0d52d83fde52fb5457181b05d6efdcfe28cadd8dd1f53b2bac722f533888b4b9

Analysis

max time kernel
133s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d52d83fde52fb5457181b05d6efdcfe28cadd8dd1f53b2bac722f533888b4b9.exe
Size

344KB
MD5

5e3cf0e204190bb745510fec501a251e
SHA1

13c08825cedf85789f75218d8c6f7473bc033e42
SHA256

0d52d83fde52fb5457181b05d6efdcfe28cadd8dd1f53b2bac722f533888b4b9
SHA512

f79ba2739c05de3d9002ec551e719c0b1ed5cd1b84306e708a807b7f20d40373c0e5c465f0d7605011585ae695baaf946e6d1def5a5be40a001eff200fe3c3a9
SSDEEP

3072:hYmRH8shQCpVrV2/VknbzvxPLaD6OkPgtz6MjK7aIjCqjRrz3QFn:hu1CpX2/mnbzvdLaD6OkPgl6bmIjlQFn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe

UPX dump on OEP (original entry point) 48 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023289-7.dat	UPX
behavioral2/files/0x0007000000023427-14.dat	UPX
behavioral2/files/0x000700000002342a-22.dat	UPX
behavioral2/files/0x000700000002342c-30.dat	UPX
behavioral2/files/0x000700000002342e-38.dat	UPX
behavioral2/files/0x0007000000023430-46.dat	UPX
behavioral2/files/0x0007000000023432-54.dat	UPX
behavioral2/files/0x0007000000023434-62.dat	UPX
behavioral2/files/0x0007000000023436-70.dat	UPX
behavioral2/files/0x0007000000023438-78.dat	UPX
behavioral2/files/0x000700000002343a-86.dat	UPX
behavioral2/files/0x000700000002343c-95.dat	UPX
behavioral2/files/0x000700000002343e-103.dat	UPX
behavioral2/files/0x0007000000023440-110.dat	UPX
behavioral2/files/0x0007000000023442-118.dat	UPX
behavioral2/files/0x0007000000023445-121.dat	UPX
behavioral2/files/0x0007000000023447-135.dat	UPX
behavioral2/files/0x0007000000023449-142.dat	UPX
behavioral2/files/0x000700000002344b-150.dat	UPX
behavioral2/files/0x000700000002344d-159.dat	UPX
behavioral2/files/0x0008000000023424-166.dat	UPX
behavioral2/files/0x0007000000023450-174.dat	UPX
behavioral2/files/0x0007000000023452-182.dat	UPX
behavioral2/files/0x0007000000023454-191.dat	UPX
behavioral2/files/0x0007000000023456-199.dat	UPX
behavioral2/files/0x0007000000023458-206.dat	UPX
behavioral2/files/0x000700000002345a-214.dat	UPX
behavioral2/files/0x000700000002345c-223.dat	UPX
behavioral2/files/0x000700000002345e-230.dat	UPX
behavioral2/files/0x0007000000023462-246.dat	UPX
behavioral2/files/0x0007000000023464-255.dat	UPX
behavioral2/files/0x0007000000023460-239.dat	UPX
behavioral2/files/0x000700000002346c-275.dat	UPX
behavioral2/files/0x0007000000023476-306.dat	UPX
behavioral2/files/0x0002000000022abc-335.dat	UPX
behavioral2/files/0x0007000000023488-365.dat	UPX
behavioral2/files/0x0007000000023494-400.dat	UPX
behavioral2/files/0x0007000000023496-408.dat	UPX
behavioral2/files/0x000700000002349c-426.dat	UPX
behavioral2/files/0x000d00000002338b-443.dat	UPX
behavioral2/files/0x00070000000234ab-480.dat	UPX
behavioral2/files/0x00070000000234a9-472.dat	UPX
behavioral2/files/0x00070000000234b3-502.dat	UPX
behavioral2/files/0x00070000000234b7-515.dat	UPX
behavioral2/files/0x00070000000234e3-662.dat	UPX
behavioral2/files/0x00070000000234fb-739.dat	UPX
behavioral2/files/0x0007000000023509-788.dat	UPX
behavioral2/files/0x0007000000023510-815.dat	UPX

Executes dropped EXE 64 IoCs

pid	Process
4908	Hapaemll.exe
4572	Hcnnaikp.exe
1424	Hpenfjad.exe
2072	Himcoo32.exe
3320	Hccglh32.exe
5048	Hbeghene.exe
3260	Hippdo32.exe
1512	Hbhdmd32.exe
952	Hmmhjm32.exe
1868	Icgqggce.exe
3096	Ibjqcd32.exe
4440	Impepm32.exe
4840	Icjmmg32.exe
4380	Ibmmhdhm.exe
4660	Ijdeiaio.exe
4864	Ipqnahgf.exe
2368	Ijfboafl.exe
1592	Imdnklfp.exe
548	Ibagcc32.exe
556	Imgkql32.exe
2648	Ipegmg32.exe
920	Ifopiajn.exe
2232	Imihfl32.exe
4668	Jpgdbg32.exe
4932	Jbfpobpb.exe
2344	Jjmhppqd.exe
2148	Jdemhe32.exe
4540	Jjpeepnb.exe
2508	Jmnaakne.exe
5068	Jfffjqdf.exe
316	Jjbako32.exe
5076	Jpojcf32.exe
2308	Jbmfoa32.exe
776	Jmbklj32.exe
740	Jpaghf32.exe
4508	Jdmcidam.exe
1732	Jfkoeppq.exe
3764	Jiikak32.exe
3896	Kaqcbi32.exe
5064	Kdopod32.exe
1072	Kbapjafe.exe
2304	Kkihknfg.exe
1576	Kmgdgjek.exe
5080	Kacphh32.exe
884	Kdaldd32.exe
1736	Kgphpo32.exe
3784	Kinemkko.exe
4160	Kaemnhla.exe
2456	Kphmie32.exe
680	Kdcijcke.exe
4724	Kgbefoji.exe
888	Kipabjil.exe
4320	Kmlnbi32.exe
940	Kagichjo.exe
2796	Kpjjod32.exe
2220	Kgdbkohf.exe
1528	Kkpnlm32.exe
3548	Kibnhjgj.exe
3204	Kajfig32.exe
228	Kdhbec32.exe
1824	Kgfoan32.exe
4960	Kkbkamnl.exe
2320	Lalcng32.exe
4760	Ldkojb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Feambf32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	0d52d83fde52fb5457181b05d6efdcfe28cadd8dd1f53b2bac722f533888b4b9.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ipqnahgf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6076	5928	WerFault.exe	206

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	0d52d83fde52fb5457181b05d6efdcfe28cadd8dd1f53b2bac722f533888b4b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0d52d83fde52fb5457181b05d6efdcfe28cadd8dd1f53b2bac722f533888b4b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 4908	3292	0d52d83fde52fb5457181b05d6efdcfe28cadd8dd1f53b2bac722f533888b4b9.exe	83
PID 3292 wrote to memory of 4908	3292	0d52d83fde52fb5457181b05d6efdcfe28cadd8dd1f53b2bac722f533888b4b9.exe	83
PID 3292 wrote to memory of 4908	3292	0d52d83fde52fb5457181b05d6efdcfe28cadd8dd1f53b2bac722f533888b4b9.exe	83
PID 4908 wrote to memory of 4572	4908	Hapaemll.exe	84
PID 4908 wrote to memory of 4572	4908	Hapaemll.exe	84
PID 4908 wrote to memory of 4572	4908	Hapaemll.exe	84
PID 4572 wrote to memory of 1424	4572	Hcnnaikp.exe	85
PID 4572 wrote to memory of 1424	4572	Hcnnaikp.exe	85
PID 4572 wrote to memory of 1424	4572	Hcnnaikp.exe	85
PID 1424 wrote to memory of 2072	1424	Hpenfjad.exe	86
PID 1424 wrote to memory of 2072	1424	Hpenfjad.exe	86
PID 1424 wrote to memory of 2072	1424	Hpenfjad.exe	86
PID 2072 wrote to memory of 3320	2072	Himcoo32.exe	87
PID 2072 wrote to memory of 3320	2072	Himcoo32.exe	87
PID 2072 wrote to memory of 3320	2072	Himcoo32.exe	87
PID 3320 wrote to memory of 5048	3320	Hccglh32.exe	88
PID 3320 wrote to memory of 5048	3320	Hccglh32.exe	88
PID 3320 wrote to memory of 5048	3320	Hccglh32.exe	88
PID 5048 wrote to memory of 3260	5048	Hbeghene.exe	89
PID 5048 wrote to memory of 3260	5048	Hbeghene.exe	89
PID 5048 wrote to memory of 3260	5048	Hbeghene.exe	89
PID 3260 wrote to memory of 1512	3260	Hippdo32.exe	90
PID 3260 wrote to memory of 1512	3260	Hippdo32.exe	90
PID 3260 wrote to memory of 1512	3260	Hippdo32.exe	90
PID 1512 wrote to memory of 952	1512	Hbhdmd32.exe	91
PID 1512 wrote to memory of 952	1512	Hbhdmd32.exe	91
PID 1512 wrote to memory of 952	1512	Hbhdmd32.exe	91
PID 952 wrote to memory of 1868	952	Hmmhjm32.exe	92
PID 952 wrote to memory of 1868	952	Hmmhjm32.exe	92
PID 952 wrote to memory of 1868	952	Hmmhjm32.exe	92
PID 1868 wrote to memory of 3096	1868	Icgqggce.exe	93
PID 1868 wrote to memory of 3096	1868	Icgqggce.exe	93
PID 1868 wrote to memory of 3096	1868	Icgqggce.exe	93
PID 3096 wrote to memory of 4440	3096	Ibjqcd32.exe	94
PID 3096 wrote to memory of 4440	3096	Ibjqcd32.exe	94
PID 3096 wrote to memory of 4440	3096	Ibjqcd32.exe	94
PID 4440 wrote to memory of 4840	4440	Impepm32.exe	95
PID 4440 wrote to memory of 4840	4440	Impepm32.exe	95
PID 4440 wrote to memory of 4840	4440	Impepm32.exe	95
PID 4840 wrote to memory of 4380	4840	Icjmmg32.exe	97
PID 4840 wrote to memory of 4380	4840	Icjmmg32.exe	97
PID 4840 wrote to memory of 4380	4840	Icjmmg32.exe	97
PID 4380 wrote to memory of 4660	4380	Ibmmhdhm.exe	98
PID 4380 wrote to memory of 4660	4380	Ibmmhdhm.exe	98
PID 4380 wrote to memory of 4660	4380	Ibmmhdhm.exe	98
PID 4660 wrote to memory of 4864	4660	Ijdeiaio.exe	99
PID 4660 wrote to memory of 4864	4660	Ijdeiaio.exe	99
PID 4660 wrote to memory of 4864	4660	Ijdeiaio.exe	99
PID 4864 wrote to memory of 2368	4864	Ipqnahgf.exe	100
PID 4864 wrote to memory of 2368	4864	Ipqnahgf.exe	100
PID 4864 wrote to memory of 2368	4864	Ipqnahgf.exe	100
PID 2368 wrote to memory of 1592	2368	Ijfboafl.exe	101
PID 2368 wrote to memory of 1592	2368	Ijfboafl.exe	101
PID 2368 wrote to memory of 1592	2368	Ijfboafl.exe	101
PID 1592 wrote to memory of 548	1592	Imdnklfp.exe	102
PID 1592 wrote to memory of 548	1592	Imdnklfp.exe	102
PID 1592 wrote to memory of 548	1592	Imdnklfp.exe	102
PID 548 wrote to memory of 556	548	Ibagcc32.exe	103
PID 548 wrote to memory of 556	548	Ibagcc32.exe	103
PID 548 wrote to memory of 556	548	Ibagcc32.exe	103
PID 556 wrote to memory of 2648	556	Imgkql32.exe	104
PID 556 wrote to memory of 2648	556	Imgkql32.exe	104
PID 556 wrote to memory of 2648	556	Imgkql32.exe	104
PID 2648 wrote to memory of 920	2648	Ipegmg32.exe	106

C:\Users\Admin\AppData\Local\Temp\0d52d83fde52fb5457181b05d6efdcfe28cadd8dd1f53b2bac722f533888b4b9.exe
"C:\Users\Admin\AppData\Local\Temp\0d52d83fde52fb5457181b05d6efdcfe28cadd8dd1f53b2bac722f533888b4b9.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\SysWOW64\Hapaemll.exe
  C:\Windows\system32\Hapaemll.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\Hcnnaikp.exe
    C:\Windows\system32\Hcnnaikp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\SysWOW64\Hpenfjad.exe
      C:\Windows\system32\Hpenfjad.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        25⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        28⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        33⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:776
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        36⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        40⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        45⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        57⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        59⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        68⤵
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        70⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        73⤵
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4064
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        77⤵
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        78⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4776
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1692
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        81⤵
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        86⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        88⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        91⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        94⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        95⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        99⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        102⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        103⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        106⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        107⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        109⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        110⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        113⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        115⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        117⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        120⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        122⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        123⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 400
        124⤵
        Program crash
        
        PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5928 -ip 5928
1⤵
PID:6032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hapaemll.exe

Filesize
344KB

MD5
fa0bc190df7327da72f900497544a668

SHA1
9e60b1060d5a9ecb2d9bcf97ddb7e82dd58a6f4c

SHA256
5a43cc140612e12220cd02d518c00d327fdb64ecf7f47f098a49312e7ca86688

SHA512
7a95ae5748ce82b3aecef2a70ba00eac5a50636a5368906a6663434ecc70ffab962517edbcc0d9f5ac9d4dafefd4b9ad9beed783b6f9525f888cbb02b723327d

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
344KB

MD5
4cea3eb0353fbc253c90065f8f6c1192

SHA1
1c7876c3084d5ce6cd371847b5df33fcdea7b21d

SHA256
68ebf05b4a2df23fb259ca2393a2ddea9c4de66f2c4f2214a5f918a46e6b7de8

SHA512
c99ae9a794b1aaf46d970f7db6acc21fabec5ca24c65c2d0d9037cca0b8306396c0b271f1f8b5676791750f16954d6f3f9f3d5a161539a9e3025e641f87dfb58

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
344KB

MD5
0f15286cad891f644eca93cf81b4a2e3

SHA1
03067d3b0b02bb51f6f0e810503d0177e6e6a7d9

SHA256
71cefffe16912623df0850077c2e92d99041f9ead49e71183204b249a1ba46d9

SHA512
36ea81ef4809356f8853579637cbeef78a2630702ff388c11cd2b34924acfffdc0ad8bbd18cbf64727d0b621d7ac3e86502109ad787e0552acb7dd2b940dca2e

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
344KB

MD5
19feb243e224cd9b5d73e6036cf15740

SHA1
6c2b6de6f4f4bccd7a86af81e356c9fe50837e4a

SHA256
080d73c352bac437f70eca363a1aff9e62e9df3f3ddb7359ad472f2a0c617a14

SHA512
70dae3a703c583cce6b62b8e4105083feac86dc944eeb833cdab003e05267f3e6d5b81af921d59b96f6d8c8716b0c65f281d1d45432fe61dd0df50393d4e824c

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
344KB

MD5
0fb17911d806e98d6ed075584c39b879

SHA1
bc7a83698b2244a7f4c61d7459c4b601a9986a38

SHA256
7f5fc36e02490236ddb503dd5b483e5d78c3e996e950cd8aa2695a326efe9b79

SHA512
5171807e6d2fe9fb9477f44c77555fbbbdcc6f9ba904a087b0144a92dca9c6b77bc9e373e1df409d0d53a27d0ac513bf07c0550eabfd1e1bac5d82c2719296c4

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
344KB

MD5
fd8489a7cdca05c44453d1dab47443d9

SHA1
7d9ab70ca75c4de7873bb1ffa6deaa49e32caa6c

SHA256
d95c92b75dba8c6787d294e3de7bfb5be72aceda45445a83a09f25780c9a0589

SHA512
b4dd65f81bf7fdb5e621c7de8bc12f84f17005601f4c34b82e3b9e8aa3d7dfee48ef74cacd3dead940131578275fa97955a9922d84114e77c2c68ac341bae1f8

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
344KB

MD5
75287a92f44e424d926d2dd58d6ddca4

SHA1
190c99fe06f6af5009f5a13ce42d4671b50701a0

SHA256
ce87318e2becf396eef290311ef5733c671a09dcc2dd9b0511ffc0e771ce8141

SHA512
e7b9305d93b95af2a98626adf827516bbbd7e92a2d2a96a8e8a70ddafa1b3ed1d1644ac4dcd8e83c9a54847f89c80783b588a241f3818ab79c1a9c248c51b233

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
344KB

MD5
64fbe9a459e9cb698a2242aaa6f6228e

SHA1
e61a70fb325afe17991972335267377046ed7c13

SHA256
cf63981d4473b187c4709ca993c087d0f84f2771a9c7c77054be1d05446a0a70

SHA512
760a61eff0137edee92b05b26380526559ddc930b114bca13baf1d58a7e313ca4cd8c6faadd63573efd4b54ed86bc1789af1b969dde5284d683bd8f8c7d0b530

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
344KB

MD5
2b5e2347e034ba79f3a7c76de91522e9

SHA1
d3b55421b19b43020133efee371a81809aec2c22

SHA256
d6ad2a7d5cacce57835e6e87f13beb1ff2c1018a9a1ac5835c0ee7033f8766eb

SHA512
9d6e597e41029c53efc7274addd9415e7b7a72df45730a87de6374557c1b4fc9dfba87f5a83b83ee43c7bfbdecd202997c5b9ede271c6fff5b6c62dcb8e90a9a

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
344KB

MD5
624033ffb84246f6d37b7c3a1d8613f0

SHA1
5513bbdc65346f3d955427daccf8facc4e053619

SHA256
6bb4595b967f9448dad1dbb85e5ee84e58ff345a7ea80171775a518969ae57ee

SHA512
fa9b7e72dfc946aedcab59f70bbddf899648681f3522ff392a937a2a26e0e71e1d35cd9c7d3225b6f5abe0c13626d424d8c882c81c4e1a8f188ef2801c6d6708

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
344KB

MD5
100f509f5d11af1ebd6823f991b2b4fe

SHA1
0514ca78cf56d33137bc199f144af1185ef18c29

SHA256
512bfb1f94c1ee44e3d27901827d5eabc3a2b3fe3b8c067e0867faf0ab7bc37d

SHA512
9c06a0b00e339018727faec40bcf95c7f03db64ee63ed44c34bb0b31f72490951241bac23b443bcb3cffd4044be62075abc8e6a13931a025a5499d056303be87

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
344KB

MD5
03ada52b70c18f7f4454ef598ae0184c

SHA1
deb9efd03fa5a159fa8f4a79afdb2809dd3ee979

SHA256
c0f32541013b09446117d58a14e5d6781a297bff2b99bc6305a0280433d6b99a

SHA512
e8be069b2127797f99bb65907facc2ec1c8c0d6db8695e5754382de663c6dbbe791166f7bcfc7b39d7848c6dd8dc56d4751a819db6663ddc40d2aa86930bcf31

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
344KB

MD5
f7e4803e4b3f7dab603951e1b5d30f3a

SHA1
a5a1548930a2a48227747009a47f1cbc3ccb33fd

SHA256
bacfa6a5d6957bc50f9bd8fe8873376582ed41b201df01ccbdb10463e9dce7f4

SHA512
8067a59deec3c950109a61af80bbaa3ef007a45ef15676db0e0aca84e6b68ff638aadf3e77dbe41b4163f749f4e4e0d93bc869cf5eda08d71cc52a4fc0530d6d

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
344KB

MD5
a98541022606baaea43675762c6ed589

SHA1
5cca37554b03a465e9d2b8c712c9c1685709d9fa

SHA256
34631cda2ac67d09b1eff65de2873763945773a86b6c891d33d540380abb345a

SHA512
6d121063f53fc40cfb995993d6326794c518f8601c18c5d5d2571f6deea47834c2fb1be5746597c1c2bf92699b779c91bbd5ad40ba55bca4693cf94afc2e8e46

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
344KB

MD5
de037e278cfde2604bbc1cadda24d909

SHA1
00775f5eaf1dee4fe0d2876b95771de6f0bf7348

SHA256
db10fa036595b967ae57ff864d78c09bc75e49f490804091229c140d8967938c

SHA512
c83fc8335c8ac88ee367a653ff883d6ec5ad9a4eb30c7f82b7384a99f0fa48969d41d7e52a46c65b26fd4e46ae61f618a7fb383fd891992bed0783cf2e9b42ea

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
344KB

MD5
aafe24b844e7146b5be06daeabe35ba0

SHA1
9847bf1b917ea7a288132f10d561ea3555c7982b

SHA256
0d95945a86eca47993c1919cd555653d40ea75482be3753cd20cf74fc5e4ef28

SHA512
9cc847a1358a01276f0efd62bdf38bfe421004b8a3c465af2c268999a922744481ff52f1481d1bf1e8eb51a3e8693edf62ed779d020d50d5988b4800d8f27c72

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
344KB

MD5
6180f183a2698571dfc0cca66124ff91

SHA1
ddb54341df9c59043c58ae16b9190c1fb6976314

SHA256
59360c91856fce63a091e6f9f39e7598fdc5a4e8025e8669fe211e06e8c048c6

SHA512
2675305f3d0094d46dca9ca35d16a31caffc6edcc68fc12457aee96611cf73ae6395c6ff20d66188a00cd80ed552939aeef3677af136263d4864a10fb141351e

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
344KB

MD5
e9267d48f158e39fb7c9f50e5e0e2fc1

SHA1
561102116f522f3a89add8c3a6aed3f74702f01d

SHA256
b3cdb16968df1127a89ed64f4a58b878e199c741aa92f2e96e8407b901c1283f

SHA512
840f44dde4686381222867b31930ac6aec58a7d154afd6b8091c0b1d6105f95560bbf42311e200723fdf9872a582e9632a0e85410f60d4bed521ad4255620642

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
344KB

MD5
fd4b5f7fa0867ac9b77ae170128ec475

SHA1
8a3a527b1ac7cec357c8c63ff439a40923fc38f6

SHA256
8752f3703fd9c4ad7ece217040dd4c78087802a9496a2f830866634d0598aee2

SHA512
ed876bd4df4a4734bd207895c286188b898e196a032b9a2d4832cbd66642be57784c384215caf5966b55834077d466c55328068c0ee21a676aed6a26b9ef0000

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
344KB

MD5
13cc4827bbb42a128ac616b158fd7862

SHA1
ca4b5e05b1df66c9428e41313467339b979772ee

SHA256
5fdcc9d3f312a58186c09480516cf2bb4a15ae9b71f0b292d8e61a668184333f

SHA512
fda67de6ef65c9d8a65e716c5cd981bc8b7d4cf211107d870c1787aea6436ebb9787ec12b0776b5b8386cb8b96ec39c4c5daeb04811773c56dffc34949fed295

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
344KB

MD5
61e028253fa435f61209578baa2aeee0

SHA1
f4e45a86d52bfcfad072ab9f8406125b8d77eef7

SHA256
9ba76de1a8b218967f9f4bf869e64e3031cfdff4cb3539a5a20fc12abc736ec9

SHA512
19aa9070f87088e4f8c5b1eaf1dba490ffe452b8c947632e1b1754c126cb2e041bdd4d8b10aa0dee29d34418b769c3ef619a532fbfd58adcfaa93416b6a7eac0

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
344KB

MD5
6bd497cfc000e7e58ab6ac2da6e5df05

SHA1
f4090bf783e66cda406baebf609ad0e737967e67

SHA256
f399c9d0b8c87ad66b028389974a465a950414907549b28a86a0722aabc107e3

SHA512
1e16d6a81c0111e376af93ad98461f4a067c071b3c381877572ffbf6eb0b93cef65cb6b094357e404df779232b774690c26787f6507789561b8005a094c1b2e9

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
344KB

MD5
d9eeffc7608d37c06178af8f17208831

SHA1
feb267802b5719d006a9cd9c2589beb6512159e6

SHA256
cd92ccd88b635b98ecff494c5722e16005b0d44cd5893b4a1e96c94688d16e70

SHA512
5c4a892ff2ca3e042fb6cac9d78484ad030cf5747e0c3fd19c15864c0228e328c65a58bc4426f9b624f9a5ac17d09aa66d4b5c280f02938091d5bc0ea98bcc31

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
344KB

MD5
281e13a05d7bff0b1c8294bedc5f8f91

SHA1
9c28e9bd4cea8c277eb13ecdf15e91bdeabff01e

SHA256
36f55c7468c946ca156e3bfa19635b6909d4cbea43abd5f32dcbee8e863839e1

SHA512
e382af243509e20bb5b05d5460289ecbe5def836824cc8d1029cc747733554f25c91c2cb1c6b81a632ce218bd989d2e06f0f3704df03046aff77799ebfe0415e

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
344KB

MD5
dc57347610e71111ba5317cedcc93ce5

SHA1
5266bc33869f59e5a48363eee5b3e8ec370eab7b

SHA256
c5030b3f9f7c3f62dd4de97c841b3ca10c26684aec9186e941000e6a9e52bb33

SHA512
29dad0adeb44d66f258abbad92875565cd14e9ec94a3246eb81cf96358fcc6e17290d79e46b35c4e0f969f12919c2e1be1030163531eb27ca867068d9e16e705

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
344KB

MD5
ff4538e91cecf3f98fb1e15fe0e7755c

SHA1
53a77294bff028efb19ca7fbbd0734c6b5b6f69e

SHA256
500aa52a5b297a4dcaba72cfe7c0f0d4b0492dd4e130350406f82b9f8e1d78d7

SHA512
84de0999b02bc94c65ab0c5d26a5a43bcd84870f55aa5dee4cbdaeca61f3e99fb73b5a823a7e8d82bd2cd8735b0e0b6a61f1b6993dc6c701ed31a4e8999c2747

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
344KB

MD5
f2321080e16cbe6e77f38ae4a723f329

SHA1
abd669575d5ebbbe91bfaa643cd5382dc31692c3

SHA256
ba4b657b3659f20d4fe6c6b97595fcdaf14f42cd5cb85825c8273a1b8551d6bf

SHA512
26a92632c22eb2aaee491d071413b6c405edc7d3d17d01c2a857b44f3ec4d9e39a9bc99a6ff5444fc1adf2ee5a317cc4442052fa0483910b0a8c47e05ac517e2

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
344KB

MD5
003abc161e065be8408dc539bbe31dd2

SHA1
727e1bfe254f8ac345af6fb3a826acccfe16b305

SHA256
b0aa1f0acfe183c62d6e4f5876036f98cf2cb593e80c390fe882def644f61e76

SHA512
979e46d38606ba2316531eca9bfe15e8b0adf2428876d00c4355f7a47a55b89a5f04b0879e9e73a5b961f6745d2a870dabe9f4fd91ab09ca309f16176a3e4ac9

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
344KB

MD5
b76497d32758b15c12d4aa7839be37f9

SHA1
e9a2ae2c8240609634fd4c06db0492bd4bdfbbfc

SHA256
4ca5677916cf168de09ddc647c52a5f1c01f6e85541d7daa31f99c4c6f428279

SHA512
fd7f4c9990371e9ea600135f470355f11110d23933984d44222a899dd6e80eca8847b41bfbe11d8ee81dd5ddf009f6e01159d3a19930740df896d46302c0fe45

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
344KB

MD5
b674ffbfb3e48fb7a3672675321f77d3

SHA1
9b90dd795e579f98a6fb5d7ad2f92183bf000e5c

SHA256
93efad560d24babf791db3b6110df1dff9f8935de01eadb0058130e0eac54050

SHA512
94bac3e2deaf772f03b7d17b4b11fd30824ce1794fb0133be508efa22d366cd62aa830612c08c0a33bae8a0ab0aea166ccc96e2281377222d0102ad2ecccd992

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
344KB

MD5
3dc81f389e52adc456d452d1b2813237

SHA1
06559ee000f9e9e15a9d9682b25836448787ca90

SHA256
e356c7483ab34fcc867c9e4eef18fd4cb0122daa2428151be249671efa29c9bb

SHA512
ff21928222f7688eceb46ffe513feb35c0a1e3a14a9dbe3226bcd309a9e10b79b054303cea03a4050bac616c8297fbd8f5893d484946153ee109d3bfe6532b6f

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
344KB

MD5
cce50d1176a57f461508aa2ea444eabe

SHA1
0ee223bc86e0fbf8b2fba7455ecedc136b9533da

SHA256
0f6cf676cf182b15c7a0a6d9eb5ccd62cab64fb70149772438d48184e9c8e5e3

SHA512
4f6afac3daaf576ff14e8bb918d937415fd93a6d4864f0e6c8ee3218b0a518b840b3ff9941c7d3f612539458227244a1b1e1da48bc34f27660774d894c97a96f

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
344KB

MD5
b52b528b28848df0f81a95a5a78dd3e1

SHA1
e7b008a0435da86163dc4f59c552b3c44a067cc3

SHA256
15c837c13ef6534f503192c0acb8a81648dda9c27db00deeacd154a4d1aa96c2

SHA512
1c2b67b2865231a604fbd2e1b016552a30548571765365b6789a7792b6fb4cc1cb4ee9807c18805352a16d8efcc7f943736e6b153a65369e795a0e81d1d20f5d

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
344KB

MD5
1c351c958aaedfff5787406e6c151c66

SHA1
a587fa3ed17b2ca319beab3941eff8ed0a5918b4

SHA256
7a5a6f5633a0cab4f7e15a90a1d068c5d69cc348c5327f31113bb53a41ddcb3b

SHA512
9e5e5d269114685e178bec643f817360cc40e0d3966383d9a6955dfd23d923a27181edb314a09a9edde647b3b9ba5f4676c3ac8a0510d3e7e6c7d2e58fae7e76

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
344KB

MD5
f19ac07db8fd45464e577008820aeec1

SHA1
6f7f3dfcbd353baa7f7b5c8006a27aabf05e1c42

SHA256
01657884b16f73a8d93f852bd124d9205c69588f257e798d474a7915af1ed6d2

SHA512
c4bbb9b0bf1e75ec4f99ec93d8157dfca1a1968be84d5379ebe01979cfbc9e3a5bc1dd13d044677686b007e1f4c33157f03fbf1aa0a42a7c4ae69799bd0bf97b

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
344KB

MD5
490f0c00ade2f0542314bd00d3de5692

SHA1
64fb5eb087a00e9be48154f26e664448442964ef

SHA256
b56333eb9cfc46f056c1db584ab5e25fb66f6610ca3b74c0f0500986b8380c75

SHA512
8fed867031cf0850c649b66af4628b06eba40566ec337008b2bba8a8ecb3c5ce4f9351c6c674fa8a6f89cf49b7f55069dfcce0c6f3901957443ac78a3cc9bc19

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
344KB

MD5
7e6ffd6c425875d8c65b68f64a242051

SHA1
d32bf649bbb94a12527e40ccf40f9b1aec518c49

SHA256
d657f6621b20c76479ed37644d91f9ceba26ec1cc8aecdc0e7c15472b7863c3e

SHA512
0ea7b6da57d81066bfc43fefa0e53b719510b85e78dd43e096d8b699369ab51292efaaef238e275c6c8f7eff03446699933123806ac64e081b1ec6dfb74a97f9

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
344KB

MD5
e6be63363a0e826538d15b268dc53f2d

SHA1
db1ac442fdbc86ae14639c9f40c4f2bac0ce700c

SHA256
6b7e92d9a83351c09c041541ffc1a956c90f880eb3a3021eb3697382d9800bdd

SHA512
a0e4731b67dc7ad63b149b6b62c4fadc88ec31810e2d2e4bce9e9995580817c5c67028fe395243fcffd1d9c63081be75dac277ac29e7b31dde4c272734f345bc

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
344KB

MD5
e86aa23072c5178d24c9fc2b1cdd3053

SHA1
7a2f97156e505cf8f672a828819a7864bdb5879c

SHA256
a9ad84f2057078f60ae40135de4e56978be2c0e5763e7e2739f0560d6e9f3d24

SHA512
65ce5883936d8bd2a20f44199c8d101b49463282f57ad3f1cb204a1d1d7e459e284e9331b61b83712b2977ef946f79e3870c71752f8fd4bf25f694f059423159

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
344KB

MD5
697132813422521cc69a7756e8c1cf28

SHA1
07015d987086c21d7d2899a25cbad77b79b68ac6

SHA256
020074638bf7474fa8b44431b4da931a44c7fa2bf41c15ed8698303ca36f0b71

SHA512
995956834ecb467db450a59be1bb972586629895513b2545c6adacac62a22f8b97b5252295c248004c9f690b4f947cb79ca2f2ee5bddf991b2406a2804e005f8

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
344KB

MD5
1b971dd51a91e0a9328711e85a0f35e8

SHA1
2e056c725eef3b4cef86079443ef6fec2bbecd54

SHA256
cc909b1861aee774ab47ed878c103eeec270d4236b75ca4919eea6ed50abd2fc

SHA512
9fb4e664b8381f7980c1e34c184c42345acd7ba7f37a82287c4222276ceeb01485a6607313825e288c8e5a4b5d6b32c27768a57faf482452fd26db8773de01a2

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
344KB

MD5
b238e4f9a81b2e041573fb46654420ec

SHA1
d8fee047ab901fd299a0be952d46026491c0b3c3

SHA256
be4f1d94b372e0f9ba35297d144470eaf02202c8a02a54a9ee1f87a68807ab47

SHA512
462d979e8aad00026e4a77b1f76b8150f074d45cff6f8b4344efafedf192e61f2305b20af34c22daf919ffaa464e26ca7fbc74d39372d0fb9c572b2ba1d340e1

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
344KB

MD5
372a00fd3059e9c249904303d06c5826

SHA1
e0a1347abe2c16f529bf92e3c1ea4326a1c6cc29

SHA256
23fa8e438e669c4b0237cca91f53fe5f343f3f2200d24c2fe95f02b19bdbf9fd

SHA512
82492b0fa29f8f4beda1b09c2822f8f68c301153c6abfc80c73e16deecc11eab36c973eaa079998956bb48424875a5bc62817bfe237e64961e1ca81d55a4d2e4

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
344KB

MD5
2867885dcf6c3be6f9c42ddf219e0864

SHA1
57632ea5f75b7523b00991bdbbbbfd25f79a89eb

SHA256
abd925244265e76d7530f873fd937df23180320639fa3a8f045fe0bd9a29ede1

SHA512
fa95078494e0ed647ce79eeecfda499276dfc80f289a5d203a4f706f60eba05101a2d46adf7b7b781dbc4cdef862d205121867e6ed865816e7c7e1a70ce79ac3

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
344KB

MD5
c69ff8de5694fbedbbd3ec416cf89abf

SHA1
33908b2b80281ba3396e5cdc28c5b65e6d49ac10

SHA256
a7bdc3fa42f6ede40f43142da607cdc5d4973d8d14d72a7dcc69c0021361a62e

SHA512
c827fa27eab7667a29bbf5c76922197464ad4705e7bbad0317045f6a1a337a7bec9b115ac01b5ae4a09b933b72b8b9c53dc8a3f5447e62ab62e5d609057a378a

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
344KB

MD5
3d0b1a2d8f516428942e940d50671844

SHA1
6165bbaff5f4bcf64d3fb851e0a940f9002d17d7

SHA256
13ee57a2b6ba2510590762dca402d48bb7299b8505dd627d06cbb5899999a880

SHA512
675c5207b18189faaaf34880e7ba3cf3f133884e024b63036ded30383da56ec79362b243a8ea41c3176057b12261590b2d893ac9ef4082162cc798f45b11ac81

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
344KB

MD5
b807ae02c89a220483f6fe417a470c18

SHA1
2bb7597afff5d8bb9a52217c485d30c5ab34f050

SHA256
7443bc68fd2b0a7036f41964a03ec16c73c4c2bf635057de7f1fc74ee215d0cb

SHA512
f3d5a022f7e2b3f59fb119966baa0d41da021af809a599eb4a9400e0afb69b6014b58e521a214dd47ced7b3e8bb9ba470bbd9cca96141b58e838eb5adc3f67c0

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
344KB

MD5
89bee8525307d0951b2fbf5479511c6d

SHA1
56fbe3391b654e4ad8b9c16e57ccb8876dda9942

SHA256
0017039c8bcd70532a3aaee58bd1df4e62e503d889382f9e144496cf0cfa98cc

SHA512
a92d52cff0a54baf2353470f26b44a3d63f242b3ad30c79dfe5cd3e5fd4599ea67bf4e530476485695e85e510c7cac3b4f34da31a5698808f3396abf2884715c

Download Submit
memory/228-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/680-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/740-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/776-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/920-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/940-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1576-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1868-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-582-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-405-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-921-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2368-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2456-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2508-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-884-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3204-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-598-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3304-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3764-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3784-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3840-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3896-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-584-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4320-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4508-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-568-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4660-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4724-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-908-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-591-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5148-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5196-603-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads