146b8a6e0bb6be5c690873867ed8ab174c1890586029b225437bd4f88eb24fc6

Analysis

max time kernel
137s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

146b8a6e0bb6be5c690873867ed8ab174c1890586029b225437bd4f88eb24fc6.exe
Size

361KB
MD5

dcb4bae82a3d9216392fa351ee4fd59c
SHA1

b7156c84f8a710f125d257e32ae9b35fca55fb9f
SHA256

146b8a6e0bb6be5c690873867ed8ab174c1890586029b225437bd4f88eb24fc6
SHA512

86e8e12feee07f33386cb392c8ac7997ba1658259f0b2f838b2322d72de3740a7a5ce59db548ca10835b061a53f49c28b4942f1770f542003a255dfca0fa4213
SSDEEP

6144:0g+Tkl2l6jsVQ///NR5fLvQ///NREQ///NR5fLYG3eujPQ///NR5f:0xTk8Xw/Nq/NZ/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlegeemh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceibclgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Denlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chgoogfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdbojmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe

Executes dropped EXE 64 IoCs

pid	Process
4956	Ceibclgn.exe
3664	Chgoogfa.exe
1456	Dlegeemh.exe
4880	Dcopbp32.exe
2600	Denlnk32.exe
848	Dcalgo32.exe
3316	Dhnepfpj.exe
2532	Dcdimopp.exe
5116	Dphifcoi.exe
4532	Dfdbojmq.exe
744	Dhcnke32.exe
3440	Dakbckbe.exe
5004	Elagacbk.exe
3716	Eoocmoao.exe
4640	Ebnoikqb.exe
696	Ehhgfdho.exe
3804	Eflhoigi.exe
4548	Ehjdldfl.exe
3788	Eodlho32.exe
3384	Ejjqeg32.exe
4100	Ehlaaddj.exe
2000	Ebeejijj.exe
2056	Emjjgbjp.exe
3896	Eoifcnid.exe
2652	Fjnjqfij.exe
2560	Fqhbmqqg.exe
2632	Fbioei32.exe
3224	Fjqgff32.exe
3652	Fcikolnh.exe
1356	Fjcclf32.exe
716	Fckhdk32.exe
1664	Fjepaecb.exe
4564	Fcnejk32.exe
1956	Fbqefhpm.exe
5012	Fijmbb32.exe
1672	Fqaeco32.exe
2088	Gbcakg32.exe
60	Gjjjle32.exe
3628	Gogbdl32.exe
1084	Gbenqg32.exe
4320	Giofnacd.exe
2392	Gqfooodg.exe
852	Gcekkjcj.exe
1688	Gfcgge32.exe
4664	Gjocgdkg.exe
4852	Gmmocpjk.exe
1552	Gbjhlfhb.exe
4316	Gfedle32.exe
1176	Gcidfi32.exe
1224	Gifmnpnl.exe
3956	Gppekj32.exe
2160	Hboagf32.exe
4424	Hihicplj.exe
912	Hbanme32.exe
4396	Hjhfnccl.exe
3588	Hikfip32.exe
3564	Habnjm32.exe
2184	Hbckbepg.exe
1088	Hfofbd32.exe
2080	Himcoo32.exe
4500	Hadkpm32.exe
2228	Hbeghene.exe
4268	Hjmoibog.exe
3940	Haggelfd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Dcopbp32.exe	Dlegeemh.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Bobgoedj.dll	Dakbckbe.exe
File created	C:\Windows\SysWOW64\Emjjgbjp.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Fijmbb32.exe	Fbqefhpm.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fbqefhpm.exe
File opened for modification	C:\Windows\SysWOW64\Eflhoigi.exe	Ehhgfdho.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Eoocmoao.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ikfcpn32.dll	Ceibclgn.exe
File created	C:\Windows\SysWOW64\Dhnepfpj.exe	Dcalgo32.exe
File created	C:\Windows\SysWOW64\Jehocmdp.dll	Dhnepfpj.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Gogbdl32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Fibgnfha.dll	Fqhbmqqg.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6784	6668	WerFault.exe	261

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqqjmnii.dll"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Denlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagaaq32.dll"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	146b8a6e0bb6be5c690873867ed8ab174c1890586029b225437bd4f88eb24fc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 4956	316	146b8a6e0bb6be5c690873867ed8ab174c1890586029b225437bd4f88eb24fc6.exe	82
PID 316 wrote to memory of 4956	316	146b8a6e0bb6be5c690873867ed8ab174c1890586029b225437bd4f88eb24fc6.exe	82
PID 316 wrote to memory of 4956	316	146b8a6e0bb6be5c690873867ed8ab174c1890586029b225437bd4f88eb24fc6.exe	82
PID 4956 wrote to memory of 3664	4956	Ceibclgn.exe	83
PID 4956 wrote to memory of 3664	4956	Ceibclgn.exe	83
PID 4956 wrote to memory of 3664	4956	Ceibclgn.exe	83
PID 3664 wrote to memory of 1456	3664	Chgoogfa.exe	84
PID 3664 wrote to memory of 1456	3664	Chgoogfa.exe	84
PID 3664 wrote to memory of 1456	3664	Chgoogfa.exe	84
PID 1456 wrote to memory of 4880	1456	Dlegeemh.exe	85
PID 1456 wrote to memory of 4880	1456	Dlegeemh.exe	85
PID 1456 wrote to memory of 4880	1456	Dlegeemh.exe	85
PID 4880 wrote to memory of 2600	4880	Dcopbp32.exe	86
PID 4880 wrote to memory of 2600	4880	Dcopbp32.exe	86
PID 4880 wrote to memory of 2600	4880	Dcopbp32.exe	86
PID 2600 wrote to memory of 848	2600	Denlnk32.exe	87
PID 2600 wrote to memory of 848	2600	Denlnk32.exe	87
PID 2600 wrote to memory of 848	2600	Denlnk32.exe	87
PID 848 wrote to memory of 3316	848	Dcalgo32.exe	89
PID 848 wrote to memory of 3316	848	Dcalgo32.exe	89
PID 848 wrote to memory of 3316	848	Dcalgo32.exe	89
PID 3316 wrote to memory of 2532	3316	Dhnepfpj.exe	91
PID 3316 wrote to memory of 2532	3316	Dhnepfpj.exe	91
PID 3316 wrote to memory of 2532	3316	Dhnepfpj.exe	91
PID 2532 wrote to memory of 5116	2532	Dcdimopp.exe	92
PID 2532 wrote to memory of 5116	2532	Dcdimopp.exe	92
PID 2532 wrote to memory of 5116	2532	Dcdimopp.exe	92
PID 5116 wrote to memory of 4532	5116	Dphifcoi.exe	93
PID 5116 wrote to memory of 4532	5116	Dphifcoi.exe	93
PID 5116 wrote to memory of 4532	5116	Dphifcoi.exe	93
PID 4532 wrote to memory of 744	4532	Dfdbojmq.exe	94
PID 4532 wrote to memory of 744	4532	Dfdbojmq.exe	94
PID 4532 wrote to memory of 744	4532	Dfdbojmq.exe	94
PID 744 wrote to memory of 3440	744	Dhcnke32.exe	95
PID 744 wrote to memory of 3440	744	Dhcnke32.exe	95
PID 744 wrote to memory of 3440	744	Dhcnke32.exe	95
PID 3440 wrote to memory of 5004	3440	Dakbckbe.exe	96
PID 3440 wrote to memory of 5004	3440	Dakbckbe.exe	96
PID 3440 wrote to memory of 5004	3440	Dakbckbe.exe	96
PID 5004 wrote to memory of 3716	5004	Elagacbk.exe	98
PID 5004 wrote to memory of 3716	5004	Elagacbk.exe	98
PID 5004 wrote to memory of 3716	5004	Elagacbk.exe	98
PID 3716 wrote to memory of 4640	3716	Eoocmoao.exe	99
PID 3716 wrote to memory of 4640	3716	Eoocmoao.exe	99
PID 3716 wrote to memory of 4640	3716	Eoocmoao.exe	99
PID 4640 wrote to memory of 696	4640	Ebnoikqb.exe	100
PID 4640 wrote to memory of 696	4640	Ebnoikqb.exe	100
PID 4640 wrote to memory of 696	4640	Ebnoikqb.exe	100
PID 696 wrote to memory of 3804	696	Ehhgfdho.exe	101
PID 696 wrote to memory of 3804	696	Ehhgfdho.exe	101
PID 696 wrote to memory of 3804	696	Ehhgfdho.exe	101
PID 3804 wrote to memory of 4548	3804	Eflhoigi.exe	102
PID 3804 wrote to memory of 4548	3804	Eflhoigi.exe	102
PID 3804 wrote to memory of 4548	3804	Eflhoigi.exe	102
PID 4548 wrote to memory of 3788	4548	Ehjdldfl.exe	103
PID 4548 wrote to memory of 3788	4548	Ehjdldfl.exe	103
PID 4548 wrote to memory of 3788	4548	Ehjdldfl.exe	103
PID 3788 wrote to memory of 3384	3788	Eodlho32.exe	104
PID 3788 wrote to memory of 3384	3788	Eodlho32.exe	104
PID 3788 wrote to memory of 3384	3788	Eodlho32.exe	104
PID 3384 wrote to memory of 4100	3384	Ejjqeg32.exe	105
PID 3384 wrote to memory of 4100	3384	Ejjqeg32.exe	105
PID 3384 wrote to memory of 4100	3384	Ejjqeg32.exe	105
PID 4100 wrote to memory of 2000	4100	Ehlaaddj.exe	106

C:\Users\Admin\AppData\Local\Temp\146b8a6e0bb6be5c690873867ed8ab174c1890586029b225437bd4f88eb24fc6.exe
"C:\Users\Admin\AppData\Local\Temp\146b8a6e0bb6be5c690873867ed8ab174c1890586029b225437bd4f88eb24fc6.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\SysWOW64\Ceibclgn.exe
  C:\Windows\system32\Ceibclgn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\Chgoogfa.exe
    C:\Windows\system32\Chgoogfa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\SysWOW64\Dlegeemh.exe
      C:\Windows\system32\Dlegeemh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        25⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        28⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        34⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        37⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        38⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        42⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        44⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        45⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        46⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        48⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1176
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        51⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        55⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        57⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        60⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        61⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        63⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:228
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        68⤵
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3572
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        72⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        73⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        75⤵
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        77⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        79⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        80⤵
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        81⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        82⤵
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        83⤵
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        84⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        85⤵
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        86⤵
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        88⤵
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        89⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        91⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        92⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        93⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        95⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        96⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        97⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        98⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        100⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        104⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        105⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        108⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        109⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        111⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        112⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        113⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        114⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        115⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        118⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        122⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        124⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        125⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        126⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        128⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        129⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        132⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        134⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        135⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        138⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        139⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        140⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        141⤵
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        143⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        144⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        145⤵
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6404
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6444
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        148⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        149⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        150⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        151⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        152⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        153⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6792
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        156⤵
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6876
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        162⤵
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        163⤵
        Drops file in System32 directory
        
        PID:7164
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        164⤵
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        165⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        167⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        169⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        170⤵
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        172⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 400
        173⤵
        Program crash
        
        PID:6784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6668 -ip 6668
1⤵
PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
361KB

MD5
cac5c9aebc9375a371796aee018b6c5b

SHA1
94fa3b51c36218623331ad7d43594b09757cb6e6

SHA256
395592d14cd1fa3a33ed0fbf7b64138f0a4de2e8591226036044219e46e011e9

SHA512
318ff8596467230224b6a6fbf5d0c2b7d5f7f6f81ef36649e7b1d38e9bc482e7cee967b87484c41a2c66d71f4427f0d5027c6ac15c2b596d94428d853946f8db

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
361KB

MD5
7a7c6c0d27b129257ba6a17e339279a3

SHA1
f7ae1776674a510c612be96a5ee8291a027636ee

SHA256
f05675c3beb30d3053aabfc07eeb4b1bf454acb1f575a806cb70b215d8576f78

SHA512
da1038a88ae5a716d992431a46f9fe4fc388bff37ca2448b1831664fe5b561f60758640ec45dbc970354ef86d97dd9607e5a4611d3de979fc7a757dd02021afa

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
361KB

MD5
fcfe84053a90d7ad1bf951a7d3f8781d

SHA1
21b8df55c32e84234c1efb61d55e7a94b7a2be6f

SHA256
acf13ce0439dfa377d8d5c86fd6d32c725d7ce5333a5895e84f1116b34411ebd

SHA512
4d0da566fb1c1402f6539876c581605885d43c9956cd5c989714fd2da1e95848f088d23807227c48a888fc53c23799647373f39af22512bfce0a53994db107bd

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
361KB

MD5
60f639c53a6455a9262b827f670c914c

SHA1
c14a6b868ae14d67b7d83f558973185c949aab08

SHA256
18755e83555180a964ddc9f18b49280112940b231bf58d6b381919b78822a339

SHA512
d6cbc34432c7dbc39ee9113af0582ad3dbb18b088873ea5060eaf1b75acb3b5aaff1f00e70156a927be195a657674389570a60c34c891a5961f448459ebf684f

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
361KB

MD5
55616eeb518097cf17732bc6fb0a21d1

SHA1
e3f8d715fd06fceacefcca3cc1530de0de00c3ff

SHA256
d5b10449c7d04e56c8ec3e5a5e1524dbc5096b706b130db5fca8fbd87644db0a

SHA512
3748133fe5ddc97fa02698251a558abd59ad95623291f35298218d47773aab1a4e3c8c47915569883ff5c35810d30e28d202ecce3ee2aeb6a97578b8ac7ec1df

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
361KB

MD5
a20c32964009277a379fc5e28bc74c1a

SHA1
823dc3c4bd02c0d9c0f4d17ebe9394b5f6bb3af8

SHA256
19700e9fdd35862919af6732b8542577ef3d3956972cb327f364c954ccee32a6

SHA512
bc6323dc13e2298b571618d028f9f0f09cf25f2cccd66448235c17ade8c0356628f77d80245a7204dbf415809aa2a75f5ea20613807e433807ae2f2cec35512d

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
361KB

MD5
01651cf1058333d64133fbb0507f19df

SHA1
22bba8839f135988038f34090d70e854f88d6023

SHA256
e23e1041855b73b8068bab1b10f1fdfe74c966c6dc887077c4a56a95e3ea8744

SHA512
f6698ddecaa2140c9e47e39db1f9edf16736a082a1ea2656b840b043a73dbb6d94706523f76db8e5600a49d206f6eefe6c40d1c9d9df910d65ba6f4e9db630d7

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
361KB

MD5
7a2664c99d60d7089abcd6b9c4f8377d

SHA1
a005da99b3bff4cffca3b01f628bdb767f6471d7

SHA256
8cb3b263c61f212fcea29513c9c4c7f5e1ee0ce3fae430ec9021bd8800fe42d6

SHA512
3381991dae5fc0504f0496f34b8dbe8c2cccb62411ce67f2600cd199e6dd7049ea43064206dfc8a93b1c57fc40c65028e868405507bcd758047803bde887a9a9

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
361KB

MD5
4e06e0eb35c9be05d8416bcc163cd6a0

SHA1
afb92484af137966649b1ba09ba3630f25151645

SHA256
83221d6b809452817789a0e386be95f005488e9c47c9558396be7464705f43f8

SHA512
b33e676c49543848adf2aa81aa1920438b15d1b0afdfa99f32023f1772760283be83ddc1e7d90a5de7c9c8b30408d802eb8a1c938cd947e5042ac6182cb1c520

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
361KB

MD5
e021776dd77892c128544feb19e7e710

SHA1
40c534d254de3c21b2ba73c7e4daf36233f296ef

SHA256
384fe87521db484cd0ba753197445d0cf9192f9dad2296f2cdb5af1443f3958a

SHA512
deabc6cb0f061b6518a576fe7b019ab44bc81045e80f0b3fb48c1301e6c7a5507a8ec0d4ba45c78c35952b65f838190148f104fd33f10a493c688c5572807561

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
361KB

MD5
98c46077d08b8987de62fe822edbaaab

SHA1
10d7f1e3b9e7308f5e112ca28395ac0ede8d64e9

SHA256
5caf8970a101e71ef0c7ba7a396c74168c07301070e6bb39525444ccd9bfc8d9

SHA512
e6ab8ee9e35625f22fabd390a9ddcfee07e7d8f284b5dc6b7de9f41013a0a0725985de39eedad7a32926013c8ef715b2d70bcb19aab52921cc6bcb3e1a58c40d

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
361KB

MD5
54e20a231fa6e3c00f03ae8ec2e9f0b9

SHA1
9b47b8b10d5b3876a3533c301c4868c1ad8403f5

SHA256
51861c3490afaad24e4822dc9818acd0c2f0206a9a16961d97a4fc90c4e28db9

SHA512
d4ed375a2dd65db6cbe7791963acb700793074eed6f231ee94f1c5bab0b0745d8c98e958a69c1fc5a8727b6b9ec53c2c52e457f7573c6b298bc37864687343f8

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
361KB

MD5
64f51ec6c811f00a06d09993faebfce8

SHA1
afc4d8843a5cbd42b5b69460aed437864dd06fc9

SHA256
fde5f4ac5d24be847f5c1c3da5b180330333ad7a90075736cefa220097237569

SHA512
07bceccce2ce8fb4e6eae48ecf50fd39eb5e57bfb0595e3cf2c3114bd6d7ed339975cc9b251e66d9a51fceac785c29fdb66e43aea8b554748358c8242b36050e

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
361KB

MD5
2c8c3b8fda0c64bf1620bc75a18ee2c1

SHA1
f929cc55184ecb77a1b116de037299964ea39de5

SHA256
e6325be7219b1624c80eb4ea5883e16aee0d31f9e6e962c5fb7eb3fe259279dd

SHA512
831f89d4a206e3388f9c6e1a19a1e51f45f82eb2095ff586fd7a8f640ba8aa4400b100159aeca359e7f3b177be9c8c15116f74e7f0e9217a5522d62416ae984c

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
361KB

MD5
a1e096e9cb0b240dc632eb1bc6f29c12

SHA1
76067a2e396eaba2125d71e8602e7a5ebdb05922

SHA256
37f5e56a519bb7841f2fef2e3105e487768155ce1683067cab02fc53091610f7

SHA512
3e1930d12aaf66ddae8a8f447defa330404432a98d43333fcdbeb0eff1f92949bb73e23c278e1bc0e358c37510e0de2ea9c6695460968c384087f01fc85b5c97

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
361KB

MD5
0b41bc5041d6aceb96bb014df1c58e95

SHA1
9a8524cb3e789aae9f2fc6b64878358532227f02

SHA256
219e925912b23121e7c474fca9c2a7685c1515f83282aa0921ad107601fa6e22

SHA512
67f5b812a5bc2512d0b1697ae7df55e316c74325088757230e8dde260371e39963b4186817fa391a39c95b39dc1fdb4b312820021afe2c8469131c559ae06463

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
361KB

MD5
39805f159a6eeeb21f886fbfb5e0be2d

SHA1
ffd9cd480ebb5d3f696ae878149efacb0731b278

SHA256
bb47cabb9b4b9b5d8d22ef6c7dd0813e1762af85e9d2282ba63bb3319eb4e0eb

SHA512
6126288c35cc0d58e2a988dee033ea721a62bcdde51a98b478958a9a3aa5527cc9b20c43769214d89063a9dfbfe58de0486597fc8d4395aeea35dc6e23936dcf

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
361KB

MD5
b5086e315c2caacb6a4cb013d3611575

SHA1
7af40e5d3f3796ec912aef1a4ccc287b48213a2b

SHA256
885e88f96667a4bf323f12f6c7a0267b5bd141aa0b72c08b4b30df4afce38d72

SHA512
c61f77fc7dd47f0fff14b658b96522ae54de0887829ca17486f92f854ee6722ab61c24b19cab5f724bf03b5f653015c8692aa4ccf78824f931626edd0e670700

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
361KB

MD5
4d55fb2dd2e9680974bf29a70d697934

SHA1
5d3c07960bb47a113cb3802287b2912ec378efb8

SHA256
62fdf7cab7d9d34d9abd144016520813eec118fe9c33941d52d5de593f3fb61f

SHA512
d912de690a5fe308a2cdf37f717adba601560e3d619c0699b1eb7ddf613eb3a5148cea17a4fc044d7517341c779c778cd6e743fbcd794d6224cc48c0b4bd0390

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
361KB

MD5
2d2e5fa8a5bf2f9a1bf993801ecc2fe4

SHA1
17ee73619768e191b51ff8efba18f643102691b1

SHA256
b4b522909c6cf67a2745af55136d0f5925d0bb958c613f6712014fe13ed916d6

SHA512
c6aed4254e3b143a4d0b48e60b4ede8464e4f0f3933a96fe8106da0526397d3c837325b517946ffb515217578ff44021b78033340f26e29558235b17542696ef

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
361KB

MD5
6e4a268fbe3118f08c2eadf5c5662c3a

SHA1
953b74456798db14ea085ca0b2591acddbc6c924

SHA256
fe270d98573cd9bffa661c219404c94e8aa69c8fc899e915735b31280398a889

SHA512
dad4e0738023708b73171ea17e1333626137f8909f672c8c42b98c2ad1a31722fd7ffc02708d57b24a641b2fe67ab5669359ecc0937dfe5de14726e4a5018234

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
361KB

MD5
e357412bfebf3115d82703159458f751

SHA1
e9ed8074f9fda9e40a7ea26a1a2ba7cdfd04b109

SHA256
fe37dd574ea3f4e3007b9a191315164917bd53ccdb8c2fe29e84ad2e60f46198

SHA512
3fa4d8d39481c232e17ecfaec278c5ec026d3a2ec1b0180577c5a7453035c211e6a1410ea72353013ad4daa6152e671869e4995e0b24aea100e755a095d072b7

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
361KB

MD5
de4e2c7ba765b7c1da174dc9639f7090

SHA1
40b54d563cbdfebe8b071cabb53f5acf3ae3074e

SHA256
d7548c8d9c832a09ec82047d90d95cda43b07e7fc6dcdbacd8bd8168206e285e

SHA512
249a3545c6b95e74d8be986ed3b76b9b010a2787de9aee63d7afde895b7cd58c97315ae8e250c8190273d56e87e37ed11281cdfd6371e3c12dd446d9c07965ed

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
361KB

MD5
8d8ac4d65c48f585f26388256ed7c021

SHA1
ff99f491ae3d1105ce2bd5103e67c84d6a8685b9

SHA256
92c049b2fb1aa89d58108bce2bea5c5f6d13d0eba94e473c4ee129961bf50782

SHA512
0cbefe18a391eb0c3866eb52f12fc73a225b2e1d60504b2e61997d9a51018f5463b25b0584c6cce201baa03519251a54735b4345a696742bc11b6409eb9027dc

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
361KB

MD5
612ecd06b400e9929f8241eec4a1d9a5

SHA1
6a02c7cb39d575663cc4fc44379e721184565ae4

SHA256
0b6c9ee39a71e63115c2dee00c4f8511fcc6a5a280d4a19a8a51c41be60fdc70

SHA512
2a97bea280a97d41f7e8eabd9138cbd0cc43b6d67d189602c15813e5658cea3870fed5373cc2509692b649fa039af1901e53687cd1edd8a3c1548b24e3e68f22

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
361KB

MD5
a91026fea54c7ff8dbf37a9be6668c1f

SHA1
35d40394379a0b96917d2aaf351adc92c10c32b1

SHA256
50c65dce49819a2e5a8654d95bb0e0de877fc6ad0304934bd01ac0a1d36aebe0

SHA512
72391ee439cb91beeae4f440434310ba9766316a22f99ae89253db92a2ffa6345c8f32a8884ce46c2d180ca9d86bb07588e5e3856f7822573f2bccd6be2667a0

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
361KB

MD5
17bc3c4513353e46dfbc9bc5083c086c

SHA1
9419756e3697fbd704b081a08383ba7f02ad156a

SHA256
6fc63eb79209c6e46eac2790231ecc7e47caeceb502509f64480f3a746352098

SHA512
8760eecf52198af8ace22b909c6e23cba29c5cbcd593725d84b1a76888a2d850fdafd06af3cd96dd19fef058743023c9a8d335eab49cd483241d9217863b04c0

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
361KB

MD5
a9424f87166c6cf6bd3ca5640da55013

SHA1
3c1abffc3644878a7ab8c8a06bba3cad359d3f74

SHA256
f62f6da49cbf176033a65ed0cbce0f9bf3b6e4c262320a497ca300834f306627

SHA512
f3f0429121278942dfcbb9c47bd4af6f6965421a2731ea8f645be2e7a75fd4679118ac21f9d341621a10f82991362640caf185ad5da2bb20d77655e929233968

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
361KB

MD5
aa8d5adfdce572baecf9a18f9d6e883f

SHA1
4ac52e8411f31551a4db385549a3e428daba1e35

SHA256
e9e078658d4a86bd9260668dd022eed2dbc549fe1585fbfdee995b8196e3c00d

SHA512
7ea2301677656c7cace986305aace20aa7d83e9d4a215f30b309aacf01e4d608b5bfce76688b80c8c58784a11f075b0f2dd408e48af67bcdd3b2864f1ab60178

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
361KB

MD5
a5fca6dba9d4d584f80ce36f34f52d1c

SHA1
c3691bce67382c2ae8711fd3e2f9faa7f662f990

SHA256
633c91a4d67a5d693dc8766e5a4920f0427ffe4aeaacc0b65a287bfc36d6766c

SHA512
a7730b5934bb9bbe37b97d0bcee1d6b578933b42c9f17fb22c1a60701f4ed3159dc9b8779b6c617059a60e5a23d1a9932b1001f2d943c15225f4dbc19268aed1

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
361KB

MD5
84fbfa511214e8c32fd1bb77f7747eea

SHA1
2bd513f7ba13a5b1da4a7719bad753481ab8c09f

SHA256
91d4908c64b19aca2d444effcc35fbd03d15a14cd9b6f29f43b60b5a4b6c2373

SHA512
d43ba054205e54f0412e821eba33a6de0dd2c64fe424ecf2ecb590af03b7303dca40c3ffa64bc7240873b5b8e39e9c5e9c2b2fb05e4144d312ea7b6b713b0226

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
361KB

MD5
79cf6856ae9abf11aa700c1bbe7a75d8

SHA1
a83ac1b66eb4c03ad1f08f611113eb52d2ea99e5

SHA256
cb731f26fe4720bf82b4aca27c03f17ef2e0740837151b9409053a16f48ac14c

SHA512
92ce90a3cd651348f264ef8d355852f8a35be83e9962000ce11122ffe08bf6d5c4afa83c449953556c830fd635caac3733b87f038eafc4e9454e3edf1c52a113

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
361KB

MD5
3d2360e511e01a593136645c209a45fc

SHA1
b7f4942507756901d8b53d1784641ab1ff7413a7

SHA256
2a64da3a1744786bd0441d7a8cd31ab87700ce95412f0bedfb715237288602a9

SHA512
55ae5a5409fc5c077ada6d58a8b17a9c93baf963db17c56c7acbe8478d085ce32ba78ebc8a15dda3537b1ca8dc9b7604f0848862ba5cf6aa55b3111714c282da

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
361KB

MD5
903e1d8f458107d86c69712edbc29c51

SHA1
af9d9d0183b242017d513c219219fdd2605322f2

SHA256
021ac60db6ef4f30439540b9d19bda8f4ebe1bb254efcffd1cb5b30c14b96860

SHA512
703b90f9484be91959dd6cd36a012095570b5ec04fc4ab682aedc48786f444cf6c85e0b9bc5ccaa94488bfd78eab0c2a0bd2338e941efa8f2c96f55a8a96dc66

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
361KB

MD5
9bf33b0519b92a6499f71824acad7ac2

SHA1
9bb58b7f3ccab51456dc88c74455a53d2846d0a1

SHA256
d1fe93cf0d53e91858b38d35dc9ebe2cde829102e6705f5bb0c909299a116e86

SHA512
93774f435750147e7ef79eb9448b6a7ed97f0962137f42bbaa363c5ef7df617b20b291807eb862cec2524a93f3176b27fd5474445b0a2022ffb972bb85ac6d02

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
361KB

MD5
dee267447d08ca2816a0606e5101e9cd

SHA1
bf1d7ddfb80fd232a8cc3e3d19562b1b9a26a4d3

SHA256
d4de1789c02edaee6fced50627aa2e17b0464e7409184bb0c4d748b8e0baef38

SHA512
01cca377bb65166db1ac5e4d2bdb8e911ce869acc387116fe1008c66f0267ca02dcb51fdc97849605915fb330b694e8f83f0c9c8f1bf88b2d4f61ed7a8158512

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
361KB

MD5
a38353fc9982e9124a8d3dd33712695e

SHA1
e4bb30f4b89971b5aaf311d9a807796f7e78c8a3

SHA256
ba15daf0cf6a10c53969b60e1568bb964df10e0e6ffbe453b3ccb565f020e9c7

SHA512
75ea209c918b4153ac27db8b9f30b396b4c03625554495c6e41a4258e06af0cb1d4b693f63663ebe51281c58a4c29df5d287b8dfc45e4f75ae34243950873cab

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
361KB

MD5
645b5fd519acd8ece321fdbb22112b9f

SHA1
04a16b6126e61efa07a4e92d71881ef70a26adb8

SHA256
9ae19f00329b8e78bd5eda042cf589ea599d203bac6021cf85df74ff26ca0c6c

SHA512
6c969edf46d87f86041d7d812ed0039d1c1be76aeada22619c7f174696c59866297eb18413f48407ba2de9cd1273d6abb7e46be9dad11a0b693efc898b91a50b

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
361KB

MD5
62451a79613f8d56565f46e45d292a87

SHA1
90913647e74d4af939cf0d0b77a52193f0e94bdd

SHA256
a5a885ea19c0a976610fe4dc4c969f45bf86e7d5031878816277239a0a4ea2f0

SHA512
27539b105fd7de9a7a17d21c1bb93cb0e98d5f65672a0c0253ce70da212fb30986c3f7f57b3d3ada0307cbce9473a8398f923b382aa6ec5f14ad9fd4a9ec7966

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
361KB

MD5
fed7a96ed6653c337afbe30be0c12d6a

SHA1
f08228bcb459119efae0bd74a5b90b1518f62910

SHA256
10c2a1c09b3ed34a33578128055a5723c8a2a26796daf8463a48d74b41826775

SHA512
0aa0ab0610f299ce32af07de3ca9077a4c0812144cab2a9ff3fdd8baaac907ffb30a286ae4ad94a8914ae20d69fc50c52302b7a87e36b446807144c7d6cb08f5

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
361KB

MD5
51a519171c96e3792e97f54d7ec0dbf7

SHA1
da103a727645994da00bb4f76d5798515be573d1

SHA256
f96124abb21ad19613be8adf2473d7289d03d76a979c4cd793bf4a9a9d9e873f

SHA512
1e540643c3df0df5ff952ca94a72156c0732558b159186cdf921507f49aee744d01e9ba979da907b99ba2017b298457d30854243b19376bb82eb4fa9147dd0fc

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
361KB

MD5
db2f5ffbe3034a5008c8d90195af70f2

SHA1
ecf29d626d35efb0e044bc462fd00b4fd0c7192d

SHA256
d5b14dcc4d13d30af52d25ed4465b42c889ed6a71d6c88c0a40846383f7dcf52

SHA512
486e692069ba690f6fdd6b4f439354953ead860515ff5ddea80775cc6840679078838f4a3ef2c66d0244d755c311116e8bc8c7a3e93e4fbc0144bc4e353cbd3d

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
361KB

MD5
46a72e588cbc329a9fd2ad36415332d0

SHA1
dc9d015bb9ceee90e0593f89e3a0d109450ab07b

SHA256
e1a9cedea8a39bbac23765a501e2d84671947cf3277e10420c3b0fc7a1196aa8

SHA512
02f3e8caf726810a13611e86187c91ac528699e1f00c87721d8c5e6eb2d1aa26661d48f38d44f52bf49ebf3d599cc1462275a4a35cdd7a9a7221837ac16989b0

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
361KB

MD5
8c6663b1bc16cb9e48eb1ebac70698ec

SHA1
1c8035cf112844a9508179012525565c746b647b

SHA256
8a6e9df1ab3e7cf0c0632ba59f26581ff370224ac1c33b1375333be26f2175f8

SHA512
da8eec6f8e0e0cc5acd88431209896de01cce576829f23f20cacb6f7b06e15c4d3340cfdcf7d6d5919d74bedaef70cd4aabdbbbfff79bfa02a01983ca55a9c2b

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
361KB

MD5
8d4e26da50b60359df18f06038b24e9d

SHA1
e33f1c7271a0c9d7c27ed8a61c34390eaab99242

SHA256
6d9394484fbf00bc49cc5331e72f30702de8beb11ee6fb3508d3b45a6d9add01

SHA512
bcaef3d9723e9217f7293b09caa934849b2ebe78d66c6c16e93298374f5712c21a05d696655698fe81084111b5a6088485485f082ae8c3df1340b67609dbb454

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
361KB

MD5
98684bad74b0c8f519a62bbe2628fa64

SHA1
5aa95539d5964682068062f1efe6091568a9f565

SHA256
104402c30d12c5d82dfa9ade765398a8de9ead63efc6a79a4515039467c64d67

SHA512
6754ab000b0245c9ff457ec099cb660bbf2156898d25cc9b7193a4d9beea614ec6d06c6c15825c73476153224a9c160d276d5f874aa5bea3cfe4195ce30652f7

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
361KB

MD5
74e4614257f99ed5edf158e4007f1a1e

SHA1
e18f1ba9d3d85a6606f7596c0c42f51dfc8c0572

SHA256
47351a337658b3f6088423505a383c7493c30d7e9068f54c6702ffe517fa72d3

SHA512
dfe86e9695efaaa1c217e1117acc55edb27cf76725972111dd03ae4d27f258c4a37ff76cd539db9df672f55caa7568d42247df2dd3078bb4932d6ead08b2e096

Download Submit
memory/60-291-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/228-447-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/228-1319-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/316-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/316-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/316-528-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/696-637-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/696-129-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/716-248-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/744-89-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/744-606-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/848-49-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/848-574-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1088-417-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1176-355-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1224-361-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1356-240-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1456-554-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1456-25-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-343-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1664-256-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1688-325-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1852-535-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1956-268-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2000-176-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2056-184-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2064-568-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2080-419-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2088-290-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2160-372-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2184-411-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2228-434-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2232-505-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2268-516-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2320-546-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2392-318-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2532-590-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2532-65-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2560-208-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2600-567-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2600-41-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2632-216-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2652-200-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3224-224-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3316-580-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3316-57-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3384-165-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3440-612-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3440-97-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3564-401-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3572-476-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3588-395-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3628-1370-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3628-297-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3652-1391-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3652-232-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3664-548-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3664-17-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3716-117-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3716-625-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3760-459-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3788-153-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3804-141-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3896-192-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4148-456-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4268-436-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4288-555-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4316-354-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4320-308-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4396-389-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4424-378-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4440-470-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4532-85-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4532-599-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4548-645-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4548-145-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4564-266-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4640-121-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4640-635-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4664-335-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4664-1359-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4752-526-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4760-488-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4848-529-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4852-337-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4880-565-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4880-33-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4956-13-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4956-541-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5004-109-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5004-624-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5012-277-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5064-504-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5084-486-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5116-592-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5116-73-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5136-593-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5184-600-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5268-613-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5500-639-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/6096-1207-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/6740-1142-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/7164-1125-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads