b94a976148836aa77f9583923bd1d6983128edbd82a5cbb53b5e17638eb6593b

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b94a976148836aa77f9583923bd1d6983128edbd82a5cbb53b5e17638eb6593b.exe
Size

305KB
MD5

714d711f9c4a1469db7b70fd0a839527
SHA1

32a1b725835d1b33d8580f439d70dacad23e31f0
SHA256

b94a976148836aa77f9583923bd1d6983128edbd82a5cbb53b5e17638eb6593b
SHA512

ac6a6e03f87224492fc5d63065345614e9c6a45285359ce884e895bec5341a1a2eb6eac13aee6a6d6dbba0badfe57d63eef6a994baa43fa9b63df20768c49c7c
SSDEEP

6144:MKZoeDi0796tgWolc85dZMGXF5ahdt3b0668:12eDiezdLXFWtQ668

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caimgncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Capchmmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlgdkeje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b94a976148836aa77f9583923bd1d6983128edbd82a5cbb53b5e17638eb6593b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcopbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camfbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlgdkeje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe

Executes dropped EXE 64 IoCs

pid	Process
644	Caimgncj.exe
4528	Cipehkcl.exe
2376	Clnadfbp.exe
1392	Clqnjf32.exe
2172	Camfbm32.exe
2308	Cpofpdgd.exe
3956	Capchmmb.exe
4832	Dpacfd32.exe
4312	Dcopbp32.exe
772	Dlgdkeje.exe
2548	Dadlclim.exe
3384	Dpemacql.exe
4780	Dcdimopp.exe
2512	Debeijoc.exe
1692	Dphifcoi.exe
2084	Dcfebonm.exe
2232	Dakbckbe.exe
5100	Epmcab32.exe
1700	Efikji32.exe
384	Epopgbia.exe
3556	Ebploj32.exe
4716	Eleplc32.exe
4376	Efneehef.exe
548	Ehlaaddj.exe
1164	Eqciba32.exe
3108	Ehonfc32.exe
3968	Ecdbdl32.exe
4664	Fhajlc32.exe
5068	Fqhbmqqg.exe
1436	Ffekegon.exe
1896	Fomonm32.exe
1308	Fcikolnh.exe
3184	Fopldmcl.exe
4108	Fbnhphbp.exe
4876	Fjepaecb.exe
4788	Fihqmb32.exe
2988	Fqohnp32.exe
656	Fcnejk32.exe
4988	Fflaff32.exe
1116	Fijmbb32.exe
4772	Gcpapkgp.exe
2136	Gjjjle32.exe
696	Gqdbiofi.exe
3428	Gcbnejem.exe
4564	Gjlfbd32.exe
4088	Gmkbnp32.exe
4628	Goiojk32.exe
3504	Gbgkfg32.exe
3136	Gjocgdkg.exe
864	Giacca32.exe
1148	Gpklpkio.exe
552	Gjapmdid.exe
2360	Gmoliohh.exe
2196	Gcidfi32.exe
1572	Gppekj32.exe
3652	Hihicplj.exe
4584	Hpbaqj32.exe
5032	Hjhfnccl.exe
4568	Hfofbd32.exe
2916	Hjjbcbqj.exe
4348	Hpgkkioa.exe
3832	Hjmoibog.exe
3232	Hfcpncdk.exe
2200	Ipldfi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dlgdkeje.exe	Dcopbp32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Cichoi32.dll	Efikji32.exe
File created	C:\Windows\SysWOW64\Caimgncj.exe	b94a976148836aa77f9583923bd1d6983128edbd82a5cbb53b5e17638eb6593b.exe
File created	C:\Windows\SysWOW64\Jilbbcha.dll	Cipehkcl.exe
File created	C:\Windows\SysWOW64\Llebfo32.dll	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Qjebnamp.dll	Ebploj32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Camfbm32.exe	Clqnjf32.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Cpofpdgd.exe	Camfbm32.exe
File created	C:\Windows\SysWOW64\Jfifijhb.dll	Cpofpdgd.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Fhajlc32.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Fcikolnh.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Cipehkcl.exe	Caimgncj.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Agbpag32.dll	Fomonm32.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Eenphlji.dll	Caimgncj.exe
File created	C:\Windows\SysWOW64\Eleplc32.exe	Ebploj32.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5740	5520	WerFault.exe	221

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omccgkde.dll"	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caimgncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlnpc32.dll"	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkkkd32.dll"	Dpacfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnpim32.dll"	Clqnjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clqnjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlgdkeje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cipehkcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Debeijoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clnadfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkakml32.dll"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlqig32.dll"	Dlgdkeje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eenphlji.dll"	Caimgncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjlfbd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 644	4244	b94a976148836aa77f9583923bd1d6983128edbd82a5cbb53b5e17638eb6593b.exe	83
PID 4244 wrote to memory of 644	4244	b94a976148836aa77f9583923bd1d6983128edbd82a5cbb53b5e17638eb6593b.exe	83
PID 4244 wrote to memory of 644	4244	b94a976148836aa77f9583923bd1d6983128edbd82a5cbb53b5e17638eb6593b.exe	83
PID 644 wrote to memory of 4528	644	Caimgncj.exe	84
PID 644 wrote to memory of 4528	644	Caimgncj.exe	84
PID 644 wrote to memory of 4528	644	Caimgncj.exe	84
PID 4528 wrote to memory of 2376	4528	Cipehkcl.exe	85
PID 4528 wrote to memory of 2376	4528	Cipehkcl.exe	85
PID 4528 wrote to memory of 2376	4528	Cipehkcl.exe	85
PID 2376 wrote to memory of 1392	2376	Clnadfbp.exe	86
PID 2376 wrote to memory of 1392	2376	Clnadfbp.exe	86
PID 2376 wrote to memory of 1392	2376	Clnadfbp.exe	86
PID 1392 wrote to memory of 2172	1392	Clqnjf32.exe	87
PID 1392 wrote to memory of 2172	1392	Clqnjf32.exe	87
PID 1392 wrote to memory of 2172	1392	Clqnjf32.exe	87
PID 2172 wrote to memory of 2308	2172	Camfbm32.exe	88
PID 2172 wrote to memory of 2308	2172	Camfbm32.exe	88
PID 2172 wrote to memory of 2308	2172	Camfbm32.exe	88
PID 2308 wrote to memory of 3956	2308	Cpofpdgd.exe	89
PID 2308 wrote to memory of 3956	2308	Cpofpdgd.exe	89
PID 2308 wrote to memory of 3956	2308	Cpofpdgd.exe	89
PID 3956 wrote to memory of 4832	3956	Capchmmb.exe	90
PID 3956 wrote to memory of 4832	3956	Capchmmb.exe	90
PID 3956 wrote to memory of 4832	3956	Capchmmb.exe	90
PID 4832 wrote to memory of 4312	4832	Dpacfd32.exe	91
PID 4832 wrote to memory of 4312	4832	Dpacfd32.exe	91
PID 4832 wrote to memory of 4312	4832	Dpacfd32.exe	91
PID 4312 wrote to memory of 772	4312	Dcopbp32.exe	93
PID 4312 wrote to memory of 772	4312	Dcopbp32.exe	93
PID 4312 wrote to memory of 772	4312	Dcopbp32.exe	93
PID 772 wrote to memory of 2548	772	Dlgdkeje.exe	94
PID 772 wrote to memory of 2548	772	Dlgdkeje.exe	94
PID 772 wrote to memory of 2548	772	Dlgdkeje.exe	94
PID 2548 wrote to memory of 3384	2548	Dadlclim.exe	95
PID 2548 wrote to memory of 3384	2548	Dadlclim.exe	95
PID 2548 wrote to memory of 3384	2548	Dadlclim.exe	95
PID 3384 wrote to memory of 4780	3384	Dpemacql.exe	97
PID 3384 wrote to memory of 4780	3384	Dpemacql.exe	97
PID 3384 wrote to memory of 4780	3384	Dpemacql.exe	97
PID 4780 wrote to memory of 2512	4780	Dcdimopp.exe	98
PID 4780 wrote to memory of 2512	4780	Dcdimopp.exe	98
PID 4780 wrote to memory of 2512	4780	Dcdimopp.exe	98
PID 2512 wrote to memory of 1692	2512	Debeijoc.exe	99
PID 2512 wrote to memory of 1692	2512	Debeijoc.exe	99
PID 2512 wrote to memory of 1692	2512	Debeijoc.exe	99
PID 1692 wrote to memory of 2084	1692	Dphifcoi.exe	100
PID 1692 wrote to memory of 2084	1692	Dphifcoi.exe	100
PID 1692 wrote to memory of 2084	1692	Dphifcoi.exe	100
PID 2084 wrote to memory of 2232	2084	Dcfebonm.exe	101
PID 2084 wrote to memory of 2232	2084	Dcfebonm.exe	101
PID 2084 wrote to memory of 2232	2084	Dcfebonm.exe	101
PID 2232 wrote to memory of 5100	2232	Dakbckbe.exe	103
PID 2232 wrote to memory of 5100	2232	Dakbckbe.exe	103
PID 2232 wrote to memory of 5100	2232	Dakbckbe.exe	103
PID 5100 wrote to memory of 1700	5100	Epmcab32.exe	104
PID 5100 wrote to memory of 1700	5100	Epmcab32.exe	104
PID 5100 wrote to memory of 1700	5100	Epmcab32.exe	104
PID 1700 wrote to memory of 384	1700	Efikji32.exe	105
PID 1700 wrote to memory of 384	1700	Efikji32.exe	105
PID 1700 wrote to memory of 384	1700	Efikji32.exe	105
PID 384 wrote to memory of 3556	384	Epopgbia.exe	106
PID 384 wrote to memory of 3556	384	Epopgbia.exe	106
PID 384 wrote to memory of 3556	384	Epopgbia.exe	106
PID 3556 wrote to memory of 4716	3556	Ebploj32.exe	107

C:\Users\Admin\AppData\Local\Temp\b94a976148836aa77f9583923bd1d6983128edbd82a5cbb53b5e17638eb6593b.exe
"C:\Users\Admin\AppData\Local\Temp\b94a976148836aa77f9583923bd1d6983128edbd82a5cbb53b5e17638eb6593b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\Caimgncj.exe
  C:\Windows\system32\Caimgncj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\SysWOW64\Cipehkcl.exe
    C:\Windows\system32\Cipehkcl.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\Clnadfbp.exe
      C:\Windows\system32\Clnadfbp.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
      - C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        23⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        24⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        25⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        27⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        37⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        40⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        41⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        42⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        48⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        51⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        55⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        58⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        62⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        65⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        67⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        69⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        70⤵
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        72⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        73⤵
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        75⤵
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        77⤵
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        78⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        79⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        80⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3440
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4060
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        90⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        91⤵
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        92⤵
        Drops file in System32 directory
        
        PID:3868
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        93⤵
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        96⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        100⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        101⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        102⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        103⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        108⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        110⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        111⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        114⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        124⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        126⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        129⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        130⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        131⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        136⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 416
        137⤵
        Program crash
        
        PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5520 -ip 5520
1⤵
PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caimgncj.exe

Filesize
305KB

MD5
76f18dd8cc5c482480bdf812f470ee7e

SHA1
e66679f6d0d680348be593828b129ab8a7e05afc

SHA256
6f37bd03e60fceb6bc795e9fe7a6bf4f98ceb1a0d6bae30cc3d57a19bf044995

SHA512
1c7046166905783f958619abc1083c2a76906fcb2eb38e2f3af77b135d25eb43ea55113a20450e802e0af30c01d85bc7d957f8db857df40467e2f723aa748200

Download Submit
C:\Windows\SysWOW64\Camfbm32.exe

Filesize
305KB

MD5
0c55477843a1ad01672350a84e5281ef

SHA1
1e5175bb032a887f8f90951355c7c8e51c4ade1a

SHA256
d367099975a85aef0ebfeb7d2b81d507e6392c2eb1219a1efd4cdd8ce9951967

SHA512
44711a6ed786e371689855549b802ca4f9a6ebe5293436d3cd91a5d80170a1e062fd5a8326dea554b9c2ab46ab5ff09ceffec4ab99f3a98261ceb86fbb2008fb

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
305KB

MD5
c7c9d63cef5df00b628f007d9795d034

SHA1
df2981ed629c5f9dd257c5a9403b9ce6b24f5471

SHA256
1b70a32641b2e105cdf07f55f1832d018d15603c8b711cdfabf34e4ef2bf005f

SHA512
277ccf3315bbc3c8d9fbf67cb889f9d57c3df07df939271f651d41fa9dd3dac4bc67f8919caa763cffe789ca75aec6e4d5500d128cc4e67f677b8d864c491759

Download Submit
C:\Windows\SysWOW64\Cipehkcl.exe

Filesize
305KB

MD5
1d51b0783f88a95093318bddb74e2378

SHA1
02520fd15e4cce2df9539c179e382c85fd5d5757

SHA256
4ff6265e899409a45bfa16f291b3c5c87219b5e864199a4d47b80447836dfd0e

SHA512
766c539b7bf63fcb5642477410bce1d2d6b169dae274582d014b058434f653d1356a6ac8a215a4fde484aa88ccdbec22e98231250be6c5bacca22ee1c33c1afa

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
305KB

MD5
c9a384899c01d8867a35acb7d7bebf9d

SHA1
d45ad914fe6fd07221a8a9430789c58880e23d5c

SHA256
d4161a66d56434964f934f57bc1694dc056935114531b1e9b0a28cae1d5e5db2

SHA512
31e331c63a574027a949da65da91771acad854320634fe92882dc08439a38151409003d2148e09c063e47c4e67e6b09be66105c134e3a9a0cbe8f604e366d484

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
305KB

MD5
4a76f9133aa496e1a9569914615750d7

SHA1
e2fd9ec347c8d5721f5f5b86ee6616dc1eb4afee

SHA256
e1670c3b27c24e9369ed2222a96a752fd5f9f1795b4dd9af7036c2ad2623a585

SHA512
5b46255012a01b75fbb58005699e2a49049bc4b7c7626bba60bbbbde210039b5987cb066767705d025133cd90e1c37a0b034e01bc6a12edf691c400420120b72

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
305KB

MD5
9fac2154270dda080129ffeee1271481

SHA1
1aa511368e63ca9b5104ffe8745cbba471c1e94a

SHA256
406ea89b7d36e8f244d7763b40e78ac9fbfecce061011c3d1478ce6d45fba03b

SHA512
131c5ad0d380b092a2d200f48f120810fb4ddcb3c1ccd40eb030ce6c6fcbbfc23141af249b9069abafa7b2cd1412a3a9cec2de5588b226c6b00fb09dcc22c09c

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
305KB

MD5
1a8ae03200b4b8e0766186b27c7451bd

SHA1
38626a3859f725dd32a873323fd6ecec6ec1f5e6

SHA256
10c7d9d4370f1fd39b6f27a9e0cab69bdb1c0b663a13fa6ed243fdba3f9019e5

SHA512
c8344b097f3fc19f9a67cadff93790b007d71b1f0aa26fd0e1869790c7b4288d4fb423a3ae7cb804864a89c77a571f526be7e7291411e808237dc2e19372a82a

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
305KB

MD5
479807d22f3af224bc91af0a7caf65b4

SHA1
6e7ee208f719d3db10d2769a9667d2942210931b

SHA256
82fab36a4c3a63a34042a98d5280b411c299727cdf20fd1b0eabcc4fa7a9b8eb

SHA512
3fe3fed9d12d752342b1fd7fa1e45f363a570918bf08de22c9e9056b2e7a89f8e30c49cbd899de5c45941776220bd8f983d2bc1e837622d5666423c112c52ecd

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
305KB

MD5
85bfba240b1a9ac1c8fe5dea7c456bfc

SHA1
b71d83a2c6bae7185dd28d37ce3d6aa93efd979f

SHA256
f64d4dd49722a44f7299e68bf2ff7830880c26b78516b991b7f5d3cfbe1facd9

SHA512
082c2ce477a1a49d76620b1d620bc5ef868505fee34a2891d543f2c2a5aae47120675c30404e9f466007b2c8dccbedf46b10459e85938bc28c9264dcdaa52821

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
305KB

MD5
d192665c509df5dd9a49283903f6471a

SHA1
e774dafef5ba3b3085dd4c455712ec21ad63bc46

SHA256
06da71a3cbc49c1a4c00558c2981418716ee05e2f0379fa477a7a92f5b83bbbc

SHA512
fb80a4afe9a4e02a9437d7c38fa82047822b17da8f769c0efdc61bc9d6cd00b6224f4fbd5baa3ce3bec2c725b3e7651da706b1ad1a9652fe4da1e49afdd913ca

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
305KB

MD5
b56572cc3dfc611c39896c003df592b4

SHA1
b489bdcea6092c409db7ecb393de398e6ffc63e5

SHA256
c9e0cd6aa4ca8d9185cdee18b08232f97d0eb4d17ba918698fe859a0d6e43abc

SHA512
88c622505d33d56f3dba41fef0d809e56d78aa9d00e9576e18c9952a52a1512be23927fff1854011b4e1a0fa2994efbf9239e2e883f8824e3589de0a2f461afd

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
305KB

MD5
f7d1f4b619dd1a9fbf3e2134c0fd7728

SHA1
7503c9eb7031f931ff1228ed7fe3f64b6dc5cd49

SHA256
245c54865ea3026c70cef366d9dd1cc7e685bfc89d4e3a08fa8ebcd29bc585dc

SHA512
2a68e5beea220c331c65f8840cbee15c8507593accfbac7bfb54ca6372c394c9ec0dffe79e7e886e0bb38929fc2200f77aa56be434f6a4e3d77fe906c5e8d39e

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
305KB

MD5
362c478ef9e4fb0f177ade589c2eecf3

SHA1
e8c1385ea6541a513c4e81e52942fcbd80e29214

SHA256
26c6fe25ec986e68b271fe32783a595469e507a773297887fadcf741d73f4cfc

SHA512
c96ce4fa96a9a6d4a83276d84c760d697885df0ad5d8afe3967a04b350706dc2b937fa6fa19b02fa0cccdf4a2226a4b93c3a1b56a793c29d198dd284cc201ce2

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
305KB

MD5
36e432d1bb9312c07cc19e61d0dc8813

SHA1
21234dcec182c0cf96af7afcb22af84f7db4508d

SHA256
113b582ca186921856eecfb266d816fc94cb8b2987bf2e30c54da6fe086420c6

SHA512
0cb66f3c75a853d1ab9d997f40fc80553c5d93966c8290a0e4f2b9b9d715d09adcd3ffe766b575ec2d49112a27db0482d53df5c3fc12acf2164bc210b99f879c

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
305KB

MD5
fd61806b638421c53eb0fd8b94787376

SHA1
cb598a6430cea1a8507fcb428901e47fc2610308

SHA256
9610b163bfd5af54fd21fed5f4cdae814030e777c08fa8f727ea1d0d525e8aac

SHA512
b41eb25c7bfc6a4cd39b1790a28a73ae77e70982100c16f67211878c581424e8466d7c087a9e20c01c9e335841275482baf07a2704efcd460036604a58585bd1

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
305KB

MD5
a1de9befbc4d5de2adc90444757280dd

SHA1
21248bac16a4db7005ff47a22cb3dab0fb78062f

SHA256
14e0d2ebb1c4142162f8dce063d53158760ae8f2f94ea555ce3c42169155de4b

SHA512
745c2f441727a0ce6b9bc71ea4de5ec5c9a85759d29859b4c596a907da96a1daacffc9b78cb68d7a202a32b0d8abb3817d5b7babc3ea88ea9124ea94aedafd5d

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
305KB

MD5
493cabcc70310c5172150ae144a38d0d

SHA1
41f4c3e22c9972a5d8cdf3d17d3ff4ddef8fb5f8

SHA256
4f143d764ca7cea7d9fd53b76ff88e7dbbc89f7285c1abb2d4e01fbe39c46b5a

SHA512
f597bf3b732e25e5cd7aefa6175a979cec67c8718ca523ca2720a823a183051795faaba145803253d82635772405e2b0004bb961a3e2a9438ec8facdbb3a8e73

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
305KB

MD5
72ad881de730a320615335eb7b3ac744

SHA1
8928678d21ad4dc69a2eb5f8641856195d3aca88

SHA256
9a7ed815e4c229637e882e066b2388ec7707883e1bfba3596c3992ace7d66b32

SHA512
ee9e7c5abfd2f19035a11d38923cc1ffbc559debb6319b7e179b581d52a7d25ba5f736abd6224a61e393c68c810b94de1a33f9563176a0085c901595fb633725

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
305KB

MD5
176d7a58a30af05ff17a033562e5e31f

SHA1
438951202a2e7d50f16c6f1ad687d9064196d990

SHA256
2fdb7facdfc3cd2185aa66ee72215f075ba133a9cf3478776937d7b345d9b3d7

SHA512
b4ae46886d72eb951e60b0d7f36a8e112550934b40cf942b9ced9a1fee626dfdb316fdca39b52984c9956d948ad71436cbf6c9523051278bea6c937db719933b

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
305KB

MD5
547725f2503a5efa64500d5a94b39a80

SHA1
979889997f6bafb050e8d4537b361bb9fc878754

SHA256
22fd8171c7c392511daa90150282538fcccf739c2b4c622aa81f19fb50a56f27

SHA512
7b2310905612b46d677a4f211b2dcef076026201c5de5de84f250db145803bac229dc2fd02b9f9739b4d56d0fdf77a6eccfb1929fa45950782a48ab723027bcc

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
305KB

MD5
c99d2cbf13cb49e1b273425c54166512

SHA1
a2e5aa14393cac960cdd2937d55405a40ad2a337

SHA256
4dcdb97334d6ba2d3131f6b875539d036e9284193c83cfed2f8acca3b838f3ed

SHA512
c4d7218dadd0f5067c9089b086ecef25308703d8865679c7f708c28ced87f0ff6719110516136d0e50978f0e5839e24a4e12abc38e0b5c6881fedb67caf70c0b

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
305KB

MD5
1b6b0ed78ed82db3770cfccf55178907

SHA1
7f758c9db4fbdedc8f8f4a588903075820f63af8

SHA256
4ced37fd8d5da598e30447d8c2e31753c7ea5c105a787c7a29d1af6e8df80a79

SHA512
a8b5efd97af2bec90f9ac7235e9221bdc9476dc90e3babb1e97861a39a8cee14c0b015ab58a461ae3817bb43fe75e5a04b3be9caf9fb19f3d76189412a8e7c99

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
305KB

MD5
4a7cc4c055407eb2c4d8d102758ffe6a

SHA1
14dacf7fa2276041ae551aae839ac7115f18cf3c

SHA256
4a3a21e69896606bdcf3fb353402723eabbba125059dad6aa2d8ae0e71e3f892

SHA512
cc72ab69dacfe5db56ad46d6297401c786f20471b59eec016875513ccd6f6b60068bddff96692504c2a902615b5d2032b049c8680f8c689ace8f6ca88e45e70d

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
305KB

MD5
741cc5552147c9beb91100d5233a3569

SHA1
b2f21113c4a73115bd5efbd8afa6245783caad76

SHA256
400c455e810b6a972b9416d1d71f692dfc047c50f150683bf586bdf87bcf531b

SHA512
d491ac77a5ca415562db139ee210869c01e3697f1ceceda84af8367bc93205a680fb1ac0b0a3b35f7232dff503a276a489e22af72e57279da0e1a722632f17a4

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
305KB

MD5
b64b70cd160420316fb6deda4189f2b8

SHA1
1e42454505bf20319e24657065fcabe37ed4560b

SHA256
4aeae6aeb26cea757815ee344d01dc120ee139ca294dc72d3598cd41616a1513

SHA512
c1eeec61467b46a631b5a663a362496bdb9f3cf0169703ccfb81cbc82d1ed06650fc1ded1162c2cfc56d40d816eaa44fa3f6b2274a98df9b0789f5e11795525a

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
305KB

MD5
74e8eeb0c5c1f2e2d935f1ad0d45b60b

SHA1
d603fb2dbca3470f71970bf2009d01a8a72aa605

SHA256
9b986f67978e6d2e45a8fb1f1a4fcdf02249e488169e51784c3ea36d55031337

SHA512
4b2af671bcdf3c1f6a9da4a7c5c61699d7002898dcc147af5d3d969a7adcd606c6e06efd5c333038c1643d583e077ec85a05eb792fe7733dcbfb68e21f083849

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
305KB

MD5
544ec48f057a326870bd1d133a6548ed

SHA1
a97f74f1919f2549d65ae7268e87f78967ec7662

SHA256
f18989663480f501a39515f00db7d053b8e055d5a8e553a196686625ffe8bfb3

SHA512
bfe0a84a1b746569fd9a4b7bce6018f34bbdfeb6f8062ecd178839455ddd349cce8e5d9478aa5ed5fe504c5cf7721250c872bee03d183fad6948ccb007ee11f2

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
305KB

MD5
33454ca0bc6304b1bd54190c40d8c8ec

SHA1
0f420c9e9a29b91bc3b56fc7aa208c4b8c935297

SHA256
5b32d75c30b79bf76cd81d8b4f8b66b182802c457e5c0f0f7e1a06a0bb0e5d5c

SHA512
599d8f07eab5670da54357fd6a5b60406472df87ec7b395d24774299bf61b4aea1deba42336be4465ec148e1a4cac51aa6e63f3a3999d00a00469bd28f7fde14

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
305KB

MD5
b0f323484ea58bba3663bb3ccf673a48

SHA1
687a7f3dbdcf585def4ab2a50ac1473b70025b02

SHA256
8e2d54cc7bae126c76e9ee01622c6a362bdb84c8e11bedb4fc745e76ed188df9

SHA512
16922aed7eb6a28347c3be0716b0af758822bd669af2f0768626a8476399859c5f3a8bb79e42877b55424f36200f6f36aa78df1298dffa7bc6aeda677266ada9

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
305KB

MD5
f5594dea53eecbdb69f42fefbb54d075

SHA1
84a3ff13ac6b19440e58d47254d259ce86dba91f

SHA256
1b6c9f3eeb4f5f10c1e966e99f419393e7865a44eeb1ddf1b01287d980447757

SHA512
71d263da98f3c9142f71e228006b3b178f854d30f6daf83cbf344a5065a83434e86a212b8a192acd367741b1dd634b93c06efc703085d80fc8f8c16664539252

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
305KB

MD5
276dd52ae784b86f5bb9d20b28a7686b

SHA1
1c8370685ca32a579997465f27a661395df272bd

SHA256
706ff6ea67cfdfaef27261be42b816114828709e0ddd8c87af168bcfabb6c097

SHA512
f3d6eb82cbfc94a11802e4ab63e669135fb1d9c5ae5571bad3f83fb81d35abe0dd248ed2be4defb2a7658ee54fefc7865d9119415f3efecf5d134de4d970c100

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
305KB

MD5
e49910a3e1c4949d04ea707a89972d61

SHA1
d1b0e20ad38079ac34f653a078f63e4d83d6041f

SHA256
e37dfb7cb224a5a11bcefd24dd0b943653f242b268c961366ea15e2247ca3953

SHA512
a19fdf9b4af4fc94ab60be2296b619b1207e0a9e3dba865bbcc13380ff0f11c7c1324fb1a85076a31af202a272bb7c9801c040e94d6622072ee04c290050f903

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
305KB

MD5
6157ead0c8beb41cf258e32a4cafaf85

SHA1
bb9a16af414336be07dd379b3911e89bf25f3308

SHA256
57e4d91cebf847f4d963b390351cd5201972c151b8953d57aee68de155b072da

SHA512
51ddd5daa82514a4b28c2118f4f54e02c2de52c184823b850187907d9284e0476ec40ab67b0fbabf24bd7782579b10c3bf84e5d9e363f89715597ed2d6893e05

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
305KB

MD5
54b08eb5e5c3b1afa00493980e4c0ac6

SHA1
6e2b1e71d208d824f10fc2452d3c47a580084e23

SHA256
289710efd60de159d0f7d1e6e12f1433f7431950b5adc20697c9b27ee44c9ba7

SHA512
259b5942c71a66eb590153c5cb670729954d361706d2b1ac85ac9ec1a173d82d5e040a319f34098937f627167aa9987d41ade2c9616c64d5e48b1c376683feb0

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
305KB

MD5
7d11234a8c87a3038ff5ec83823080fe

SHA1
27ef0d1a13a95973694914c04dec65283d1994db

SHA256
e1d59a815adcb72cba99370a6a32d820d4aef806a35017a6a6f532dfcd8bb4e4

SHA512
3fc8e2fae239071bd09f5fc28b29123ca258191513aaa6aa5165d6038a29f6bbaf44ba6385e4a25080c6969bfb39845fb13b12cbf08f366d69020a7a4db18a5f

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
305KB

MD5
c99669780d749c24576a1e3d3ab60977

SHA1
b8ad6be1b9abb0a3679643cfe616b6aae9dd7e7f

SHA256
137165c2eafff175a7b21d706d09d64b6cdc8d03f9c61afde99e8bd9439146ad

SHA512
19932bc10a58b5cf9e30dd9319090fcec3dfd22867a6c131e66cf4d636382e79abcff784f20308f402c4d01de199d5ef1e30521e846c4efddd9be5b11fa066a0

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
305KB

MD5
ebde6151b7c119200ac01ad993e435fd

SHA1
645808de8bb2db1cb0c6d797ee06a0b8a3abfa33

SHA256
59685e3db4ea36aeae2110b03cef4c4c46e68cdb8bc813e8e70d0e96e80712a9

SHA512
4bb42625629d5ac8f3926abf2626d131ec8406cda00d0bbdbf8d8c93a9df852e7ec82a4e8a5422c0967043a0ac3e6d5da0066cb97a7cb28f6d2e73cae21f2f33

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
305KB

MD5
91e33244c4a09e8de0de4e0dc8e69ded

SHA1
a4fc320b73a332186f2ae867165c5b60b69a671a

SHA256
82d1ef33528ce6426e8328b8cfde5e1f5f6835e641ff9671b86e325d0df382c6

SHA512
ca85429aa96d48a160a1525f8e4301d9daafbb63173dfa29fe6f4774fc0ad0e9821730da844efb45a1657ae379a6e224eed952b704e8701102a68aff73d0b96f

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
305KB

MD5
2add53e4a2d834ba40fa9e4d9f3de1c3

SHA1
3427c181ae423810a0335dd19fcb2dcef2b86425

SHA256
2d2b66c3f2a3c602c0ca070aabc815e4d2a7f887db8d7114495f9ea9876ee43e

SHA512
e3b0fcde9199b79723015d1e24ee5d5d6d930421fa67711cdb48498d9981040be9e2c99f7c8a57609897ac6d2c665151a80e97e4713dd0c46c0d358f478cf242

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
305KB

MD5
67b866e6311fec1ae4fdb0676fcd3faf

SHA1
dd53a4584fef96510699c80428efcc85e24a9ea1

SHA256
98548f9c9c3aaa002c8ec41fee81f477c8cb4a38debc45c7eff1814f0be3e307

SHA512
6354374e0734547b265c2d24dbeaba2ac5b4581eabbc005bc788260644cba374b23fd8da101b38d0488666927eafd7d1365454d892d8d0d98ea14c98aea2b555

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
305KB

MD5
542b81262a91d3bbf0ffd4b35b58c627

SHA1
1c856c4c698a1e881c43ea6baf77683028479903

SHA256
d2470c5803f407e7dc3e0b5d1e9a289febaf4bce91c661aa6f889601b544bf33

SHA512
7733295f418aa56dc8c910611138cccbcdf740785249fb7168fbd2e05fdd6fbffc1ef5254def6f2b1c07e08a05ae37ec341492651531fb9486ae96b523cbb3bb

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
305KB

MD5
4b2d8d076379ac9fe0f40af5bc72ccb5

SHA1
c37a4086d832b79c151cb0d36ff80d55b0654721

SHA256
6ceb82a58ca19575668af3e8b89d8402bf6e145e352d359bedeb25d53b4e85c4

SHA512
ef1c9a7f5e91e9c0eddc06141f7060fe25fa44748e13a18789b65b2c3af3986e7d478e8151a1c73133c3c712c122602ab6504080be0cc2b6ee89f355933bd922

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
305KB

MD5
ca2f9cbf99c3c79453642c62f1a85b4e

SHA1
bb462c8b76f419a58665f2554538270269404c9c

SHA256
c1775c532c891c581fa843323380f9414c3f1ee5589ad931baaa6537fd366e0d

SHA512
b532c6839bc7be63c48ad5b1718d81ad1fec3c6e5823a20d569e481d8d5829544fd9a6e991f28256feaeaca65bfe2e1b4a5985d263ce4baec127fd145b0c14b4

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
305KB

MD5
6642442c7a9e1d19897622e7d5b643c9

SHA1
213c990d956d7cba1dd469b8f1a8913e084187bb

SHA256
3ab74a1e7871b40a5d3f0bd04671e1b5bd22be4f12ae2ba7117026cc3f0278ac

SHA512
bcf59050642a3613aa0367848a6ff8f4600e99175466e27d0f1f92d180a2b5133d6e3732bc888c2a893de520e3ca456b222f4aaa8514b124adf4762dcba6b775

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
305KB

MD5
c01140627b06cc93127a0c3a1548caac

SHA1
89b2a2d8cfbc3bdfde614ed67ee0c618a873ef13

SHA256
388328dceb3feb62e839f913c342761c1bcf127f497bd6ccff4e6e3f2c910182

SHA512
1166d257c42ac0153fe7ccd8a07a9a060142b09189394aad2e7dabf60e8568cb006df51ee91cc4c10e6de57c5e69c507672fbfe67c6fd7197ce845b24bf789de

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
305KB

MD5
bcacfb3df27c03ac3f4db7a54e653b92

SHA1
532d4269828525dd31bbf4b09f306e117a360ff4

SHA256
9c6b854eb3c3de9ae24b5106d9dd4062469fec55844ed95d332dfbb14a2d7aca

SHA512
2e8efec16a900dbe4a7a782c2c2e6750b6937d8c484cee252b4ede37698361a848c1acec6ceca61fe76a0de7b71f7a5e738855c98f291e450287d52c1fde2d47

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
305KB

MD5
9f1df803e98b8213ad10d150d67f4ab9

SHA1
24ca1d3c4efddd7f17dfb72fea8acaea27a47450

SHA256
d018bf5214b55116b6ef17f98e21a9d941d3000fe2d8de26cbf11479a5192107

SHA512
d23ae6a1f6972a2c18ea250dc6970adeae7df83c39398050d179bcf81c525bc8df648a0e50b9481e2d45c72d11bb4b35cea5b2b70a1c7242c499abbf53285f61

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
305KB

MD5
9bae1bbdc170264d7a512dd2692a67fc

SHA1
ce0662f76f96d7cf7e3a2a9a02aea7f60560f75e

SHA256
c4d355d1c6a6f3bc45d2c8329e48b75ad5a8bbcaacb9b0c15572674acbb17c50

SHA512
99c5c6e7e1cf7e6ad54c6932d996479fed4ba93ea6c20dac097090ad7da88a93ae23ddfe30d074e17ba875dee9376e283c02602fd2fbd1849ce66c9dfe021d76

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
305KB

MD5
5a8426b67a4e240e03c3a0b054a739ab

SHA1
784af986716266ad7d4cb97f5b69b398783adfc6

SHA256
c3cc8a8c6bc2d3dd697d8bf467b5f6a9255acdb1eb41d00bb02f05eb1b829393

SHA512
d376420e31267fedf921f2f8d01f3d452fd9b0f817194c2bc9b93de0dc9d9f670b5089cdb5b4e46fedf22913b4ffb5b37b3c3416de8cd35eb9765101e15bc1f7

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
305KB

MD5
d13b15fbdfb2c82cc6caaeac3579d48e

SHA1
55382ad4313211343d753b512a3b30c2366c6c8d

SHA256
7312c9be70415e0f024d4d96341ca75b80955257825670062f1e9ef5dd7f7a55

SHA512
cf4598a3bb12406518551531cd61ef29476c31cb3a3c33bc73099ab9a66f827608dce8ebc3aefe342b132d182230813dac5496af0590969a36a5fbd8a8a1d6a8

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
305KB

MD5
f95483d9a0986fea10b3d3fc55836b0b

SHA1
defc66a0536f2e894e7d95140db919ad85606646

SHA256
a3ee31f07dc4f602191a2ac1bb083b2ebdc5f4e3dbcebc21a782e21f71b94b4e

SHA512
8e1e428fb40dce4ff61b5713e9c0cf83adde8719b51e0523fafdd5e9577a92c040db360b65fc55d9fbef0fa2ebc342b46dc1406b76c558d6cf6dc919ad52eaa5

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
305KB

MD5
c374d2e1835be98196b2d220e3a77581

SHA1
12d6657e3ca1619b17370c1a3da094233e455922

SHA256
0b6f19423fc0de01f6a0344ecb6d36fd32261df99efe6a13b01e1558dda78e6c

SHA512
4e23707ede51889426aaeca20f5650707509e20394a7a12682178932ccb962c3d27f1214ca51388a558c04fed163f3631cb3872a6a7a5c7154abd35023827ecd

Download Submit
C:\Windows\SysWOW64\Ofnpim32.dll

Filesize
7KB

MD5
e3c52918d66c8179ecc63759d04ac96d

SHA1
a5047308d21b2ebe18cc3b1f7001928fc589b266

SHA256
0fb16631e08efa7ca49646cb2286d90e32dc02411ef68e2b535dcda66f8b8869

SHA512
5fda65a156475455ad30ff4bba198b0573880223123a8e48e46d5f4ffd9a6191982e82e799e6ad722832f275dfb02a13ac362f79546605a3b1d1135e3e0034bc

Download Submit
memory/384-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/548-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/552-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/644-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/656-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/752-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/772-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/864-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1000-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1116-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1148-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1164-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1308-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1364-525-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-570-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1444-599-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1572-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1640-578-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1692-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2136-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2172-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2172-577-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2196-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2200-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2300-596-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2308-584-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2308-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2356-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2360-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2376-563-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2376-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2512-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2548-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2672-457-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2916-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2988-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-564-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3136-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3184-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3192-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3232-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3384-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3428-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3440-557-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3504-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3640-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3652-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3704-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3832-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-591-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4024-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4060-571-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4080-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4108-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4168-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4244-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4244-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4312-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4348-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4440-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4564-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4628-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4664-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4676-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4780-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4788-284-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4832-598-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4832-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4852-585-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5032-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads