d9b341db1ec979b38e4b0957789c4740a04c111ed6ef00ad1b29d12bfc109d28

Analysis

max time kernel
136s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9b341db1ec979b38e4b0957789c4740a04c111ed6ef00ad1b29d12bfc109d28.exe
Size

89KB
MD5

14f78af3f2e2fbde0864dc0110f352d6
SHA1

4b368ad60a5fbfbab20ca22bc2cabd16040a8cec
SHA256

d9b341db1ec979b38e4b0957789c4740a04c111ed6ef00ad1b29d12bfc109d28
SHA512

a251240b7cc534eaa6b4bbf297619884fbfe7bcb0f22b526602a6b9551812025e641b50b6c17be839b1f6ce653c67cdc6223daae924dd0f51bed933fd1568433
SSDEEP

1536:E/me2Pm/qjKshgX0yf/k0RuCPvnOgGlYqMbxAkd73STcFhlExkg8F:E/me2Pm/qWshgESM0dPvO7MbDdKcLla4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d9b341db1ec979b38e4b0957789c4740a04c111ed6ef00ad1b29d12bfc109d28.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe

Executes dropped EXE 64 IoCs

pid	Process
1228	Jifhaenk.exe
1920	Jlednamo.exe
1476	Jcllonma.exe
2744	Kfjhkjle.exe
2128	Kemhff32.exe
3020	Kmdqgd32.exe
2708	Kbaipkbi.exe
4564	Kepelfam.exe
4264	Klimip32.exe
1196	Kpeiioac.exe
1016	Kfoafi32.exe
1364	Kimnbd32.exe
2176	Klljnp32.exe
4112	Kdcbom32.exe
2544	Kfankifm.exe
3128	Kmkfhc32.exe
3624	Kdeoemeg.exe
3616	Kfckahdj.exe
3992	Kmncnb32.exe
4288	Kplpjn32.exe
4372	Lffhfh32.exe
4176	Liddbc32.exe
1976	Llcpoo32.exe
5104	Ldjhpl32.exe
3760	Lmbmibhb.exe
3892	Ldleel32.exe
4696	Lboeaifi.exe
4492	Lmdina32.exe
4400	Llgjjnlj.exe
776	Lbabgh32.exe
944	Ldanqkki.exe
3916	Lebkhc32.exe
2032	Lmiciaaj.exe
2736	Lphoelqn.exe
4952	Mbfkbhpa.exe
4216	Medgncoe.exe
3236	Mlopkm32.exe
428	Mdehlk32.exe
1504	Mchhggno.exe
1952	Megdccmb.exe
2340	Mmnldp32.exe
4156	Mplhql32.exe
2648	Mckemg32.exe
2072	Mmpijp32.exe
3092	Mpoefk32.exe
4904	Mcmabg32.exe
3480	Melnob32.exe
712	Mlefklpj.exe
2844	Mdmnlj32.exe
3152	Miifeq32.exe
4660	Mlhbal32.exe
4020	Ndokbi32.exe
3100	Nilcjp32.exe
5080	Nljofl32.exe
2480	Ndaggimg.exe
2164	Ngpccdlj.exe
4592	Ngbpidjh.exe
3880	Nloiakho.exe
4672	Npjebj32.exe
3076	Ncianepl.exe
4528	Nfgmjqop.exe
4396	Nnneknob.exe
4928	Nckndeni.exe
1640	Nfjjppmm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lmdina32.exe	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Pmdfog32.dll	Kfoafi32.exe
File opened for modification	C:\Windows\SysWOW64\Lboeaifi.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Lffhfh32.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kplpjn32.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Bjjplc32.dll	Kfjhkjle.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Allebf32.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Kmncnb32.exe	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kfankifm.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Lnhjmp32.dll	Jcllonma.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6960	6660	WerFault.exe	265

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d9b341db1ec979b38e4b0957789c4740a04c111ed6ef00ad1b29d12bfc109d28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlineehd.dll"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamhhedg.dll"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjpohk.dll"	Klljnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pjmehkqk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 1228	412	d9b341db1ec979b38e4b0957789c4740a04c111ed6ef00ad1b29d12bfc109d28.exe	87
PID 412 wrote to memory of 1228	412	d9b341db1ec979b38e4b0957789c4740a04c111ed6ef00ad1b29d12bfc109d28.exe	87
PID 412 wrote to memory of 1228	412	d9b341db1ec979b38e4b0957789c4740a04c111ed6ef00ad1b29d12bfc109d28.exe	87
PID 1228 wrote to memory of 1920	1228	Jifhaenk.exe	88
PID 1228 wrote to memory of 1920	1228	Jifhaenk.exe	88
PID 1228 wrote to memory of 1920	1228	Jifhaenk.exe	88
PID 1920 wrote to memory of 1476	1920	Jlednamo.exe	89
PID 1920 wrote to memory of 1476	1920	Jlednamo.exe	89
PID 1920 wrote to memory of 1476	1920	Jlednamo.exe	89
PID 1476 wrote to memory of 2744	1476	Jcllonma.exe	90
PID 1476 wrote to memory of 2744	1476	Jcllonma.exe	90
PID 1476 wrote to memory of 2744	1476	Jcllonma.exe	90
PID 2744 wrote to memory of 2128	2744	Kfjhkjle.exe	91
PID 2744 wrote to memory of 2128	2744	Kfjhkjle.exe	91
PID 2744 wrote to memory of 2128	2744	Kfjhkjle.exe	91
PID 2128 wrote to memory of 3020	2128	Kemhff32.exe	92
PID 2128 wrote to memory of 3020	2128	Kemhff32.exe	92
PID 2128 wrote to memory of 3020	2128	Kemhff32.exe	92
PID 3020 wrote to memory of 2708	3020	Kmdqgd32.exe	93
PID 3020 wrote to memory of 2708	3020	Kmdqgd32.exe	93
PID 3020 wrote to memory of 2708	3020	Kmdqgd32.exe	93
PID 2708 wrote to memory of 4564	2708	Kbaipkbi.exe	94
PID 2708 wrote to memory of 4564	2708	Kbaipkbi.exe	94
PID 2708 wrote to memory of 4564	2708	Kbaipkbi.exe	94
PID 4564 wrote to memory of 4264	4564	Kepelfam.exe	95
PID 4564 wrote to memory of 4264	4564	Kepelfam.exe	95
PID 4564 wrote to memory of 4264	4564	Kepelfam.exe	95
PID 4264 wrote to memory of 1196	4264	Klimip32.exe	96
PID 4264 wrote to memory of 1196	4264	Klimip32.exe	96
PID 4264 wrote to memory of 1196	4264	Klimip32.exe	96
PID 1196 wrote to memory of 1016	1196	Kpeiioac.exe	97
PID 1196 wrote to memory of 1016	1196	Kpeiioac.exe	97
PID 1196 wrote to memory of 1016	1196	Kpeiioac.exe	97
PID 1016 wrote to memory of 1364	1016	Kfoafi32.exe	98
PID 1016 wrote to memory of 1364	1016	Kfoafi32.exe	98
PID 1016 wrote to memory of 1364	1016	Kfoafi32.exe	98
PID 1364 wrote to memory of 2176	1364	Kimnbd32.exe	99
PID 1364 wrote to memory of 2176	1364	Kimnbd32.exe	99
PID 1364 wrote to memory of 2176	1364	Kimnbd32.exe	99
PID 2176 wrote to memory of 4112	2176	Klljnp32.exe	100
PID 2176 wrote to memory of 4112	2176	Klljnp32.exe	100
PID 2176 wrote to memory of 4112	2176	Klljnp32.exe	100
PID 4112 wrote to memory of 2544	4112	Kdcbom32.exe	101
PID 4112 wrote to memory of 2544	4112	Kdcbom32.exe	101
PID 4112 wrote to memory of 2544	4112	Kdcbom32.exe	101
PID 2544 wrote to memory of 3128	2544	Kfankifm.exe	102
PID 2544 wrote to memory of 3128	2544	Kfankifm.exe	102
PID 2544 wrote to memory of 3128	2544	Kfankifm.exe	102
PID 3128 wrote to memory of 3624	3128	Kmkfhc32.exe	103
PID 3128 wrote to memory of 3624	3128	Kmkfhc32.exe	103
PID 3128 wrote to memory of 3624	3128	Kmkfhc32.exe	103
PID 3624 wrote to memory of 3616	3624	Kdeoemeg.exe	104
PID 3624 wrote to memory of 3616	3624	Kdeoemeg.exe	104
PID 3624 wrote to memory of 3616	3624	Kdeoemeg.exe	104
PID 3616 wrote to memory of 3992	3616	Kfckahdj.exe	105
PID 3616 wrote to memory of 3992	3616	Kfckahdj.exe	105
PID 3616 wrote to memory of 3992	3616	Kfckahdj.exe	105
PID 3992 wrote to memory of 4288	3992	Kmncnb32.exe	106
PID 3992 wrote to memory of 4288	3992	Kmncnb32.exe	106
PID 3992 wrote to memory of 4288	3992	Kmncnb32.exe	106
PID 4288 wrote to memory of 4372	4288	Kplpjn32.exe	107
PID 4288 wrote to memory of 4372	4288	Kplpjn32.exe	107
PID 4288 wrote to memory of 4372	4288	Kplpjn32.exe	107
PID 4372 wrote to memory of 4176	4372	Lffhfh32.exe	108

C:\Users\Admin\AppData\Local\Temp\d9b341db1ec979b38e4b0957789c4740a04c111ed6ef00ad1b29d12bfc109d28.exe
"C:\Users\Admin\AppData\Local\Temp\d9b341db1ec979b38e4b0957789c4740a04c111ed6ef00ad1b29d12bfc109d28.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\SysWOW64\Jifhaenk.exe
  C:\Windows\system32\Jifhaenk.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\Jlednamo.exe
    C:\Windows\system32\Jlednamo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\Jcllonma.exe
      C:\Windows\system32\Jcllonma.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        23⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        30⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        37⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        42⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        46⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        48⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        49⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        50⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        52⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        55⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        57⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        60⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        66⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4896
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        68⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        69⤵
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        74⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        75⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        76⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        78⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        80⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        83⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        84⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        86⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        88⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        89⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        92⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        94⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        96⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        97⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        99⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        100⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        104⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        105⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        106⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        108⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        110⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        112⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        113⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        114⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        116⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        120⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        121⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        122⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6148
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        125⤵
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        127⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6368
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        129⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        130⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        132⤵
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        133⤵
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        134⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        136⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        138⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        140⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        144⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        145⤵
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6256
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        148⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        149⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6488
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        151⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        152⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        153⤵
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        157⤵
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7040
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        159⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        161⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6448
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        163⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        165⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        167⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        169⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        170⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        171⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 408
        172⤵
        Program crash
        
        PID:6960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6660 -ip 6660
1⤵
PID:6740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
89KB

MD5
4ed83c5ab03615556837ca8714497fd7

SHA1
9ee75fdc95ef4046447d58014f3438ab0c9d2b87

SHA256
d1629073664fe41984731e34332b323921a58a44dc9aac96d6128f9d7dbe6003

SHA512
4276b9db8dc2bcf5c4bdb4afd0a7f6df8ebef6905140cecee1ac5a86e295f16f450905b5b4ae10e3cd91f1c3f3cab867d1d26f854b8f6cecd4232c3fd8794a04

Download Submit
C:\Windows\SysWOW64\Bjjplc32.dll

Filesize
7KB

MD5
65b8444e88f3643f97fa901af14fcd1e

SHA1
65132eb058aaefbe67c5e6ddb3f8b54862a5ed96

SHA256
a36da37d50dac67de9d5169e9c0fb54f3864828bca6b358ceeff118dfd76bf83

SHA512
cdeabf6b9a2f66ba22a339bcb1d9e61bf9ad3c872f29c03904ba2f38352434e4c68215a98d4a68d945755e0b13bc5f74cf72a4fa80711e4b4a81680f8f02c710

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
89KB

MD5
d91de5780999bbfed37595c7c4b6f556

SHA1
0b0ecb84471798fd7b2385ebce694285e1eb91b9

SHA256
2cf2d0497448e3d3997a10fa810c1cd91bf888191b16ee764feacb9a9b9cbb39

SHA512
b628173c5d490a8cf51336d8c3bb5abe6f6a7805863a6e55dc8d1f0afea994b6edce1d5ee91261a7d11379a80d2af56f36f18efe2447eb143eb5933504b3866e

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
89KB

MD5
0720783f55fe41e1237075f3fab8cdd2

SHA1
f1cf4305e8feb131e9edd2621c80829ccf18188a

SHA256
c0ec5f4b8720f1f720dcbcb74b405ab0f065149993b44ead81184a7a7e6d7fc5

SHA512
0080a1821bf787cb522d5592dea5c0e4a80ccc8f5e271b216c7f1eb1510f0f246b84a2c1c7e002ccdee3a177426b46227d6748751d345d5ca8acba1e1429d47d

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
89KB

MD5
41ab02e267dcbf7fb08bb0c6ed729a53

SHA1
dd1863b304b15a0d837239956949b7761f0c6937

SHA256
4dfd57125723f96078f04595227848bed89003ef0899031afe88fddc88ff8c36

SHA512
e75739eff2dbe3efea0afccfb64191e3d441fb811ffdc9d1d8a8fc5c9ce9669e52b7b64cfa17f1c7daa08e5c0394146ed27d023e3638819c0d6eea8794762529

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
89KB

MD5
525072ee472b58c01958fbd0edc8870d

SHA1
9afb95ae2efa73e6c43b5fe4472a793f58aa9a26

SHA256
7d76023604b50b45839ebbb2436ae094b759fee9e311c99cea9ec0a6beefd974

SHA512
63071e4afabd7d7c6beeff299634033eabc1029a4f1757d47087d64643ae6c437344080418cc9725e42fbfbc5520fa88be72566cb5ad884239f80cd2163aa385

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
89KB

MD5
3d29cb56adb115923fcbfe02f23ba4be

SHA1
d29f56ca96bbf20396bc09ef204acc1c5a144da6

SHA256
cb4ec05516344eb846a38b37dc65f5afc67027b184e04cfe52dab4a424b865f3

SHA512
3c715063af49b3c04acb8834f4dae186d50ef27e7acfb3b1ac4d6e653244dbffbf044b0b93ecde0c872ac14e021777dd7356c036985bd22a679dce141de08df5

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
89KB

MD5
8f2bc676d9d650f719ea40447e034de5

SHA1
a1ad12e12dde37729852ed880a3daa8022e7b482

SHA256
c1208ba3b1002840e9a7d8484bcb7bc9a19d7b8627eb06f1faa5ab653d5e546e

SHA512
1741cb6f75c30c49da24882ef256db9ed75c580e0dc319d1a7a2b23918eb25b84b290c878a76831b4a9bb16e589584275597c99ae82b2b0c21b476ed918b7c4a

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
89KB

MD5
20afbecad89734511e3af5a4737d5c95

SHA1
c79cb4fbeeadd3b10fadac2bf54c07f0224f15b0

SHA256
c96bd890a11266696dbad7c359264b6f0b77885ce604554033cadc37646834c7

SHA512
daa93f7d4149ae03c7268c4a65bd93fe110f550cebe3406dd2525b8c1bc80e39cb3ad5e7a2200c413107066bbd55ec102bea3992f0887c004319ede8b49e4f0f

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
89KB

MD5
64d90ae8aadb240fdc5ae359f7330778

SHA1
864512635a4121ad6d27c0670213da1b5e9c54e8

SHA256
3c17c15e9e7eabae183a1a9bd63d052063e73db38045784ce8b3d10da7dede54

SHA512
853ced446053607b0c6b86f58bf1174ae250a9b53b37337cb2adf5a6649118159e0ac7caecb754e7e47750ce523143fa5d9ca30e0a2224edac1bc7ef5c6f121e

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
89KB

MD5
9237f6a92578a3868aec11d5c35bb07c

SHA1
2c17a2d01ffdcd3758f504c885a0082c8ceade33

SHA256
dd20d89dd08804316420fc23679c12f9e7687c630601b65dbb41ba6df6228d39

SHA512
0f518cdcedabb16d62979541cc14fcd7e9b70faba2b35f9c03a88bb110d7300d46da88d7d458ef7c5abfaf74713633ed2b3a735bb053c094866860c94cef56f1

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
89KB

MD5
69a1c50fcbb719420ea2c09cc5180048

SHA1
04900197544c1d273642d586cb42b2e3c5beeddc

SHA256
8f3dcc033bd0626b67bf181ec38a1a479542f821a132a406458557808ca90e35

SHA512
e1dcf73cf37c5845b57e552f2b4874143cd3e0e44ac4b175448a3b2faf1efdbf81e007af62d800ea41d7af8ab4ab4db6a6eb05632bb19c413349399fc6dcaa32

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
89KB

MD5
da5d6dda7675b7731df3857de9d21dc3

SHA1
3209d3be4facb82d535ed68c91d7431085f005fa

SHA256
a0672cd5ad44d8c9d8b5c6bfecbaf750c51848a9ffcf07c45ccdd508b70f0119

SHA512
aabfb40a5b37e757d7d4028bbfb4bab984c4db20ffd32fdffb0283b9cffe6776e3b24fa8f272e169eab6f0775faa4224207525fb12d27344820dac05362964d5

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
89KB

MD5
b367fdff95b9ae5abd80e5816420ba79

SHA1
6f9a80aec4c7bec419e50260c683221bce55b298

SHA256
18946f5d16793ddc604005c13f9f6b50622f7f121f3b85e5aa47d279d0ee12d2

SHA512
d9f9d6365163fb8e64bfc03bdbbc0310060ad770363a9f1aaa80ba0f3331e810e32fe9f91098b3a7440f8b5f66bbfd0df57c87d12a96045f4dad9ec2a2232649

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
89KB

MD5
203231c2c57ddb9e1a9e70753cae2dfc

SHA1
074aa9a4697a614a4812841e289e9453b8110366

SHA256
350fe4a1f5eb4229c08f10fa727a4173d13bbb54758adaf30219bb7e4135bca4

SHA512
bea0b2a995c088911890dccefd122ac292a5bb42b9c50266628bb21193249162ee27d1917e99992bba7437b6f2525bcaaa4da4c5b04ed3b8e47cb6b0ce03706d

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
89KB

MD5
0197951366008214cefe85eec4390e5c

SHA1
cfade0103ac6a83459344e2dc8cdcb94b7d60892

SHA256
46ca95e9c430ac488d4979e5a05e6ef3968a6caa2140efbd08dbbec5323d4149

SHA512
94e3df32ce814c584cb175dac6937783b5a50c71ceb1a53a2218de27c10975db7298eea465733dd06127faf4f154751e771bb6cb58b07e37ca752a88a828a487

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
89KB

MD5
a23d64059c4fdc44b4e103745c975416

SHA1
92479419a4aadc339f53d5a4a160ab960bae1147

SHA256
d074889ba1b2affbc374bc30ab2e6bb622445c5f82b3dcb9e7440354d33846b3

SHA512
cf41a8f7e8f6f3c06917c49fcc5e704869ed98b864e0df8216a36e6007d71ba6311a7fa6c3e283893c734da269b5fd28ca4be730bb344b44c0437007322c470f

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
89KB

MD5
5ebd0a51f63e8602ebe3c27615b6c4c0

SHA1
4000884c2f5e77d5f2b5e5b54875c06c11592658

SHA256
90d44cc43fe6753018a03f93fa61aa38ff33a897b95236873901fdb3e48237ce

SHA512
afef49a7627683d714ac1c62835fbe9e5ba123008c3cc790a78b888a6df136eae8eb49b4674b289b2d43b7c91bf4a6e8a3127cbebc262910d0a43925ff17220b

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
89KB

MD5
340252110957e5a03fbca8707e4e1ea8

SHA1
eae380bbedd9770bc709f43008b46aea14632fcb

SHA256
84b4cd9ad081d416733156021177e14c9c480167427a9bc4df4c8e5b7b998cd6

SHA512
23b5d142a383d76269863c734da1917b8846b286373df565a0839371512d38c0e3c1673fd1382aae829aafc5b9f13412302adfca5264943dfcee98a2feb7670f

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
89KB

MD5
22e32e7f2bd860865c44230f74463b19

SHA1
563680d525da1c10a5e399d0a0220092ff6d41ba

SHA256
aefdac0cbeace56a97c78476ab6b61b5365ef88d34c453311955087dcc908747

SHA512
56e0b41794ed8d69da2d66089519cfad83aef7438ee1566e45305b18d2017a1551a27b9d1c2cd7421aef45c28ab7e56fa5b225b98a6f3db59ad4fdd24c7db2f6

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
89KB

MD5
4eecade2308e8bde9ed828988c8773d7

SHA1
fbcf1ef6fc8255169462b9e6f4243bf253dfa7f2

SHA256
1306bb6e587ffc23430799cd2dde805af5a563e7403e9388cb1b5b3d70dcdd17

SHA512
6505e5e1a5fc17ee7cb41c05426b3b05a78d8355440cf90ff3f67bf33b07f5697c5f2015a268c0cbc75cd8fdfcd18e56ea2ce2cfa40ec366e027baaa22c8607c

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
89KB

MD5
fa0c523fa517a4e25d21d4754fd6c8bc

SHA1
55f990906840dc6b9f55fb95b2d2dae5d953185e

SHA256
234fe620ade9b307546aa1b9f7b3c9c599d5fb14189279d29b5b774df3c7eae9

SHA512
e89235e484641993432e9be37f7338f97270101c13e9029fce646bd73f60ba4e0669bae88d0f16bc02be5965de0b64e673c652e6c7068cbb7d2fe49921584804

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
89KB

MD5
3f4f89e031f00b5303034d867f830e8f

SHA1
d8ee2558af4383523729ce20bfa068ded2a6825b

SHA256
25408cdf6cddaa14dc12f49fb85a6ee1eaac0c3cb35d3548fd1ecefb0686044c

SHA512
7b20cdb239ac98a06be9bb39772e97885a7343cb62cb97fbffb78a4007229b19c05930319f72eada16dd17e5f07c2a13b881daddf043b0cc11982cf06ee87065

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
89KB

MD5
ef6ccf13a7e94d6df34c1f28f87fd582

SHA1
5788cc8a3a07ea5a219daad6393a6266d882aa1d

SHA256
ee9d6cea6fce1d059ab7c500c057ba075015446624034ea9da4ba0f87ab6d041

SHA512
c67f07caa9520dd8266e011d7206e076a44f8689bc67237c88030dae0f92dcca4ffd457664970e2cf6b746154ed9c9d7ed79a25b863a1fb009952ca2c44b38f5

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
89KB

MD5
8706ab034695e244a6e3d664600bd2ad

SHA1
bbe296ea011adf73ea73e196163a9f69090a400e

SHA256
a42a39ed7116b0283291f8206d84c390f9429b38726de2436a31f0810f27acc3

SHA512
f0ea1b8facff3dddbbe9fe8c8a78e52ed60820edd31afafab6ec57c247b11ed25ae43e6890ffccae7afbe727bbd2a7b6274373c02a6bd5b3543ea7b21ae168bc

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
89KB

MD5
403a061fef21fc45e1ac0b83ee97e196

SHA1
b13436b3315caad4409c0958e6bdd1f6d7a56341

SHA256
809412b3384cd0b88fe8131d0c848eb9f252dfd6c7fc93d34d9e3bca7ef1cc16

SHA512
5ec0f19521d5dbd8c4af6b5c1991358c43b2d0e17c34a1ed1e0e6bad99a5edb86181c78b9bf4fdd25585ab7ad28a52cefa92aabcbfea3c0d41bfa23705c820b8

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
89KB

MD5
68ea63392101d1463ca3bf3a751ab163

SHA1
37c42eb0b6d88618401ef0021d16e4869d0d251b

SHA256
f741607ca41f5eed765a9a0213ce439a6e881a234ec20a25460644569c6972dc

SHA512
db3e67e7a48dfd377ec56a9610cf4306c8665d2dc02782d6ee94db2d8050d209378a647599f12c1187c0e7fdf4c1e30c3b24a978b8422a6e5ebc20120ab281d9

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
89KB

MD5
b1f568486371a44f8a6215fe00267a3e

SHA1
146715d22a00e97395168204365124298bbc49de

SHA256
81747642e1e73fde24c5ab1cda21124f6c371a45e0913f46712d2df8f42e9429

SHA512
027e909166cad2690a7c89eb772aa76e0c63a71da7de9393e50f8cdd23d5abf9c6a4c46dd2c1316f2a4db2ef39883e4b1367d0190724b24ff024aa6d221d2433

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
89KB

MD5
cac4902fed1103c58ab53d3e618cd652

SHA1
e3328a891665b314f934f6c9c46d8c82a3e1e834

SHA256
e71adb58c366186c3f4e5cd01ff77e294c14cd45ce63d9aa6b4d9fd2d7184389

SHA512
e75881720ab351f0a932693dbd9a2fbdf5511b848aa4fd8ed25eb3bd22bd802449475e47d35ff9dd202642e59ae52799a0c168dabb5c7ff49701aba1bbc1f062

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
89KB

MD5
564d445d314e1b9a371a3549224f3ca9

SHA1
707bbf6a42921fd1efd69a84df271192127ee822

SHA256
51fc50d0023e873e5156aef3699c48d112cd7b549fd62ed9f59f927f53dfd475

SHA512
27d1f5cc76ae1f631516e7bd1e3f70879218fa99bd2eda26ea6a3834cd11a635d12b008dc1d620607a29c9e6a72998e513dfa73c4c2b7505704ceaa001e586aa

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
89KB

MD5
c50692909b3c30a0ec7d5f6b80394174

SHA1
252d5a12e32a98865ab51f0dbc9217bef9b55c1f

SHA256
bec977c575f927c2ad0f99526c9c469d4536e7e610c1a2853560f7ae258daa7d

SHA512
774bb27c4b7ea5921b9e66d88244cef3b1bcb6259eac0e7c3e821dd0dcf8de41e4028bc31b38c97e8973b830b73f205a7781f07856841962c038c56f4dcf2cce

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
89KB

MD5
94df4baa52b337bbb1c571d154dbfe77

SHA1
a4b3b2b801d63fd82ca278f165e0f3499f9138ed

SHA256
b516ca609b66c83241715184925ffad10368f9b931a7fa7287794e8b228d6327

SHA512
19feabe57228aa76c05135739ff5fb2a96c9e4cdc250eee43d304963e54831c8e63496a447aad9b0e79d06cebb1386a3e40a2f20bb702e74a6aca0e6ccb96184

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
89KB

MD5
0265dc5ab01c761b7834e24791a1421c

SHA1
4504d29b4963d2bdc706c74fc9d61a5c716c487d

SHA256
d730c7991393bbd1d6c08989764fec7151c76b1bcfa969930deb3c8980eb48a0

SHA512
a761b9405b45641c6793d317a42535d704fd5fe5b8d497b12db55977835b2bbc8b5fddc654bf2889f4f3dfe15467cae30577a8940f38dc4c9317a8027397de3e

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
89KB

MD5
cb520f17a21c61b0795fc7c3b7bc6b43

SHA1
91cd76e6b5472f4205384173c7b862790649cc5c

SHA256
e18c42c045321282d6c59931314d90cb3471434c2b33c9a9ec17cbb0b87ca0d6

SHA512
6b66d39a9f47cd5b19a3831a5dff880c30ce0461dc576634f34986cccb3b0a947a0acf787d9c43772d7611c44e326f6a6db0826934070e78bb39ebb3efb128a8

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
89KB

MD5
3b7c6dec52fc057b5c7d45e81603ee12

SHA1
37f7eda6e3d349e0651f85cf26b8746f20b0678d

SHA256
02fe594a64028d665a35499bf8c3ace76a009d2f96dd4107546b690b5f87bd09

SHA512
c88d5f19928aacd4e1296db6dd33304c9eb486b74f5212252a6b1127add5da053394615b8ca7e0cad25235b080923602e6261a1650f9b7b1b159314c75c8f71a

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
89KB

MD5
389ff04731904264e0b1ce5c07642380

SHA1
16208b9dccba2be4fb03fd6d2f93411d43be2ecf

SHA256
28f440c663247796473f2c01b11a19edcccdb5e344a1a5eebbe95c3b48f3c56f

SHA512
16c472bff789062da5b46610b516947c0092b7f06ff98bfb7396a5cafd17fdd9ef18b835f74c69d49810066e9506ff318bc10cbb48406513de4977632a7871b9

Download Submit
memory/412-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/428-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/712-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/776-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/944-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1196-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1364-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2480-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3092-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3152-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3616-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3880-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3892-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4216-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4372-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4952-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads