12cb95255a0a095836c3b59480f907eab7e850ddd41a3b00f41ed6dfcdc01718

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12cb95255a0a095836c3b59480f907eab7e850ddd41a3b00f41ed6dfcdc01718.exe
Size

224KB
MD5

129d61dc04e709e2f2a561e85746de80
SHA1

ce56376079d8c05e4f9851d012f2aafd9af7d7e5
SHA256

12cb95255a0a095836c3b59480f907eab7e850ddd41a3b00f41ed6dfcdc01718
SHA512

af66e64c19e1c6bfae0636045e4eb056bf73900c9efa63f7f39566189518f6b66d88a36fea67746da9315d8a0fd466487b269bd2a07d8831fcf172f47a4af5d2
SSDEEP

6144:SgeoByBG6LeFYp9Dn9L4rQD85k/hQO+zrWnAdqjeOpKff:SgupN+rQg5W/+zrWAI5KH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	12cb95255a0a095836c3b59480f907eab7e850ddd41a3b00f41ed6dfcdc01718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kebbafoj.exe

Executes dropped EXE 64 IoCs

pid	Process
1748	Jifhaenk.exe
4400	Jpppnp32.exe
2084	Jcllonma.exe
4528	Kfjhkjle.exe
4852	Kiidgeki.exe
2904	Kbaipkbi.exe
4344	Kfmepi32.exe
4972	Klimip32.exe
5068	Kbceejpf.exe
244	Kebbafoj.exe
3096	Klljnp32.exe
2060	Kfankifm.exe
4860	Kmkfhc32.exe
2736	Kpjcdn32.exe
4232	Kbhoqj32.exe
1988	Kefkme32.exe
456	Klqcioba.exe
3484	Kdgljmcd.exe
1820	Lbjlfi32.exe
4364	Leihbeib.exe
4452	Llcpoo32.exe
64	Lbmhlihl.exe
4376	Lekehdgp.exe
2072	Lmbmibhb.exe
3132	Llemdo32.exe
3884	Lboeaifi.exe
2600	Lfkaag32.exe
2756	Lenamdem.exe
2844	Liimncmf.exe
4564	Llgjjnlj.exe
4956	Lpcfkm32.exe
4864	Lgmngglp.exe
3796	Lmgfda32.exe
4900	Ldanqkki.exe
2740	Lbdolh32.exe
4672	Lingibiq.exe
3996	Lllcen32.exe
1568	Mdckfk32.exe
2128	Medgncoe.exe
4064	Mmlpoqpg.exe
4556	Mlopkm32.exe
216	Mgddhf32.exe
2916	Megdccmb.exe
1352	Mmnldp32.exe
1632	Mplhql32.exe
3736	Mckemg32.exe
1048	Meiaib32.exe
408	Miemjaci.exe
768	Mpoefk32.exe
4708	Mdjagjco.exe
3020	Mgimcebb.exe
4928	Migjoaaf.exe
116	Mlefklpj.exe
5032	Mpablkhc.exe
1924	Mdmnlj32.exe
4352	Menjdbgj.exe
3708	Miifeq32.exe
4164	Mlhbal32.exe
1700	Ndokbi32.exe
4436	Nepgjaeg.exe
4304	Nngokoej.exe
2268	Npfkgjdn.exe
3880	Ncdgcf32.exe
3960	Nebdoa32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Kbhoqj32.exe	Kpjcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Meiaib32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Okokppbk.dll	Kefkme32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Kfjhkjle.exe	Jcllonma.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Mpoefk32.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Anmcpemd.dll	Jifhaenk.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Kefkme32.exe	Kbhoqj32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcfkm32.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Efjecajf.dll	Kmkfhc32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kfmepi32.exe	Kbaipkbi.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Migjoaaf.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Jcllonma.exe	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mckemg32.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Eonefj32.dll	Megdccmb.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nggjdc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6908	6760	WerFault.exe	253

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdfloja.dll"	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	12cb95255a0a095836c3b59480f907eab7e850ddd41a3b00f41ed6dfcdc01718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1748	2332	12cb95255a0a095836c3b59480f907eab7e850ddd41a3b00f41ed6dfcdc01718.exe	87
PID 2332 wrote to memory of 1748	2332	12cb95255a0a095836c3b59480f907eab7e850ddd41a3b00f41ed6dfcdc01718.exe	87
PID 2332 wrote to memory of 1748	2332	12cb95255a0a095836c3b59480f907eab7e850ddd41a3b00f41ed6dfcdc01718.exe	87
PID 1748 wrote to memory of 4400	1748	Jifhaenk.exe	88
PID 1748 wrote to memory of 4400	1748	Jifhaenk.exe	88
PID 1748 wrote to memory of 4400	1748	Jifhaenk.exe	88
PID 4400 wrote to memory of 2084	4400	Jpppnp32.exe	89
PID 4400 wrote to memory of 2084	4400	Jpppnp32.exe	89
PID 4400 wrote to memory of 2084	4400	Jpppnp32.exe	89
PID 2084 wrote to memory of 4528	2084	Jcllonma.exe	90
PID 2084 wrote to memory of 4528	2084	Jcllonma.exe	90
PID 2084 wrote to memory of 4528	2084	Jcllonma.exe	90
PID 4528 wrote to memory of 4852	4528	Kfjhkjle.exe	91
PID 4528 wrote to memory of 4852	4528	Kfjhkjle.exe	91
PID 4528 wrote to memory of 4852	4528	Kfjhkjle.exe	91
PID 4852 wrote to memory of 2904	4852	Kiidgeki.exe	92
PID 4852 wrote to memory of 2904	4852	Kiidgeki.exe	92
PID 4852 wrote to memory of 2904	4852	Kiidgeki.exe	92
PID 2904 wrote to memory of 4344	2904	Kbaipkbi.exe	93
PID 2904 wrote to memory of 4344	2904	Kbaipkbi.exe	93
PID 2904 wrote to memory of 4344	2904	Kbaipkbi.exe	93
PID 4344 wrote to memory of 4972	4344	Kfmepi32.exe	94
PID 4344 wrote to memory of 4972	4344	Kfmepi32.exe	94
PID 4344 wrote to memory of 4972	4344	Kfmepi32.exe	94
PID 4972 wrote to memory of 5068	4972	Klimip32.exe	95
PID 4972 wrote to memory of 5068	4972	Klimip32.exe	95
PID 4972 wrote to memory of 5068	4972	Klimip32.exe	95
PID 5068 wrote to memory of 244	5068	Kbceejpf.exe	96
PID 5068 wrote to memory of 244	5068	Kbceejpf.exe	96
PID 5068 wrote to memory of 244	5068	Kbceejpf.exe	96
PID 244 wrote to memory of 3096	244	Kebbafoj.exe	97
PID 244 wrote to memory of 3096	244	Kebbafoj.exe	97
PID 244 wrote to memory of 3096	244	Kebbafoj.exe	97
PID 3096 wrote to memory of 2060	3096	Klljnp32.exe	98
PID 3096 wrote to memory of 2060	3096	Klljnp32.exe	98
PID 3096 wrote to memory of 2060	3096	Klljnp32.exe	98
PID 2060 wrote to memory of 4860	2060	Kfankifm.exe	99
PID 2060 wrote to memory of 4860	2060	Kfankifm.exe	99
PID 2060 wrote to memory of 4860	2060	Kfankifm.exe	99
PID 4860 wrote to memory of 2736	4860	Kmkfhc32.exe	100
PID 4860 wrote to memory of 2736	4860	Kmkfhc32.exe	100
PID 4860 wrote to memory of 2736	4860	Kmkfhc32.exe	100
PID 2736 wrote to memory of 4232	2736	Kpjcdn32.exe	101
PID 2736 wrote to memory of 4232	2736	Kpjcdn32.exe	101
PID 2736 wrote to memory of 4232	2736	Kpjcdn32.exe	101
PID 4232 wrote to memory of 1988	4232	Kbhoqj32.exe	102
PID 4232 wrote to memory of 1988	4232	Kbhoqj32.exe	102
PID 4232 wrote to memory of 1988	4232	Kbhoqj32.exe	102
PID 1988 wrote to memory of 456	1988	Kefkme32.exe	104
PID 1988 wrote to memory of 456	1988	Kefkme32.exe	104
PID 1988 wrote to memory of 456	1988	Kefkme32.exe	104
PID 456 wrote to memory of 3484	456	Klqcioba.exe	105
PID 456 wrote to memory of 3484	456	Klqcioba.exe	105
PID 456 wrote to memory of 3484	456	Klqcioba.exe	105
PID 3484 wrote to memory of 1820	3484	Kdgljmcd.exe	106
PID 3484 wrote to memory of 1820	3484	Kdgljmcd.exe	106
PID 3484 wrote to memory of 1820	3484	Kdgljmcd.exe	106
PID 1820 wrote to memory of 4364	1820	Lbjlfi32.exe	107
PID 1820 wrote to memory of 4364	1820	Lbjlfi32.exe	107
PID 1820 wrote to memory of 4364	1820	Lbjlfi32.exe	107
PID 4364 wrote to memory of 4452	4364	Leihbeib.exe	108
PID 4364 wrote to memory of 4452	4364	Leihbeib.exe	108
PID 4364 wrote to memory of 4452	4364	Leihbeib.exe	108
PID 4452 wrote to memory of 64	4452	Llcpoo32.exe	109

C:\Users\Admin\AppData\Local\Temp\12cb95255a0a095836c3b59480f907eab7e850ddd41a3b00f41ed6dfcdc01718.exe
"C:\Users\Admin\AppData\Local\Temp\12cb95255a0a095836c3b59480f907eab7e850ddd41a3b00f41ed6dfcdc01718.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\Jifhaenk.exe
  C:\Windows\system32\Jifhaenk.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\Jpppnp32.exe
    C:\Windows\system32\Jpppnp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\SysWOW64\Jcllonma.exe
      C:\Windows\system32\Jcllonma.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
      - C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:244
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        24⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        25⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        26⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        27⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        28⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        32⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        34⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        41⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        50⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        53⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        54⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        56⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        57⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        58⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        62⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        66⤵
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        67⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2392
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        69⤵
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        70⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        72⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        74⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        75⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        76⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        77⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        79⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        80⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        81⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        82⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        83⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        85⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        86⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        87⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        88⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        91⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        92⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        93⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        94⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        95⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        96⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        97⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        98⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        100⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        101⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        106⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        111⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        112⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        120⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        122⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        123⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        124⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        126⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        127⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        128⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        129⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        130⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6152
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        133⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        136⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        140⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6588
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        143⤵
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        144⤵
        Modifies registry class
        
        PID:6680
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        145⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        146⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        147⤵
        Drops file in System32 directory
        
        PID:6812
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        150⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7032
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        155⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        156⤵
        Drops file in System32 directory
        
        PID:6188
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        157⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        159⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        160⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        161⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        162⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        164⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 408
        165⤵
        Program crash
        
        PID:6908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6760 -ip 6760
1⤵
PID:6868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ambgef32.exe

Filesize
224KB

MD5
4be8c13264bdaf3f1bde05bc25682c8c

SHA1
d5772e2a2cdf46b637c6529943d3faaa9aacf4ae

SHA256
1a1fa6308e2e1ab3112d1d75e3de31a660a424dbfeeb4e2fdb43cdad427e3f86

SHA512
2db91f9ed9f02297020614437320a193ab427fd89fc98c7cd2174aebff9bbe80b961921391f58eb8ce2db51bfeaecaa6f9db5db58149b5c39b956a4a0b7d7b0a

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
224KB

MD5
17d70174d67f0d5d626271c780e93582

SHA1
3273ed1e5f6b5a30ad0747e49a51285f5f350b62

SHA256
199d60ee2c6ecd2b6a0ffa54d7a418dc9198bc6112d0fee725b46e7412457206

SHA512
8f65d2a35bfcf7cf65ff2ebd426ad322300c065417de253b02aea776a8a910da1d119064490d6860b78047b501815b6c7fe7b129b5a635fc4791dec443d0f0a1

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
224KB

MD5
9387c2406736ccd47fc006a9ec75ce97

SHA1
df05c7fb7f282aaa5ae8fb116668910da8f1afad

SHA256
a084cbab77a479fd9f134d4667cfb3a93ed7200bf193f704f81c762d5568e116

SHA512
2fd8f19302dd8689dcf65d3df5d8111985acae36a1b8847d0dc0210bfb824388c091c7c548f85114275572d12bbce1b66d446893bc3e06fad13f8e4df0c0dec0

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
224KB

MD5
8146f7d10ea2b622b598488f70713e28

SHA1
706754336db667dd6969c8bd29709abd2253fe6c

SHA256
9a81d286974a7e846da968b0448db1e21e700302286e98ec63cde4d88996372b

SHA512
1a4eb6038237b9a780da270319d2e641a1c3fca66424823c47e15d12b3b7fc94545526f4e40c1f4759ae204610c0609ac8ca6249aac9f6cfa867e075fce0e2cf

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
224KB

MD5
f6684aedbd1f1c129275a5995ea95adc

SHA1
a8fa7f099d0c7f69f95cff99e0c4fdc414b066ca

SHA256
18b287cefcfc6b853a207f0a1757356864566b1792674cfbb767046fbb42147a

SHA512
407a2a6d81d45069a0d7a5e7a26fb495e15e1f89bd3f09bbc90aaccb25185a0f684e0b78f395a3c4f9e508bcb0cefe2fb20428a7327c066ebd7877339a3c4586

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
224KB

MD5
3d051b5cb0cc47b61fe0713f20b32cf3

SHA1
0be2756feb8bb7eeada6f9f25d547588c714760b

SHA256
178006b55fa182dc4f2fc27914c800dacb3280dcb3701d07d243231512328fd5

SHA512
46f8290d41c798f9a8e944c14832f44599606bf43da5fb8bed4025e79385d1fd5162f33bd8bd70a25c2dfdb7545b6751f5a4d9bc37260f1c5019e346efa9653e

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
224KB

MD5
ef09db5444ae01064c5f7a181736cf76

SHA1
295c6f1d189907e1a301348c10ee9ca45f915179

SHA256
81c9380ab5acae9788f2bb4bc2e0202d9b01440b597440ac696788faf0bf4dac

SHA512
3db7f578117245bafcd51a3e2274aa6ea84ed29874ac59c7d869982699a70b11ef245015eec908892e1d288622ed4e00d366b6c33eaa1e0f4bb992de568bbfcb

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
224KB

MD5
58bc7723d05f077dd8632825dc7005af

SHA1
bbcd1bd0793bc544db45e7cc50cd04c512e58e74

SHA256
ed7a8a537bff47e9639c19b41c2f9ec88a9e46ece9a9cb2c87c3ea9ddcc4b53f

SHA512
71f05da062d657a72545b6707b9b5347ded2f73a0b6885b3ee1c7a2392ed6c39c6d0782a8634c75ae029f0d449a508e52545c45b8bc8235caf69f8492cdd4db9

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
224KB

MD5
075ee4bfb20a3e2f58546ced6b805b11

SHA1
23381c2673f50bfaa31aaaea96a5f85a87dbdc66

SHA256
df51323742e48a095cb735eeeb43eb716ee96e6a6ecd0628f92e8db86b5cddd7

SHA512
76d65779ef62e66a9f2245f2a0b8d86e47728ef9c255c7b404a34c64bddaead846f8aba93c3ccc2f48bd3d7c476177531d3b2e607ed45de14b946a3373b76d25

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
224KB

MD5
e0cb1d2ba2427824c475c2ac0a2f76e7

SHA1
cfbc3a9a852213fdb9e3acacaebd00ba2f06e116

SHA256
b33411a496a4d0c83b735ca9f67bd5116d3a262aad3bb2b60cbd9d9c2a452569

SHA512
34ef64f4f2f5e47551c7c8853b252dcfd53b15b9fe86751fcc6fbd2bd7d4b272af42d656b7830504c642d4b62064e43b3aad281d05b8ae32897143a50f9e1d10

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
224KB

MD5
b031c1e37247c820dfa7e161f6de6080

SHA1
9d3eafa345991646e60a692e630f3f1464da5278

SHA256
39acf5a3ccd1e6f43ea58c4bfc79c5d657d3c8fd0667f66593d93920258f4ac0

SHA512
77b409d2f94b5a1335e2e935dea71ba37e9e4ada50233399a4ecba169f563be17309e14e10c618e69d1ba0c155a504da0afb71773e0192952df08293967a69d8

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
224KB

MD5
0d33df77123b1e30f3f037df1c03bae2

SHA1
9eef6f9ac879192b87f2edb69dd9adbecb977a19

SHA256
90e5a31ad7d70e67e1b2ad8bded294b09e67c5f7f3c25934e4c6d47aeca91f06

SHA512
f61c9438be740992122e1a75f3e2d3951ee24ee616f38aead8a6d4d6be14083f504983fb0259c7faf901193ce371691169a287f6c8c3a1ceb5e7c0f27ddba388

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
224KB

MD5
f277b22d4f122e16e44204b7ce99db02

SHA1
f6b618034237ba5fe15a6503a2d642137b09a583

SHA256
e2b04c64b7773b872c30bcc5e17b0a6b1fcd23f1e1c9ecabedc7bc5cd5cff603

SHA512
23d354528a8e8ea269a1de76ca0afa50973789c2af486db0960a23900fcb7866d6c86760baafc76c2a5a5c1a86149342b11c2272fd288e2e99dbe02235817870

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
224KB

MD5
d87be5336435854c29ab9b7a56939fb5

SHA1
437b465dac2616b1422f2b7b8dbaa3f0630afe96

SHA256
f68226181ab94c4caa0786ae96e536621617f1c213b99b76db670eafd06f3bba

SHA512
83958f56f54a8bf999db23bac4ae683680708aa63a00b611599fdc991bd0b03f8079190d1d642ed9e1c84e4b727da439c9af9bb70f8d6677851376f286d96a7a

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
224KB

MD5
b7d7177ca9048a4799c4ac9f33b2899e

SHA1
741a3acc34d7333e71b83696869602643d0980da

SHA256
3c5b4d5550d59a87da5e888d976677bde92fa0052115e1f0cf500f35fcf5f1b0

SHA512
dc3fa401c9d8ae68263accde2c95b273665a04f0d029ee672a1935214d663b210056f55c8cf59321b78794c8dbf737724b656761530f621b5d0a7a4a6d45ea4b

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
224KB

MD5
a9849b2ea5a7dd9bf18f1835152f7095

SHA1
2b3aff82e78d02f9a1976b196a270e10d9696061

SHA256
176a73af591ce0f5890bda2a87b354b5ca066b497d539f08378f24dc086eaf48

SHA512
1f1841802e3c30000ea623eabd18c1a3bc4dcaba3f9be5553a809d37a0417ab8bad46215d28a756d72af72e1f92d350f7f09b8db09f1ad86a6b8c08fafb95227

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
224KB

MD5
cac62c6f9ebb3b901609c59379c1d4ed

SHA1
0cefeee59be28f48643fc0ee803c53bdd12452be

SHA256
d3138ea0d80813439f253522c90129558447a87386146abd5b939f27378426b5

SHA512
af90f2cf9ee91e1a6a27fb5c547f92493ab3edd692b60de24a012af624713328864c82e0d9d270bd3d7380a38ef0fef965f1c1f6e207964451fc8f292ace1d59

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
224KB

MD5
accfc48ed0d8bc14f5ad8bfd353bf489

SHA1
61f23a08ac7deb92f8a9673208946954d985064f

SHA256
155e79e56222cb3f02fcb359cf699302a4ac1e1b2c71bda0a58138e61b700382

SHA512
9e0f4fe09cbb9a84390923695793c5635391a343eb85a3a949e49bc18bb9763fa2a1eeb1ad50c224ccf89bc41f66d8b784b8b6a56c598b1470ac2c07e0a04188

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
224KB

MD5
d0ded22de9c5e7523b063b4e9fd64f73

SHA1
78b26996d481220be357e7e7c09eded7eaf41cba

SHA256
6c83117bb2013006ac74e91b532c1eb3049f9a0bcec5d70502d963cd6f1e8474

SHA512
2c865cfbbbb1538532d8c9d4e0d8cd805df989a557f95e4323addf5feaece288c22ca87acb4c068f849ff7cc557a63bd00a37984d8a9dfc05d50705b6c8afc51

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
224KB

MD5
bbc615a8c9264db060c0074dfdb825c5

SHA1
3670c3188081c5b6f6205aaaafffcb75e86df3e3

SHA256
2bbef810b37a9d752efbf7a7f6e27e6e44b84edb7fc7aeab66030e6333c2eb55

SHA512
180ef7348a7f9da37d8095ba64b5f068dc34a655b7c0c6d39e2ca772268f55cc6125f24f511e3027bf53eccedb8b00d2f3aca034e200db2ab227ad3c10462c85

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
224KB

MD5
bfce24db3a2cb1daff15c9c9529477fe

SHA1
aade204cf2c0a13de65fa092819537d81683183e

SHA256
7cd18b8be0278e7a4b6244763ca9c07ebc06702542ad886b68a030a8033c9652

SHA512
65adf5b0fa127b783de6817695eea158a71772d4578c3018209a069f5c201965a54d351fd7369128099fb0b826c610fa15985e2518f8d2949229bee67541d3ba

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
224KB

MD5
a6db3e2e5bbf6f9cdecd6663382515f7

SHA1
7eea3e5a7e3809462ea4d075dab8384e0de69c57

SHA256
e45801ba8869cf7300a0ee0872d3105a9612a02a1244330d611e8e7a031ffb81

SHA512
07891bb459a82c48d8dc7fbbd5b995f8b246ec6c2dc6ac51cbcbdc1f91210c919578e360c3c43093326e2e4f8ff6c1f571850b9c42c1e9ec6c0ee232e6ebb6a9

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
224KB

MD5
0e51e806c2dc1280615d202de062074e

SHA1
240616b7d33ea06079dd70c4faf5988ff337e9c7

SHA256
8018b9658b6bd5dda9273cac8b7789a13c0b54a810826c824f751667a08258e6

SHA512
5cc048ddbb38dd5e384912b24f4889f8923285b92cf9adb855a5a2cbc281f352f21180c0204f4f4142e0a9e511a7596dac43f08afed340615441c3a45a552dff

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
224KB

MD5
a3ff7545e5d04116e516c0e44fc2bffa

SHA1
2e5719c468271eeb2078d76cff2ff840ab42442b

SHA256
0b3e55887a13686a40fe19cc6505707b70c0f7b1c5d4e4441f1d0055eccaf146

SHA512
3b70fd39dfad0b0db01c1c1b204bc0a6c73c1d89885cfe4f38aebbdc069b5ed76ef63c529050bb6cbf2ec4ad2715a4c7c88b86004359771c92f1cbfc4664704f

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
224KB

MD5
cc6d0b67b1f1741e46165208a46a99b4

SHA1
8995ff28db501a60b425cf80cc78a40c5f0deee2

SHA256
c90b2b7d3f9cfadb0e97f9557993572467fb5b063b60512001bcdf0aaac333ed

SHA512
14e9384df28c0027d395f39e4cbd1b58524486af7d4a220791b4f0185987faf40b15409dfa218eefb1116e40dc4553973d1f80f6308a7310c609ba3e16451e39

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
224KB

MD5
f1cdf36b0559fd81c49caa2f188850df

SHA1
8830f860a7de407628ae1ad629960d5f80eb36db

SHA256
80b8e1f1467c9142adbe483d9fddcbfe4d35e6d0d0bd8b847d03f2527c880cf0

SHA512
7f7a9348e535bb60e6797aa0d7d60758760d17d489b217811053802b78c3ee67e9da04bcfe9dda4e5935a55a995468badfb2092ad8862889adeddf0ac827daab

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
224KB

MD5
6eba3caeca29d70257155aa402c20f42

SHA1
4a926c0dd8bd31f86b2a55c4cc97472cf8e6bcef

SHA256
a62f28bd93d7af7374d052941653eca97c32f064f9c32d4699ca98e8a6ff9518

SHA512
8d79781c941e8673be35123016c7984995eb6ab226a500c9b40df34ea2b1bb57debc07b37f2aa03a39ba92a8434876143dcfd64968bbc3f25dd24603695e7acb

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
224KB

MD5
657c88989eda394f8e64cddaa5745d9e

SHA1
80560ee3bb89b08e7c1eae7131d8f9d905e98df2

SHA256
68d79b97af0ff0dec45057742fe215cda11c8dd9ad6812ad78bce09aad63e4d8

SHA512
777e0d9e858f0abe64acb710557a033c4f90b3ceddcf10ef95987c626cb859fb4ca8b2b93a43772d347df50e4ac6de7adf39c8f19a5415bd2349f4c726a66c02

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
224KB

MD5
7256f0b724d6a9166098fd4d45188d5d

SHA1
5a6278b6f794c9fe64b1766963a760a9fbbfa0f6

SHA256
cf710333ba3750409766a4a17015d2dafb8b3ea315f2c21970dee56e985bb300

SHA512
1db408f85361ee1f61c1b2bdcf0b6df5428094262557f9b3605695554ba0dbb084f6214e53efebefb0208ab361d09bf68498b1a7f78b78cbc35a012a1a7423b5

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
224KB

MD5
72c7cc6c40526fb003d048601ad4898a

SHA1
3200302a55453df6ad1dbe0985c46e162c2ea211

SHA256
d3ffcd5139c5b44e38240db9a1bc7fba84390246a2f99fdf0ff09c4a436dff84

SHA512
debb2706527889b42af944f9f8e8abc60a73528dfe89e4199eee726e981d3104ecd2e13ca66c9b554117866b462e4d85c2723bb9d209866a7daec028bc1d12b5

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
224KB

MD5
dd983501600c69510750696c10ca382e

SHA1
87b86ff2262a9dba11cb98f336803776de6d63be

SHA256
6ae1da22db0880c8c57927ee3d95bcf132ea0e4a7fcf9d2ac89e95c394f974f9

SHA512
a5a30ca53e5a3ad3b7e5b8d56cb859e07b9c038936dee92a561e3d6bcd1d9e98d4b9eaf3e7532f4dc8182033963cee6dc81b69965997ff775b94527f8b35845d

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
224KB

MD5
1574f48b0cd2df0fab83f23468c730c7

SHA1
f4404e0379ddb57b371abf2ed2420ffe771104b4

SHA256
7f9f359b23fd03eb91d588e91cae62770026996fc88b2217fdf19dc5005c47c4

SHA512
e9d7ca0d879309d6f28f4023fe16fc25b50aee994bf1bb35058682f8b02027f7f5fb3ccc0b51149f21d2ca842a5e760d6962084dff5c501ed37f94fa70a2cb65

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
224KB

MD5
790f56385fb633ba02c7926ff2ed63da

SHA1
7e893d094865351c38068b7ed5df8a069cb3c607

SHA256
44829e224f18b32b4e1bc23a323228087ed45fc20a455ae7291d927c9054930c

SHA512
b4040a9db137205fea50374a7b5cd23cce88ac871a8c75b358ab6ea4d0d93fe33c97d2a68795e06980bdd052947c94583721f608dd797c922e72418c3b191c90

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
224KB

MD5
2b9caf28b194d74641688848c495caf1

SHA1
0086b1e9cf2be8ab79833e27d18f86be6ceeeea5

SHA256
1c26866e7cedbb8761443984e5a29eef280ae7a82376881c7c7f92d16e5cea67

SHA512
758e71edd5d3525a12d488d7eab8f8b4a1c732fcad8294d878e3b436cc6dcf5d94d1d7199eb9565b6a55f1910c4d86ab433f39028468e73857e3b0cdf597e3d9

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
224KB

MD5
a64e7a7a0c701cb17ae2d74e28d9a5de

SHA1
cd20a46e9804d371b3fe7c3fc1964b017f0e8e26

SHA256
a299593c55de784324833e2c0a37d547a792ae6c4b1f84138c4c51a4aeca6a87

SHA512
d00f862b331d5c8e5da139643664d277c9db8f2617be9daeed0a21bdb9a9665c0497ae45956f15a34f9edac350769b89c3b0e4a188117c0abe21671e053b8300

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
224KB

MD5
f6b25379902cd567fef6a2244bd46fed

SHA1
ce3288950ab5ebac41191f44177a17210bea53fc

SHA256
a33eeb687959edf25b31a765a3ea01b33c369afd781fd53fe3e45e294346cce2

SHA512
65d5267973e04e4415d154b44016b7022fc218e603f8177ce6c10a207568b566bd43f6c42b90905e72b277c5b1f3f3975e547fd847ab683a73c5da0c780cbf0e

Download Submit
C:\Windows\SysWOW64\Ocdfloja.dll

Filesize
7KB

MD5
b66f9627936cf285d7d13070cc999f71

SHA1
c66766b248993ad5bc1a46d0f52646301285911b

SHA256
8d3174e8439d3046ecbf680fdefc80f612f36305ff416022e3b629e5a7191258

SHA512
32145e1d84d5d26a4eb55108e795a4ecb69712404d2aea0473b660c461a624b984bbb84aefed2ad5e1278d252ffc232c0d0533cb74005df53e17ad2f88474222

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
224KB

MD5
d01961fe2d1fe0417ee990fda066e386

SHA1
be83d20382ebe7edb7df36b64b2fa2d568276e90

SHA256
11a1c57c96342e2af31fdcbc08e2dc67d68ea253f923156b7058e7b06ce4119c

SHA512
5d713e0dd143fda63ceecdfbcf1f76fb5ab6da457f90b7af1d1dc425f8f516fc621296ccc02adad4521db455ed95c2e51893e50586925277d15cca4d0d8304a8

Download Submit
memory/64-191-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/216-338-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/244-85-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/456-148-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1352-349-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1568-311-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1632-354-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1748-88-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1748-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1820-166-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1988-292-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1988-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2060-104-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2072-246-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2084-103-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2084-26-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2128-318-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2332-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2332-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2600-255-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2736-122-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2740-293-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2756-261-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2844-262-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2904-47-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2904-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2916-339-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3096-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3096-186-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3132-253-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3484-164-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3736-358-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3796-284-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3884-266-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3996-300-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4064-320-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4232-126-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4232-283-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4344-56-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4344-143-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4364-306-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4364-170-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4376-326-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4376-195-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4400-98-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4400-16-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4452-178-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4452-317-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4528-32-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4528-119-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4556-332-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4564-263-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4672-298-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4852-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4852-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4860-108-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4860-210-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4864-277-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4900-286-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4956-270-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4972-63-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4972-161-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5068-168-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5068-72-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads