	Jpppnp32.exe	98
PID 2912 wrote to memory of 2352	2912	Jpppnp32.exe	98
PID 2352 wrote to memory of 2340	2352	Kemhff32.exe	99
PID 2352 wrote to memory of 2340	2352	Kemhff32.exe	99
PID 2352 wrote to memory of 2340	2352	Kemhff32.exe	99
PID 2340 wrote to memory of 4464	2340	Kiidgeki.exe	100
PID 2340 wrote to memory of 4464	2340	Kiidgeki.exe	100
PID 2340 wrote to memory of 4464	2340	Kiidgeki.exe	100
PID 4464 wrote to memory of 1412	4464	Klgqcqkl.exe	101
PID 4464 wrote to memory of 1412	4464	Klgqcqkl.exe	101
PID 4464 wrote to memory of 1412	4464	Klgqcqkl.exe	101
PID 1412 wrote to memory of 4068	1412	Kfmepi32.exe	102
PID 1412 wrote to memory of 4068	1412	Kfmepi32.exe	102
PID 1412 wrote to memory of 4068	1412	Kfmepi32.exe	102
PID 4068 wrote to memory of 4460	4068	Kpeiioac.exe	103
PID 4068 wrote to memory of 4460	4068	Kpeiioac.exe	103
PID 4068 wrote to memory of 4460	4068	Kpeiioac.exe	103
PID 4460 wrote to memory of 4608	4460	Lfkaag32.exe	104
PID 4460 wrote to memory of 4608	4460	Lfkaag32.exe	104
PID 4460 wrote to memory of 4608	4460	Lfkaag32.exe	104
PID 4608 wrote to memory of 3140	4608	Lmdina32.exe	105
PID 4608 wrote to memory of 3140	4608	Lmdina32.exe	105
PID 4608 wrote to memory of 3140	4608	Lmdina32.exe	105
PID 3140 wrote to memory of 3816	3140	Lpcfkm32.exe	106
PID 3140 wrote to memory of 3816	3140	Lpcfkm32.exe	106
PID 3140 wrote to memory of 3816	3140	Lpcfkm32.exe	106
PID 3816 wrote to memory of 3024	3816	Lgmngglp.exe	107
PID 3816 wrote to memory of 3024	3816	Lgmngglp.exe	107
PID 3816 wrote to memory of 3024	3816	Lgmngglp.exe	107
PID 3024 wrote to memory of 1908	3024	Likjcbkc.exe	108
PID 3024 wrote to memory of 1908	3024	Likjcbkc.exe	108
PID 3024 wrote to memory of 1908	3024	Likjcbkc.exe	108
PID 1908 wrote to memory of 4652	1908	Ldanqkki.exe	109
PID 1908 wrote to memory of 4652	1908	Ldanqkki.exe	109
PID 1908 wrote to memory of 4652	1908	Ldanqkki.exe	109
PID 4652 wrote to memory of 3452	4652	Lbdolh32.exe	110

C:\Users\Admin\AppData\Local\Temp\e1086066adb5655a4b58d80429bd9ade.exe
"C:\Users\Admin\AppData\Local\Temp\e1086066adb5655a4b58d80429bd9ade.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\SysWOW64\Jcbihpel.exe
  C:\Windows\system32\Jcbihpel.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\Jbhfjljd.exe
    C:\Windows\system32\Jbhfjljd.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\SysWOW64\Jcgbco32.exe
      C:\Windows\system32\Jcgbco32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        28⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        30⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        34⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        40⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        42⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3568
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        52⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        53⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        54⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        57⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        60⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        62⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5104
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        68⤵
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        69⤵
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        70⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        75⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4940
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3060
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4228
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        83⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        85⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        86⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        88⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        90⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        94⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        95⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        96⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        99⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        101⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        104⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        110⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        119⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        121⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        124⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        125⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        126⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        130⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        131⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        133⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        134⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        136⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        137⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2768
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        139⤵
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        140⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 212
        141⤵
        Program crash
        
        PID:6292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6188 -ip 6188
1⤵
PID:6252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
890KB

MD5
d51fc598724798d554e97bad348287b5

SHA1
4b8f0df34698e1973484933d3e9430b22b1a38a3

SHA256
6f9ef1234aba3a9f985887543987df65ec728c7f1f2241e11e919fceb6b74592

SHA512
16128bcf75c72d03afd6e1689a7cd2873af0453c7c8166e4e54247c847b9e1e321511ce08a75fff618b8ff8dc0bbd8ca000f59983af60c709fc33a31f9faf019

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
576KB

MD5
d527a537f5d23fc1152b4a8a74f29864

SHA1
ec37a03c9215a6711b785d00702a31589b7daf10

SHA256
04b7d32aefb387f17a7150bbd09f3f58b9b5eeba97ab35b69fc85bcad3bcd8a6

SHA512
dc6e6217b7a0aebd66b102640a3dc1738e4eef65a38e3336cbf5979ff1af040e7569719518b2e37d43864fe1e03e4f769c6f90777fbd6ac865cb3fb158a2259c

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
890KB

MD5
4d0c5cf213f1997cce31931e0b5f22d9

SHA1
5c63f2671abfffcdd526c6255d8c920bd813ff11

SHA256
5a32104ed938f840d54f5d7e98485ba5c95ca5f81169f1ee1f806314845d1d5b

SHA512
5007b391774164e489edf59d04e9ab20327cf2bebc0cc0256885878e1463870faacc5522bd94b1d521af17c7eb5cb54925a711322fdaca684f73df8b208cbb84

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
890KB

MD5
0d87a72632c3ed25b6b5eca3b5219d42

SHA1
1ccb928d75295011295e8b60b2d5b2305b81af29

SHA256
87497b37ea0f82b1f70c443e528ce5086007885f20e3f71f37291778e89e2f54

SHA512
0aec5b1b0adb963ae963d3b3c7c7b185e87dd461aeaf65f7e68b5f5bcf66d67ddea32f8a00d31f0119107aebb9dfb85a7d83642c14bdb5ccb681418cc95d41d5

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
890KB

MD5
e343b1c52b992678421376dd601bc47d

SHA1
0f6f0ea6692611a09d368926d482424a3d8d6f0d

SHA256
bf0fb283891ab1ba98754a6741b04acecf6396d565ddae9dd40b8b4a597e0374

SHA512
a356b1cada9824c2709a990db94546fde40ad8700fbd1aaf2b70874ad6805174c49521555c56afdfe82c484fa6b616da68b4e7f75d0c08990cd28b472173c155

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
890KB

MD5
f10f2f6103234f14ea179517a95b8a0e

SHA1
bbb6d60197b1fd9d17bcdea41435632314e1237c

SHA256
af52dbfb8daaaec69703f3bece6ba6e45dde5afc18e424caafbe3dc8112dc24a

SHA512
8ae2b75bd3b9f1624ad9fd5795f4a991753a25e905a3ad80e39c9fa5927fec2517c583a9311e7828efacb186d21ede11a3c2208de1580794af9b2dc0d85d00d1

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
890KB

MD5
64edb51210c86fb662cd300f159f3443

SHA1
4373317457464d47530d5d0e1432d90deb44ba6e

SHA256
92e80fc100344d9bc55f414104079c546862c306530e1ae6139d867e0c16427e

SHA512
1c7eeac0c3261e22740e4b2a04f69c3f7e3be90c882e7b29815b9a076d0f0b52c5f47fcf04a6b40968b5a7ea2621c9f5d9e0661316aa9fdcefe67a5da47a1952

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
890KB

MD5
7e8572f3877fd1fe7a8318d986660056

SHA1
b6c664209506cebb01235001f72c0e6b952e8548

SHA256
acf1a8a785802f1c775ec229c6848bd8013ca4a2142a42d766a5295490da1fcf

SHA512
a9f8cc86d3f79aa19224744bd96015881d27715b89f0a93590f1c5e7cb654ba9d5d49b6af2d4e4f5024bba406e7af978523de8fccbc54246ab4b66a4c2d1e566

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
890KB

MD5
e65bf557bcacb916335e54edcf0fbe31

SHA1
de69524fdc9167e00e735cbf365f41bfaaee2f48

SHA256
b3bada94adb5d4d185a4fb8ec813bd6c56e5cd8068cceb1097c133c17b3b0356

SHA512
0362ecdd84809a5f11426c4c5db7e2cadedbefcc0a7f34c3823aca176d6ba3e53b6cb3b54ea53e7e48a492dcd9a888b8e19c5aba70672c86d02cf7c5e3c32cd9

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
890KB

MD5
f061e9515c04d6ef7c3e6731840c9b86

SHA1
532bf9815042fc35b143482b148c0ffc37ec223c

SHA256
63caf62220e24f03c4c36251d5d0efd97858f069e247822155bb6b32d39e549f

SHA512
acfd04261c43145b52b0f51d5a99329af6cef66208b9b90243ca7f01602a1194d90d217296db15df67369efa99351d18312bd279ff610b0e727b064c1845c7a7

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
890KB

MD5
822305a59c57136705ec8162874ab746

SHA1
1b15530d717f38b82b58d98da4e255b8391d3df2

SHA256
4015002a7814953862773e6f2e2e0a4b9c9ee7addf4e8c515950cc803e038945

SHA512
cecefa3d9f7f157829c80b7f63de0da01eb3c742403266923c6a6112b96bf40ab9e81783cbb72061713ac21aeee464f635c37377dea78e4e9cf69dc0ea7ef620

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
890KB

MD5
9f05196ab73caffd352175b84905b173

SHA1
2ff731da4b783e2e18387e9cc048acb642f20e2a

SHA256
3ab143f495cbd011d30d42b9e2f255c6d8bb60015865492f6ce96cf924a65655

SHA512
a991ca3cd40330b7d142d11a5e8cbe6ff5d98de525f1db6c25f5cc2b08c377bc6b3db46b567b835e5eed7595db89dca2faa9d47b94bcb173c3aee0a74e16acb1

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
890KB

MD5
102bbcca6b787df309b32d8dfeebdc22

SHA1
febb8c003054063d565ad196311e071a4ba2ba05

SHA256
406ae7b0cff5fa2bda2fb20e23f2a1d4a9ea76ac3a4a7c6d4278eab238c20326

SHA512
333d5e9014fa18a20b77b311bce08a41b602d3f12156bd89e5087d51b257b7150c89e60125bd361b2950f563252ca5758b23630ba1645bd1201fa3562aee3e47

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
890KB

MD5
f59906618964d541a44a121d0a95005b

SHA1
d958e288cf523826205bb8bbac967789c71f8f26

SHA256
28beb4ffabcb34c91702804f551937cedaa15d61860bb796b592c83eb9aa50fd

SHA512
9bf9a35885db58c0974363f35012929b318becbb50a75fb615ebdf2f4f68cf1d076f222caafbc78f9c20e9d826ab4badfeb591f0c79e2db9b5678bccfd0dbe3d

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
890KB

MD5
68447b3d09346df9f04a14c6caebfca1

SHA1
f93dc6da4bbe6e4c9dafad01ece607fdb80381fd

SHA256
7f5031b76243d6263bb35177f2cfd13c8b90604bf59b9dc8c1a677692a1267ee

SHA512
1b1a9e411a1d24e5d188d46a2372a056de85acf3f82e7dce3f002fac66d643117eaaf9b141013f7fd2c818a804757331fc33813289cf9edf43c8250f510989dc

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
890KB

MD5
111a03cfbdffda5b17b95e250eb0386e

SHA1
1975e1bb7598c0855de6763257e1576f614ce9dd

SHA256
a6d88de2cd3a40431d44e8624370f971cecde5e93b347b255843176bf63fcba6

SHA512
cff1d2e92b0a6eaae72d92d7d57f1eb193de5089a748cd6d8f06a3ee6e83101cc56b75e243a56b37bf062d2f5eadf63bb646dc71b222a96249788d8dfd3bc37b

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
890KB

MD5
eb6783fb81676bd7e9d1340eaa54cca5

SHA1
76dc6087e634a3af9da73afd6167f56b61765f99

SHA256
89da7e4bf5824e70585c9c1bf3975ba5459051454ae3fdb9b9d23c61314fffb7

SHA512
5b16190b5e7be2f8daddf530f08a310e62f00fdfd7356fdc8e10899784a752212e9118bc170277a15989621960ceea3a1026924e869668e03b4f19890dad3d7e

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
890KB

MD5
0013a59a261f067a39b7aacda8e172b3

SHA1
d91f31f514d81499b0b2ee340690a88866f67550

SHA256
1a4a846598faf2403a6cc253605079c0db9145b231bfd972fc3a686bfc31c745

SHA512
0c550b7690653fd9a9781200e4c15e7633f482e604a0adc907d782205551a8d5a546814f7ee2b077a51b313bee2a0947a5d63fdd1eff32d8503c0433a211c4ba

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
890KB

MD5
d1a82175ea1b01015d644648ed60a887

SHA1
da6654eef2bc7cf992c4d0454a1b5d78bc301e2d

SHA256
50020a92c4601ecd94154a467fc29721f9c79ee9e4b23a01c5fc029730c60ca8

SHA512
3b571ab955b995b9c6e635965935046c2f08b5099abe60f9be735cbaa09f775c6e530a73e151d6e9eb2a5ee35a1e67ac103d4da5cc3990800aa5a7228fb2feae

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
890KB

MD5
e82d3041270965f877bca76dadc331ec

SHA1
8d318eb3b2c7b5371231880cdabdb54026f63340

SHA256
0f5f8d090fa513d36a741cc2ce3fd2820ff8cad9d10edb7bfb9bb57c391f9f7d

SHA512
3e7f9face3784cbc5a7c82bce0cb3e9b8b99da8d4f4fa5ae160ed5c16a06aff367aab8941a67e4ce096220f7fc7a5f3ddcd47983c5c18b9a825ab9d88bdbc3dd

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
890KB

MD5
13ed3091bc222dd25a1f9f3753a24184

SHA1
56b86668528ddb66a0e000e7e3687985a19aec0f

SHA256
d5d12412ca2ed1e6902a8a095ae68af673bbfac7ac0b12a498f92fcd29acf79e

SHA512
14e857510fb7046542e8cde2d44ce1aade226884a7856af72a5d42e2cf8bbb9435d9b9b464c7645324482aa8f0fc172bd0e48134f5344b347697cee0cf670619

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
890KB

MD5
8bc87ae197a135750a381d2146bbc085

SHA1
569e77109272653b8eb20ebec9aaac7738689bad

SHA256
7a0f15bb4a17a05ca6b3c49dce7083795a630c20620c00efc5a8d07e0f3281f6

SHA512
a6a2c7fa16bc32e3fee2db973416d857b6d6bc02586c8b051e1a69d4e37068ebbb0035953b0a4dd8b51455dc53ff999dbb3220385ac2707512a3592a7454c526

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
890KB

MD5
5d19d62ab3285e08b2f3b74f8194a575

SHA1
23bc6630ce6dd8e911372495b1d9b2a0fff0462c

SHA256
dc15a739c6d129ca11ce7766cf4a87928f67ec5e5f6287aa68555099cd502231

SHA512
d9879ad59fe08baad613249b254a8fc126241d758145a03a3034a38330ef008fc5a7813b905a46243c28163bebc91ec1355b912aec6a8a8e97f48ada6be40ac5

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
890KB

MD5
f77d2394e579826fe1df3abe792cf572

SHA1
f7c395584a358f0ec18fe6cc01bf241bbd6d7226

SHA256
d2dd4538795e74b841185b0d6d0a066454b8e41eb9d063a24643489c4ed97ea6

SHA512
0e6b8c09f7fd9cb6ea12fc8a0f5852642e970271bfb5615c8faf87e82d39749a6e817498db951c4d79b3f1fad384111b5eb3ec723cddba280a07940e02703e7e

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
890KB

MD5
6f1782331e0567bd3ad453b70da01344

SHA1
097495bde75513d8090ea872e735eac33c3a3db4

SHA256
535d4a0af2f207e2ce7d8a8e79f4f27887a240dd959731b78ecc3639c9f95b77

SHA512
55b2e1c6877920604d2cb2168b8c33dd76702bcf8e15eed99b086690fb8dde99c639308ae46ce9f6d410fae2fe9c257de3655cb49c1669545baae1755e500769

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
890KB

MD5
2c511291927085d8cb6778278f55977f

SHA1
af2bc79b2bdccc262a6983bd1c3e4d00288dc749

SHA256
886e5e1d3fd0969893211746834564296f3111978f8a20a3fd6d46fd3c48f2e8

SHA512
c13b57c8a0a0496434b67e9fc971ffd18592b166d9d9c8e882bab7d01be492012b88db8b2a4cfb98c22a1dfa346ba34724361d4d0d2f4b4d53e4f289b3348b75

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
890KB

MD5
4b503f56c9218ddcdef8bc57c8db6f82

SHA1
2c7f4900a5ac84e21d627649951fe8760d3ecf3a

SHA256
9f39cf5824ca22579c9b98e3f6c4cfe44e319c492fc463d6b1f8a61b5a27a1c7

SHA512
a255fca06671fe6c46be75073c18bff36e697e4545b179d5b67d93f56c2e9df43a800bad642fc14ac5668adec7077084560849247e173d89797c82e95e4da71f

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
890KB

MD5
7aa563be1f640cf10ad2cc700cde0465

SHA1
6a85ac39fac3b040a0bde9cb32738dcacc0ec02c

SHA256
26a2b0aeb268c2e0d4252bb8589850c6a6591101d5d85a2c48db3541827cec40

SHA512
2781d59a0cf8c6f4ad08df7d54fba7ac95d67f85204e9155446895904fcfa6ad37f8a61c5b7c4a94c381c865f614f01c10f69adfdc59aa42f769bbaaf90ce489

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
890KB

MD5
2561aba138cb3b9dfaf2eeeac56caa5b

SHA1
a6c739fa240805f107c03065b8cf7bcdcdcbd081

SHA256
57f12f93eedbb175795323c96ce41fd7238d6a43e761d254d983347faaacd54b

SHA512
d90febfd452b25637b9a931393831dbc4f5cc26f26a70517d0a7eeaa296e971bb3f7f1068b8e0ae0e85ee2cc3faa21d64943b994d5fde3db4b62e6326be76c5e

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
890KB

MD5
9ae49b3358b13ace5e4dd6537f365546

SHA1
dd85dfb849c2c53f37e46fc1e19ea3d6e1c296b7

SHA256
33953a3c05f684fdb7fd0971f2dd95a13ebb611d0691f5b93ae26bb99aab7f73

SHA512
58c5ffd2efcf95672636fe9e7260a6edb0afd14e437a664217f2c21b402cfebb65b897302a3980302bcee7c7df0ca20277d8051eb1e4ba8bcfd53302ee7fc8e6

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
890KB

MD5
dfca0da6a69d8065eae816ffb14d34f8

SHA1
c438ba2fd618188128c4f303e99cff8d37f46fc6

SHA256
e1b1f11ccd07941226f74bb6e5e3969b79baf5cbef9e92471c7433039739ccd8

SHA512
1d31391c1add5661996c7906b33a53100de9d1ce04e4670ec1da7edaa39f31c2eb657ceb5ac67fbd6df7e45a31e7b8263e1124bd156af868075680ce15755f40

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
890KB

MD5
568e94b6ad532a9553d3120e2bfd0473

SHA1
cfdb265b5798357bedec0251f0c9291f588d1608

SHA256
a08b0b85af1faccff15509c9c9d2abbfd690a6b8d20dc0e7fb2a4fa7a3e34688

SHA512
db17ff163efa529ac33a862bae722cff341ffa7d769fc3c2f0fc856d9206e54d8c74f371970c3d3afb3c334c0b5570d5785ff8273eacec61d7b2221d8b106cbf

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
890KB

MD5
5c92ee25c4703e8ef8a20ccd91b5a6b1

SHA1
524c9466092f66c48892f8e62b59bc70351070ba

SHA256
58400dea8624c29618973642dcbf9c552dec34ba6ac5ab151e698bf8b87eac78

SHA512
3bd170df2acd6bff85915479ab87745881fc1b7539c2e207a27997222772bc9c0ae1e332f78e3c1ef77a2898668e4e27a0b472d9123d8c28b465e694207031e3

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
890KB

MD5
d7a61994a0e2a92f76b375e074fb0de5

SHA1
4885955a0c1b4ec73d1f4f11e484d44b087edbb0

SHA256
a25fb39d0902f2d519df957498b7928d32aaf78003565d77a2aed13a1f73138c

SHA512
7262b479911122be9804457f347ecfa04036bd2c42af45bceed1707fa1371eafb8f24200354ad0f26b6d8b06bb55d942e01e07c8bc8a1e5f28943b48a42c7bd4

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
890KB

MD5
df7d43d422e5345d4c1b1be4391d00ed

SHA1
0b9d9e16a2a4ad59691f1b0753fbb55fcc78768b

SHA256
842abd9d83bea58bc7e32dff0a2f467d80c12c5d1b39b460148aba78a2bfede1

SHA512
e7986007a9502c8a13e4352fe3c6ba4b8a1e4aa07f1e3026dfc8bb3bed5919560286c9b1e6928edbf394f3d2758d603ab1e75ec2ec7473b5565d36c523de4996

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
890KB

MD5
376331ed50640ece9c0bcb91c180c892

SHA1
c1aacebb9ce47a8e9a62bc1a683a66abf84cb3ba

SHA256
12907506d5276f25d7f25b8fcc2b14d71e049c30a4da1948625480c062d525a8

SHA512
30ea2cc13f7d496903ca9bf50c4c013a0415e0d17b2a6711aba9b52c9d388c5b77e3d5abd74fad2ead520cba14a0fb7805c3d254271bea8fa0a5ac2df835a671

Download Submit
memory/228-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1840-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-902-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5124-913-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5140-934-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5212-933-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5272-932-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5384-911-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5428-918-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5568-917-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5588-928-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5604-947-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5652-946-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5664-927-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5692-916-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5712-909-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5724-926-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5728-944-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5796-925-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5812-942-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5836-905-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5860-924-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5876-910-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6016-922-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6068-936-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6116-921-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6140-935-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6188-900-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads