527470a38e0144ff8ee15761a4eac1abaf152b89cb7fe12c379a358785db8ff5

Analysis

max time kernel
138s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

527470a38e0144ff8ee15761a4eac1abaf152b89cb7fe12c379a358785db8ff5.exe
Size

80KB
MD5

455bd68407ca57fa378a9411961a5732
SHA1

bafc4b2a4f363db2e8b4ace9d4e28e6a108e3976
SHA256

527470a38e0144ff8ee15761a4eac1abaf152b89cb7fe12c379a358785db8ff5
SHA512

db9a82b9def1e99f119ab86103bb65e96da38e65887616950a462905d4dc364038f79aa77bde88c2b840e608e14660c8e4d9457018340b649904ed4e70bf2481
SSDEEP

1536:ASMhp3vS1YeFk9YYV93HjPYbZkXK2L9/S5DUHRbPa9b6i+sIk:CNK1YJJVpimXJS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	527470a38e0144ff8ee15761a4eac1abaf152b89cb7fe12c379a358785db8ff5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe

Executes dropped EXE 64 IoCs

pid	Process
996	Lgmngglp.exe
2148	Likjcbkc.exe
2156	Lljfpnjg.exe
3236	Ldanqkki.exe
4296	Lbdolh32.exe
3024	Lebkhc32.exe
3332	Lingibiq.exe
3664	Lphoelqn.exe
8	Mbfkbhpa.exe
1608	Mipcob32.exe
396	Mlopkm32.exe
4952	Mgddhf32.exe
1132	Mibpda32.exe
2916	Mlampmdo.exe
620	Mckemg32.exe
4992	Meiaib32.exe
2576	Mmpijp32.exe
3056	Mpoefk32.exe
3452	Mcmabg32.exe
1056	Migjoaaf.exe
1116	Mlefklpj.exe
636	Mcpnhfhf.exe
1752	Menjdbgj.exe
344	Miifeq32.exe
3248	Npcoakfp.exe
3076	Ncbknfed.exe
1652	Nepgjaeg.exe
3876	Nngokoej.exe
4428	Nljofl32.exe
1840	Ncdgcf32.exe
3260	Nebdoa32.exe
1700	Nnjlpo32.exe
3316	Nphhmj32.exe
5040	Ncfdie32.exe
4264	Neeqea32.exe
4808	Nnlhfn32.exe
992	Npjebj32.exe
1380	Ndfqbhia.exe
532	Ngdmod32.exe
3956	Nfgmjqop.exe
1860	Nnneknob.exe
4020	Npmagine.exe
664	Nfjjppmm.exe
3504	Nnqbanmo.exe
4000	Oponmilc.exe
1396	Ocnjidkf.exe
808	Oflgep32.exe
1040	Oncofm32.exe
1488	Opakbi32.exe
3780	Ofnckp32.exe
4408	Oneklm32.exe
624	Opdghh32.exe
3840	Ognpebpj.exe
4976	Ojllan32.exe
2120	Onhhamgg.exe
2024	Olkhmi32.exe
4184	Odapnf32.exe
3640	Ofcmfodb.exe
2676	Ojoign32.exe
1264	Olmeci32.exe
3488	Oddmdf32.exe
3116	Ocgmpccl.exe
4364	Ofeilobp.exe
432	Pnlaml32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Empblm32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Meiaib32.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Hmphmhjc.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Lgmngglp.exe	527470a38e0144ff8ee15761a4eac1abaf152b89cb7fe12c379a358785db8ff5.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6460	7048	WerFault.exe	273

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	527470a38e0144ff8ee15761a4eac1abaf152b89cb7fe12c379a358785db8ff5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 996	2004	527470a38e0144ff8ee15761a4eac1abaf152b89cb7fe12c379a358785db8ff5.exe	87
PID 2004 wrote to memory of 996	2004	527470a38e0144ff8ee15761a4eac1abaf152b89cb7fe12c379a358785db8ff5.exe	87
PID 2004 wrote to memory of 996	2004	527470a38e0144ff8ee15761a4eac1abaf152b89cb7fe12c379a358785db8ff5.exe	87
PID 996 wrote to memory of 2148	996	Lgmngglp.exe	88
PID 996 wrote to memory of 2148	996	Lgmngglp.exe	88
PID 996 wrote to memory of 2148	996	Lgmngglp.exe	88
PID 2148 wrote to memory of 2156	2148	Likjcbkc.exe	89
PID 2148 wrote to memory of 2156	2148	Likjcbkc.exe	89
PID 2148 wrote to memory of 2156	2148	Likjcbkc.exe	89
PID 2156 wrote to memory of 3236	2156	Lljfpnjg.exe	90
PID 2156 wrote to memory of 3236	2156	Lljfpnjg.exe	90
PID 2156 wrote to memory of 3236	2156	Lljfpnjg.exe	90
PID 3236 wrote to memory of 4296	3236	Ldanqkki.exe	91
PID 3236 wrote to memory of 4296	3236	Ldanqkki.exe	91
PID 3236 wrote to memory of 4296	3236	Ldanqkki.exe	91
PID 4296 wrote to memory of 3024	4296	Lbdolh32.exe	92
PID 4296 wrote to memory of 3024	4296	Lbdolh32.exe	92
PID 4296 wrote to memory of 3024	4296	Lbdolh32.exe	92
PID 3024 wrote to memory of 3332	3024	Lebkhc32.exe	93
PID 3024 wrote to memory of 3332	3024	Lebkhc32.exe	93
PID 3024 wrote to memory of 3332	3024	Lebkhc32.exe	93
PID 3332 wrote to memory of 3664	3332	Lingibiq.exe	94
PID 3332 wrote to memory of 3664	3332	Lingibiq.exe	94
PID 3332 wrote to memory of 3664	3332	Lingibiq.exe	94
PID 3664 wrote to memory of 8	3664	Lphoelqn.exe	95
PID 3664 wrote to memory of 8	3664	Lphoelqn.exe	95
PID 3664 wrote to memory of 8	3664	Lphoelqn.exe	95
PID 8 wrote to memory of 1608	8	Mbfkbhpa.exe	96
PID 8 wrote to memory of 1608	8	Mbfkbhpa.exe	96
PID 8 wrote to memory of 1608	8	Mbfkbhpa.exe	96
PID 1608 wrote to memory of 396	1608	Mipcob32.exe	97
PID 1608 wrote to memory of 396	1608	Mipcob32.exe	97
PID 1608 wrote to memory of 396	1608	Mipcob32.exe	97
PID 396 wrote to memory of 4952	396	Mlopkm32.exe	98
PID 396 wrote to memory of 4952	396	Mlopkm32.exe	98
PID 396 wrote to memory of 4952	396	Mlopkm32.exe	98
PID 4952 wrote to memory of 1132	4952	Mgddhf32.exe	99
PID 4952 wrote to memory of 1132	4952	Mgddhf32.exe	99
PID 4952 wrote to memory of 1132	4952	Mgddhf32.exe	99
PID 1132 wrote to memory of 2916	1132	Mibpda32.exe	100
PID 1132 wrote to memory of 2916	1132	Mibpda32.exe	100
PID 1132 wrote to memory of 2916	1132	Mibpda32.exe	100
PID 2916 wrote to memory of 620	2916	Mlampmdo.exe	101
PID 2916 wrote to memory of 620	2916	Mlampmdo.exe	101
PID 2916 wrote to memory of 620	2916	Mlampmdo.exe	101
PID 620 wrote to memory of 4992	620	Mckemg32.exe	102
PID 620 wrote to memory of 4992	620	Mckemg32.exe	102
PID 620 wrote to memory of 4992	620	Mckemg32.exe	102
PID 4992 wrote to memory of 2576	4992	Meiaib32.exe	103
PID 4992 wrote to memory of 2576	4992	Meiaib32.exe	103
PID 4992 wrote to memory of 2576	4992	Meiaib32.exe	103
PID 2576 wrote to memory of 3056	2576	Mmpijp32.exe	104
PID 2576 wrote to memory of 3056	2576	Mmpijp32.exe	104
PID 2576 wrote to memory of 3056	2576	Mmpijp32.exe	104
PID 3056 wrote to memory of 3452	3056	Mpoefk32.exe	105
PID 3056 wrote to memory of 3452	3056	Mpoefk32.exe	105
PID 3056 wrote to memory of 3452	3056	Mpoefk32.exe	105
PID 3452 wrote to memory of 1056	3452	Mcmabg32.exe	106
PID 3452 wrote to memory of 1056	3452	Mcmabg32.exe	106
PID 3452 wrote to memory of 1056	3452	Mcmabg32.exe	106
PID 1056 wrote to memory of 1116	1056	Migjoaaf.exe	107
PID 1056 wrote to memory of 1116	1056	Migjoaaf.exe	107
PID 1056 wrote to memory of 1116	1056	Migjoaaf.exe	107
PID 1116 wrote to memory of 636	1116	Mlefklpj.exe	108

C:\Users\Admin\AppData\Local\Temp\527470a38e0144ff8ee15761a4eac1abaf152b89cb7fe12c379a358785db8ff5.exe
"C:\Users\Admin\AppData\Local\Temp\527470a38e0144ff8ee15761a4eac1abaf152b89cb7fe12c379a358785db8ff5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\Lgmngglp.exe
  C:\Windows\system32\Lgmngglp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\Likjcbkc.exe
    C:\Windows\system32\Likjcbkc.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\SysWOW64\Lljfpnjg.exe
      C:\Windows\system32\Lljfpnjg.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3236
      - C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        23⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:344
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        32⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        33⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        35⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:992
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        46⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        48⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        49⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        54⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        58⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        60⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        64⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1424
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        67⤵
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:412
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        69⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        70⤵
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        72⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        74⤵
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        75⤵
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1912
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        77⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        78⤵
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1788
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        80⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        83⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        85⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        88⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        92⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        94⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        95⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        97⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        98⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        99⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        102⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        103⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        104⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        105⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        106⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        109⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        110⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        111⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        112⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        114⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        116⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        117⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        119⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        120⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        121⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        122⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        125⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        127⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        129⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        130⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        131⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        132⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        133⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        136⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        137⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        138⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1472
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        140⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        141⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        143⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6420
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        145⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        146⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        147⤵
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        150⤵
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        151⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        154⤵
        Drops file in System32 directory
        
        PID:6880
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6920
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        157⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        158⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7100
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        160⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        162⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        163⤵
        Drops file in System32 directory
        
        PID:6360
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6500
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        166⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        169⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6876
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        171⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        172⤵
        Modifies registry class
        
        PID:6996
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        175⤵
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        177⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6724
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6864
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        180⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 404
        181⤵
        Program crash
        
        PID:6460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7048 -ip 7048
1⤵
PID:6252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
80KB

MD5
0a53a3337fb12fbd5b191941deba9b53

SHA1
b05efa5ced517efc51ea83abcd1e23af82c4e063

SHA256
9e7ea0542875ea2f3ee2a6fd2faf36fc1647221f5214d8e68fc3fc63e1da0824

SHA512
efe3efdd3894a02c1210b5c70d27cd5ca762425180c5775f719d1647661addef994874c31155c4db36156c1ac4ad03c67c0aabb48aa3c7fcd2deac97b36e29aa

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
80KB

MD5
d27efed52975eb33859b49f180bb43cb

SHA1
359463c88f1e88c9d370f583610b2c8c008b82eb

SHA256
602b786be9fc856fdbdbbd0ea3dc6fe8a221e8a3b59650d88a58dd8e2b98778c

SHA512
b575110085b39e8a066438ac4578c983e4ba7cc6f47192c8f36b23fa8a79201d897ae0e4cf085adb37f2a0cd74f0120f2906192d08a35828b16845dde62bcaed

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
80KB

MD5
ba5c4f6c1bdc364faaea33f2df140296

SHA1
c8e74082be0b27b4793c27aefaedd39af192654a

SHA256
6c4098e4e18217a73821d9c2458da4074c06baec9168bd839acb077cca8e2be2

SHA512
36d5caa458071748fab99a7f3aab9b2997cebaf27f8ed936785a220b955b67a47aba1c13b0c6c42659647295221dac3c8370eecd4914de813422a6f3bfae48c6

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
80KB

MD5
7d4d153f2887c452aed8a6d4f63e05b1

SHA1
a1ede3054c2e58e17cfd78db90b1fae233fbd056

SHA256
976cfcb2a918c8500a3068e892aa4a9454176ae6c440858c027c2884b36da1fd

SHA512
59cc8299a78b9c42b5b8bb51039b4a0023cc355c2668b11535d91d3b06c3cf2402c78787d403dcc9661751b348463b2f29584907e6c2f4a3ed621a54cb73ba4a

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
80KB

MD5
c556c21329a81d56903c4910aef669fb

SHA1
9597fa29372374dcedfb22014551763f551ebbd3

SHA256
3294348e79ed2584f2193fa932d83b35418c3de0f7bb7dc0d18b93603a2e0be6

SHA512
9df0e1b5be11b3263115ad7b46a18e3a80f8a6e6d0cc6849a63b7977ceb5fa6ca9d348a8cc4bbfd5a5d4c9c6d059be1f4030d002753d47cb3cb9100a8b9b1575

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
80KB

MD5
3548a341389060661b20c1bbb3a65e8a

SHA1
669bf60c71385b0509ee7dcb4869cee728d13085

SHA256
fd868bd493c6549cf70fe9c6605d31b5e372d32755bf242d1999f49294009a17

SHA512
a0980b6d1948b9efbc42295f7e6790acf51e614d7aa992a9593aa3265bc3a3ffd0b2c14af41fda9a87013a0f3e6c0a1a481fc0a2bc20073c58370a615c33e67a

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
80KB

MD5
ef133c8a23eaf91bb41a23ac98b2447f

SHA1
4e3b913621fde370f67bfae2fa527f32be8ec0f7

SHA256
0c03900ece586aa73aa535090aaff8fc226444783df9992ad028802f97011022

SHA512
e25d77b79c3b298f91c7281e110cb1b01d62b0c2e06d6826c47de44797a83178424d38f97afe3ac72b65ccf4560d0471ce59552af92198c13630b2c9c7d66005

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
80KB

MD5
46c3a3c3be78d1d8a6b1a8d853675e40

SHA1
9cd13827e81ccd75bc5ecb983b8b3b60ca10c9b5

SHA256
4dbfc55178813856886d7314d1f1bfa0e23185b85c7a2d07bf7996cf98ce5ec1

SHA512
a10b753dd8fc37f8fdd73acc83c106e5d704619d1e111ba98a8ccd2e58cb3fe71144c04b428cb885f4ef15e3014c45d7dcf5a43cc88d763495fef32b1143c28a

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
80KB

MD5
38eb8aaee73e02c378c9f1b4fce96a74

SHA1
2841e9b62a25a99ef7394b03aa6a696850d99468

SHA256
d6c1666ae60cd64f30a7dc610cabf0ee3bbbce6bd05af94e3dbf46c943c4baef

SHA512
690b4308576ea95185ccf0d30fbc65207321ac8034f29125b43743c100c764778a24cefe0c0717a763cb4f3efcfd2d5fd94c749e6c25f470995ff5b0dac616a9

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
80KB

MD5
1e2aa8406decfbe401ceac1755d07bf4

SHA1
86395d599f7e9b6545e52645ca726f2b98abab71

SHA256
e310606e0fedef1c441f23045342080a60d2346ea80a2d54e11c7b6bef618ab7

SHA512
85aaaec9e6c5b01e29b76a15ee766b218a9dbb167fde2494475a315f0ce514506c79ff9b7c2de8ca8c4ee63f0c4a5e30d3bf4e9cdab4094f3bd7df7414069a16

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
80KB

MD5
2d9f59f2c872709917ba31a180e4577f

SHA1
8f2ddfc380d1f5ff8914325ebf5d7ec42655ce2a

SHA256
197d43b680d9ae51c32308ebac31dcc69882406193d843741ca22df849b8c04a

SHA512
d2d103b23bc4f705882d09d7449062d30aee961e27d1eb43d00c9e6461ae71d113a81d49555ff36908c643da469691df4cee44cba38e954e19d4d5eca773f574

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
80KB

MD5
5780f47f7c32c395d442e2fd973d66c7

SHA1
bbb2a318e76f8531715c673567ff4657e5015fc6

SHA256
2107940c06403f8eeaa67177e260922bdfeec228301cd3e909466d22d4903900

SHA512
3f37645b637e8e01885923ebd662cfd18df07a95237b531f3a2fbb895668b2d8490d2041a7369f440a37df3a70e8f452b23733526ecad09158688817fcafe59f

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
80KB

MD5
5d9067c28c436108c4345549b8480d09

SHA1
10ceba7daa92aa2d5d89549384b2fc4afe8cdec0

SHA256
aebc11e3b52a44f57132a01b996e61a5fc0330f6156fc6c45379e7b9bdcfc623

SHA512
42ba25a4327ffe8868c8fb197a0651ace586b4ddb6efc520be382a9171cbd6f192cc5ef03180a6de553e7e2c8ab9cf95a9cb4d8bd279ea47d9740d3b3a587d73

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
80KB

MD5
307be1995d8f15456041f2af81b24cc3

SHA1
7c6ccfbea9b4b151af3ba684d678c8117e445401

SHA256
f0d4434e487a1b4a47eda5012fc856b966c26365058f4e25c45122574ee8e0b6

SHA512
407ea5873fa84e8f096fbe8cf0a3f92f751f844dad8f5bdd6556f1bcf2e3b66ddb69781d9793a0e1fc6dfe91754822f3e50ba7d1a0c2eadddb10aa4eaa23b897

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
80KB

MD5
6091677f85ed915775e15a89421285fd

SHA1
85b88c3b0acf3d153bb8cf7bc5088780ede57589

SHA256
3d58c759886007a6029dc855262ab40e69242a3f6de9257a449ad5c4cc27829f

SHA512
90692e1318cd3e8d9d7cf0b91949d68f34372948190273e6b1acf49f01f6bf9a659406169f89ec7182915f840270103a7ab1bead0e919d21e6ac545ffe6d43ca

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
80KB

MD5
c1b169a6566f3a8a53f67c52ae93748b

SHA1
fc3a3fc92455115fa1a2c56fa1d2400b131f0423

SHA256
a828cfdb82fe1a217eaee69399cd743331457c57c7cf39f49e45e21eb5385d74

SHA512
0c56a89b7fa093fb57af45a3862a6f898b071880c2074b3600ffc5e699d1fc6fdb7a43de723584954a1321399acee0f07a9b0c9447b48549867130dba81cac30

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
80KB

MD5
930c7847f95db97b4ace344780da60ec

SHA1
566e8fa70fd18d0b84966d263b099f9c8564718f

SHA256
c91de99b99ffcd31ab9c09f21d9c1d01d4e0ec3368c383ab2563637b7d03072c

SHA512
f637c7b76ca9eb4d448de5610542a0423539c036a368e09df8febf9d16ac21b6f6748e28ff1071a3ce903254280dacddfbaec437fa0e4c8bd382a8ffe2217aaa

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
80KB

MD5
97229a8f8226b2dd427f507425a4816c

SHA1
4f05650c5f4785bea84ae0dec79e25d9adb802fd

SHA256
7733d7ccbec5b4db27f46ead459c5a295860b59d2553a4985c0949f61ee227ae

SHA512
d2e61b3ad105622968f7ac07f10c07daf11ddca520a4d4f16f3f5dc67eb4783727890aa184835f9bc5caef6900c7c04b34150ea0cb112b0f871243e538d62a60

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
80KB

MD5
e1b21be00a685d2bd8791baabbfb3be8

SHA1
55f7cdf4c69e3b52984784d0d9bdd5f99123d7a3

SHA256
91afe708b3494636d49cde4001b09e892021e69f0777ed21aecc1281d31e7cfb

SHA512
7b5787eb903d342c22ce81912a2264f5ffbea236c4fd35c1ea758ebfc8b0d04a64e6f358a13b901eb9973945834b49a02c26fe93989b1c0bf8a6b967dba4cce5

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
80KB

MD5
41e4003a5092bf75a8b3817420ca2909

SHA1
3ce9310d0192ce728f3aaa09c6846115142e4c4a

SHA256
9ba95b2ffa03a86926512ceb984627efc3196046a45cf705f297b525ca222648

SHA512
d11321df015f49f890d64e82ff8fa7f0f1de13e7cc0af2291177d6db7a4b6fb440e1645a727b28949eafe3ffb806ed1dcad4741a9d572d063a8f1cda358f283c

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
80KB

MD5
9e3707fe1f982f52be62b5ff6aaae9ba

SHA1
c6d0ac094df33ddd068f59f44304b0c45905a4d7

SHA256
9881499da048a823bff9aaf53d65ec59a1fd506e2c9dd5239ecdb1a7968c1a50

SHA512
df43d11d19643d5f28557a22bdc5d63b0f5833c1c6436824072ee7832627542c9447318e277820caf48db9023c2876a8e674c84f48653a8428b4820e346170bc

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
80KB

MD5
7216c835ee2c3a784d40406185a853ba

SHA1
eada74f8c135bed3ff3041a8b0d23ea4dd990d90

SHA256
a7cc7144bab45a0dde59dc77d1adc50d0ccb4b756b37432bd523c08e2751beef

SHA512
823d6193959fa782b22d5c59e8bc908ec9b868df6b2783b91a8833223755b58015856bab9541c8121c5dfb5fa2c17cf3971d1d683f6b58e73fecbd17b05ad759

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
80KB

MD5
0b368ee6e1147226718636b68d4a613a

SHA1
e78b9030104e69830f1c32feb69494682bf9c9f6

SHA256
a6e08d150d0f0300930360e30e50752e376d8ae617330d23e53d40f0e0811fca

SHA512
48acefdaaae69eae67c7aae2f5805b2ce3286f5c96ea2b050a8c241b9d7bdd2fa8377ab2616aefa116c82567fd7b324753bea0c89b49a806d1402dd835ccfd98

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
80KB

MD5
69e92cea86df52f9434c9c2cec18304c

SHA1
005fb3d0982f8ceb88e9c63d619bba87b86e9e50

SHA256
e696f5df36ce1aa46e8809965a33a095d9ea2dbedcaf857bc4cd32a00808faba

SHA512
36dd57783437a22f47e6028b4f45bb3dea62525abe86cad547a11201ea9f6a1db00e1cd5c70fc07853c637dfd4e864d98f00f85e50dcc3c429da286eb9389201

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
80KB

MD5
dbcb8c9f168ed9c75073e238e23a598c

SHA1
c4feebcaf80fa34f2451a4888c030f7e42826f78

SHA256
43475e5a92c81e00cbf9dc716086dc199c9078d53723453607a5e9f1b8261637

SHA512
ef2d2601227de1ab88e43b12051fea617f39e780e86a0e8e5075622e46bc9011fcd73fa28aa804bbedfbabc28dcec74727e59eed8427f899150094e138857858

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
80KB

MD5
5147d7a866a1f50bf57b8d95c9417baa

SHA1
9dc5b308dd8fb941b662aa430c71dd0ee76f38f1

SHA256
73386f79b8ee650dc0143190595b9ebb05d804f4d241aaf1d8ed1d16f170d557

SHA512
58a65fbe8cbada89920ab82035048483cbd0ff9e6b378e161358e959480600060e63917757a600fd3e60b322ce762f03623c3e11376da4f22982062b49503b49

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
80KB

MD5
d11ff1e539377a032d20521e16068ea5

SHA1
17654efae5c1267c8964e47ddf1654af915a3053

SHA256
9c2181f28a47872e9abb73ff8e4c24829139259bf9cfd9ef3cd1d0936dc76664

SHA512
2d2c18444bcad16298396a8b5039848a647b3fe2e04c83dda04ff1cf77784ff1b9197092bc8da62225b51b3d0f075d3691d3ad6d017c4b76097e2d6db65ceaa4

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
80KB

MD5
6be6061bf6e80964bff2a768bdecf4dc

SHA1
d8f2804d812f56ee530d181ebfa4537feab85f75

SHA256
a2512326a07dcec724554b4637c9e506bd0706384245dc6ed4d22cf8c1ad243d

SHA512
c895535bea34ed81621dbddaab6de28b0cbef546c9e1a31974fa859588c4068ffd4c7baac1adabdf9f2d3835ede1f0e5aed4a01dc193e16da2e925f6c56468de

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
80KB

MD5
451154466941e4d40c61261ef19cc3b5

SHA1
f5dde76596d85db7cdbd600365a401835f035837

SHA256
ca959c12331410506377b68bfff1feae041fd4fbc4c5684303e053bc247e6e50

SHA512
a5d4881941b89137564af1d17b6b26c1ecf8a233dabbbec62ef6b23449093c2119eb66e249587dead321901382c689184f726c56452e93596c67deb2c966d713

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
80KB

MD5
b904ed6dff6713e66a9c8fbf3506c48d

SHA1
f90019dd65b56ee65efafa7ae6116fd74d8c4bbd

SHA256
cb07d1b2f097f93324e6ecce272ff82cdbe9f8ec973995e77a6eb4b54bbab61c

SHA512
05ef05664ad83de28b81613b806c6af2b1541d97d16d870aa61774963d14c07334d029896dcb0dc394dfbb46455fad7221db6af73bd518fe1f6921a91df8110f

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
80KB

MD5
0550276e59ee6fa78ff0c7c962597034

SHA1
b51ba2c388e7eb03662efc7b8e6b659fdf081fd5

SHA256
5067d532b35778ca83fc3d958c6aa96bf6106665140dcb9c55eec4f53ab675e1

SHA512
7f0ef0ffc4071703911e76f5d7597ab9f7d013abeeb57a4dced3231dd5cd6bbdebd4402993bdffc478c4c4d73b944b8e89f99812b32c253e8c00ec3822573839

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
80KB

MD5
d6e921819818886665d0d55378b9b246

SHA1
a1e16e8363fd38feedd319869efecd0bad3a8f16

SHA256
d7f54ea77bb14dd11137cf07f0702c34445bf322edf7a343007b09173b9362a6

SHA512
867da90f4b156d5964be76a00d17f50952651e290222f36745f36c4d3c8ba3d3078383fdd07f75426695c1355c722d4daf83077b807020b4800342a86b9aed74

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
80KB

MD5
ee82b3f39853f6d8eaa8c2e687312ee1

SHA1
58ecedc4ea49f1cb8e1eeec97c7f0b4a554470f6

SHA256
9277d09b78f0ce0df37e4a41c7d79f9b950fbda578dc14b18ec819371c7e2d46

SHA512
e252008d5807819a017808e156ff4b222868055c411217815e817524b6d0e344e83d65e7f0ae2b8d728b740593e44015a2c89e7c9c4274ae951ead6a5474c62d

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
80KB

MD5
7f35a7646f71afc348db6c33fc8068be

SHA1
899eb493337ca427b89f0491519e6a52bacdaa1d

SHA256
3c1c2014d9999d20a2a10cccec30adfffde9b9f5263f6679e94d838791754dc3

SHA512
4b33f3f5c0a5f1729f022d6f3aa5e729a5f3ac5e23e07a705bb4ecd08850f6e01446f22158eafdb351d7391369f28ac3abaede7c0cbf1f83212ca58145850219

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
80KB

MD5
3e9aeefdb3bd7792683336ca3c728e0d

SHA1
832ee9f74877d28ca03f2117a59ea759e10350c7

SHA256
213b341dd8a764b485bf50df8d9b3cc4d4db12e2ea438997aea1c4e8887e5a38

SHA512
23cdcccfee1de335082043f3c670762343cc6166454eb84483d38d67ae50c251fcbc930f6fe8ddf5059ca6131e222ab7d5f123b293bdfa7b2398b8648be5dd9e

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
80KB

MD5
26a2d4da7ca2d7aa23c0d3b00731a901

SHA1
d59a88856408c85c7bc2d22b24992cb97f50c4ac

SHA256
39afa314a58048de4cbab090aaa06b3c36f5d84afc8512b4b72326b6bcdb67ff

SHA512
cf1c2cc7f4f757980ccdb29b39967170fab9dfa899c5f73f2d2f81924120f6f4c266fc1c6bc40336250106b8b6a0d384f39326260e100042bae8c8373caf00d9

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
80KB

MD5
24d5cc866c6026f5be825754d14eabfc

SHA1
e55752b43e02a1256cf6cadfaec988978762ddf1

SHA256
a57d763e7636033270842d39919a2cc0c35eacaf7e937df28d90fe315a0bbe91

SHA512
344ed5173c17745058b626d60bcd08106ccfc9e55974662ca2e425909240aae8b422f428180c2294f3b93d33e942a49536034fe332d8d350b83b20f2f6135aac

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
80KB

MD5
2df08cc04a283f9b598a28ac1109cbc1

SHA1
9733752ae01a7a74245a4115f5ddd592daca4e1a

SHA256
8c87fdabc577719adf020709da113b6180d9cba8ee2e522ba35fcb18725ff3a8

SHA512
2ede4f39ef72da9a62efae006c479882649f7eff892392172e8f5e57626a10d3e0a123d79a404460ade1c58a65723596876f821026e44f128f53b3d223bdab56

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
80KB

MD5
f4e766b5ec55097b58df81ee3650faf8

SHA1
154dd085924b59aea778966cdd72b1736018cf0b

SHA256
bb38810fe87db25f7bf92e15c23cc697daa193e479b5a1a2f668e2fd7b45e3d4

SHA512
c0872595b2afed658906b7d2f000883c967179a76eaecc829b1a728849294e2c750197227f5cac801ae924242d3e79fc3347db2a4c7e6bb1306d73da4723bbf8

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
80KB

MD5
20efcc8894ab5dd12674481920142d4c

SHA1
241b382953a1d4c54a5002a921bf0c05c50bccf4

SHA256
745e70f42d7c1202c1b32d9894bc6ec3d1ca86104a596947e046fbe8234ffc08

SHA512
8e9047233081b9c4ee95a3bf369fb358729d51e01781b0ca8fb544641a5a533f17da4e6be311e86f10e7b711632f980d644d488cbad5adaab88547dbc9858e0e

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
80KB

MD5
48b8c9881937bd5eeebc8b13a6b8176b

SHA1
82867e52d545be93d92440694b1d23e18f482116

SHA256
f11d88b0a464e089dc1dffe0e5651dbdb9dfb8d586d21df0ca7e98568f128f47

SHA512
96b07c54348f40eb09ed0529d79dcecf927cd27e8a4a686c307871f19f1a296b84706e212d63b43e6fa3e7f59a330c374f5cf2a8e659d732fd92711a62852930

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
80KB

MD5
e1661762e03546f0fde43ebe280d6278

SHA1
439df7e4317aca10119be7774d05fea8353ecc07

SHA256
c36767404df8afa5c7587e123965379483f2f1759f5b574a82d22826d2b7ec93

SHA512
ed89b6c756bb4ceb25b1b4efeaf3c489a71787a30d2ff230ee72ce3bba11c14eef9bcc44af8872a163b67e72535be33efd5c12753c04f95893bda72bac502a66

Download Submit
memory/8-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/208-504-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/344-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/412-462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/468-549-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-534-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/620-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/624-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/664-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/708-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/808-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/992-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/996-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1040-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1116-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1132-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1264-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1356-468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1396-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1424-451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-221-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1752-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1788-532-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1840-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1860-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1880-484-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1912-510-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2004-547-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2148-561-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2148-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2156-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2156-572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2196-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2676-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2916-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3056-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3076-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3116-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3236-575-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3236-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3248-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3260-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3316-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3332-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3384-498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3452-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3488-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3640-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3664-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3780-369-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3876-229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3956-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3980-474-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4000-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4184-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-582-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4408-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4624-522-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4808-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4900-516-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4908-548-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4952-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4976-393-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5040-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5132-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5168-562-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5220-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5260-576-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5308-583-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5352-595-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads