0a737bee8f5f50c72c9d5319319282bb64a49b324e302848f2ae24c39f84bb22

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a737bee8f5f50c72c9d5319319282bb64a49b324e302848f2ae24c39f84bb22.exe
Size

2.5MB
MD5

1963268d644ac68fd0a282999753abb0
SHA1

1c64ee01b200c44d7b6f823f8f017cf2350e013c
SHA256

0a737bee8f5f50c72c9d5319319282bb64a49b324e302848f2ae24c39f84bb22
SHA512

e95eb9d481bab4010c645265b40400d12a55eda071eab8ddf375790bd05714bcaa62fcbaf3ac34db81b0e681a82a0c96fc0608012c1ada28b973fc67916c5fe8
SSDEEP

24576:rngsaDZgQjGkwlks/6HnEpFsaK2cWfVaw0HBFhWof/0o8:rnnaDZvjG0DnNaK2SQU0o

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chebighd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	0a737bee8f5f50c72c9d5319319282bb64a49b324e302848f2ae24c39f84bb22.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahblmjhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chebighd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahblmjhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhdibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chphoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccfmla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0a737bee8f5f50c72c9d5319319282bb64a49b324e302848f2ae24c39f84bb22.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cafpanem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe

Executes dropped EXE 64 IoCs

pid	Process
3980	Aafgkpcp.exe
1680	Alkkhi32.exe
1032	Abedecjb.exe
764	Ahblmjhj.exe
5020	Bakqfp32.exe
3840	Bhdibj32.exe
4796	Bemcgmak.exe
4824	Badcln32.exe
916	Cafpanem.exe
1292	Chphoh32.exe
2892	Ccfmla32.exe
2336	Cedihl32.exe
3740	Chebighd.exe
3508	Dhqaefng.exe
4004	Dokjbp32.exe
3676	Djpnohej.exe
4248	Dpjflb32.exe
4520	Epmcab32.exe
2508	Eoapbo32.exe
3472	Eqalmafo.exe
732	Eqciba32.exe
3900	Efpajh32.exe
2556	Eoifcnid.exe
1396	Fokbim32.exe
4356	Ficgacna.exe
892	Ffggkgmk.exe
1056	Gfnnlffc.exe
4396	Giofnacd.exe
4776	Gmmocpjk.exe
8	Gmoliohh.exe
1148	Hbanme32.exe
4596	Hfofbd32.exe
5092	Hmioonpn.exe
3608	Hccglh32.exe
2804	Hippdo32.exe
4464	Hcedaheh.exe
3996	Hjolnb32.exe
3420	Hmmhjm32.exe
1372	Ibjqcd32.exe
552	Iidipnal.exe
3620	Ijdeiaio.exe
4544	Iannfk32.exe
1172	Iiibkn32.exe
3444	Ipegmg32.exe
4800	Ibccic32.exe
548	Jdcpcf32.exe
3616	Jjmhppqd.exe
2980	Jagqlj32.exe
4232	Jbhmdbnp.exe
3312	Jibeql32.exe
4836	Jfffjqdf.exe
2912	Jpojcf32.exe
1716	Jbmfoa32.exe
1164	Jigollag.exe
3500	Jpaghf32.exe
3236	Jfkoeppq.exe
2360	Jiikak32.exe
2724	Kdopod32.exe
3632	Kacphh32.exe
4680	Kbdmpqcb.exe
4556	Kinemkko.exe
1920	Kaemnhla.exe
3360	Kbfiep32.exe
4252	Kmlnbi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cedihl32.exe	Ccfmla32.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Faqcbg32.dll	Abedecjb.exe
File created	C:\Windows\SysWOW64\Chebighd.exe	Cedihl32.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Fokbim32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Bakqfp32.exe	Ahblmjhj.exe
File created	C:\Windows\SysWOW64\Dpjflb32.exe	Djpnohej.exe
File created	C:\Windows\SysWOW64\Eqalmafo.exe	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Aafgkpcp.exe	0a737bee8f5f50c72c9d5319319282bb64a49b324e302848f2ae24c39f84bb22.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdibj32.exe	Bakqfp32.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Khkchobp.dll	Cedihl32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Iannfk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5508	2500	WerFault.exe	202

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	0a737bee8f5f50c72c9d5319319282bb64a49b324e302848f2ae24c39f84bb22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopfdhej.dll"	Ccfmla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgpaojg.dll"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgadhj32.dll"	Badcln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cafpanem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccfmla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahblmjhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cedihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfhehdem.dll"	Cafpanem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkchobp.dll"	Cedihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfolabba.dll"	Alkkhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhdibj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iedonm32.dll"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjifbkdl.dll"	Bakqfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jbhmdbnp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 3980	1760	0a737bee8f5f50c72c9d5319319282bb64a49b324e302848f2ae24c39f84bb22.exe	85
PID 1760 wrote to memory of 3980	1760	0a737bee8f5f50c72c9d5319319282bb64a49b324e302848f2ae24c39f84bb22.exe	85
PID 1760 wrote to memory of 3980	1760	0a737bee8f5f50c72c9d5319319282bb64a49b324e302848f2ae24c39f84bb22.exe	85
PID 3980 wrote to memory of 1680	3980	Aafgkpcp.exe	86
PID 3980 wrote to memory of 1680	3980	Aafgkpcp.exe	86
PID 3980 wrote to memory of 1680	3980	Aafgkpcp.exe	86
PID 1680 wrote to memory of 1032	1680	Alkkhi32.exe	87
PID 1680 wrote to memory of 1032	1680	Alkkhi32.exe	87
PID 1680 wrote to memory of 1032	1680	Alkkhi32.exe	87
PID 1032 wrote to memory of 764	1032	Abedecjb.exe	88
PID 1032 wrote to memory of 764	1032	Abedecjb.exe	88
PID 1032 wrote to memory of 764	1032	Abedecjb.exe	88
PID 764 wrote to memory of 5020	764	Ahblmjhj.exe	89
PID 764 wrote to memory of 5020	764	Ahblmjhj.exe	89
PID 764 wrote to memory of 5020	764	Ahblmjhj.exe	89
PID 5020 wrote to memory of 3840	5020	Bakqfp32.exe	90
PID 5020 wrote to memory of 3840	5020	Bakqfp32.exe	90
PID 5020 wrote to memory of 3840	5020	Bakqfp32.exe	90
PID 3840 wrote to memory of 4796	3840	Bhdibj32.exe	91
PID 3840 wrote to memory of 4796	3840	Bhdibj32.exe	91
PID 3840 wrote to memory of 4796	3840	Bhdibj32.exe	91
PID 4796 wrote to memory of 4824	4796	Bemcgmak.exe	92
PID 4796 wrote to memory of 4824	4796	Bemcgmak.exe	92
PID 4796 wrote to memory of 4824	4796	Bemcgmak.exe	92
PID 4824 wrote to memory of 916	4824	Badcln32.exe	93
PID 4824 wrote to memory of 916	4824	Badcln32.exe	93
PID 4824 wrote to memory of 916	4824	Badcln32.exe	93
PID 916 wrote to memory of 1292	916	Cafpanem.exe	95
PID 916 wrote to memory of 1292	916	Cafpanem.exe	95
PID 916 wrote to memory of 1292	916	Cafpanem.exe	95
PID 1292 wrote to memory of 2892	1292	Chphoh32.exe	96
PID 1292 wrote to memory of 2892	1292	Chphoh32.exe	96
PID 1292 wrote to memory of 2892	1292	Chphoh32.exe	96
PID 2892 wrote to memory of 2336	2892	Ccfmla32.exe	99
PID 2892 wrote to memory of 2336	2892	Ccfmla32.exe	99
PID 2892 wrote to memory of 2336	2892	Ccfmla32.exe	99
PID 2336 wrote to memory of 3740	2336	Cedihl32.exe	100
PID 2336 wrote to memory of 3740	2336	Cedihl32.exe	100
PID 2336 wrote to memory of 3740	2336	Cedihl32.exe	100
PID 3740 wrote to memory of 3508	3740	Chebighd.exe	101
PID 3740 wrote to memory of 3508	3740	Chebighd.exe	101
PID 3740 wrote to memory of 3508	3740	Chebighd.exe	101
PID 3508 wrote to memory of 4004	3508	Dhqaefng.exe	102
PID 3508 wrote to memory of 4004	3508	Dhqaefng.exe	102
PID 3508 wrote to memory of 4004	3508	Dhqaefng.exe	102
PID 4004 wrote to memory of 3676	4004	Dokjbp32.exe	103
PID 4004 wrote to memory of 3676	4004	Dokjbp32.exe	103
PID 4004 wrote to memory of 3676	4004	Dokjbp32.exe	103
PID 3676 wrote to memory of 4248	3676	Djpnohej.exe	104
PID 3676 wrote to memory of 4248	3676	Djpnohej.exe	104
PID 3676 wrote to memory of 4248	3676	Djpnohej.exe	104
PID 4248 wrote to memory of 4520	4248	Dpjflb32.exe	105
PID 4248 wrote to memory of 4520	4248	Dpjflb32.exe	105
PID 4248 wrote to memory of 4520	4248	Dpjflb32.exe	105
PID 4520 wrote to memory of 2508	4520	Epmcab32.exe	106
PID 4520 wrote to memory of 2508	4520	Epmcab32.exe	106
PID 4520 wrote to memory of 2508	4520	Epmcab32.exe	106
PID 2508 wrote to memory of 3472	2508	Eoapbo32.exe	107
PID 2508 wrote to memory of 3472	2508	Eoapbo32.exe	107
PID 2508 wrote to memory of 3472	2508	Eoapbo32.exe	107
PID 3472 wrote to memory of 732	3472	Eqalmafo.exe	108
PID 3472 wrote to memory of 732	3472	Eqalmafo.exe	108
PID 3472 wrote to memory of 732	3472	Eqalmafo.exe	108
PID 732 wrote to memory of 3900	732	Eqciba32.exe	109

C:\Users\Admin\AppData\Local\Temp\0a737bee8f5f50c72c9d5319319282bb64a49b324e302848f2ae24c39f84bb22.exe
"C:\Users\Admin\AppData\Local\Temp\0a737bee8f5f50c72c9d5319319282bb64a49b324e302848f2ae24c39f84bb22.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\Aafgkpcp.exe
  C:\Windows\system32\Aafgkpcp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\SysWOW64\Alkkhi32.exe
    C:\Windows\system32\Alkkhi32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\Abedecjb.exe
      C:\Windows\system32\Abedecjb.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Windows\SysWOW64\Ahblmjhj.exe
        
        C:\Windows\system32\Ahblmjhj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\SysWOW64\Bakqfp32.exe
        
        C:\Windows\system32\Bakqfp32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Bhdibj32.exe
        
        C:\Windows\system32\Bhdibj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Badcln32.exe
        
        C:\Windows\system32\Badcln32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Cafpanem.exe
        
        C:\Windows\system32\Cafpanem.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Chphoh32.exe
        
        C:\Windows\system32\Chphoh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        24⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        28⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        37⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        40⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        57⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        66⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        68⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        71⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        72⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        78⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        79⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        83⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        84⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        87⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        95⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        96⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        98⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        101⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        102⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        104⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        106⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        108⤵
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        109⤵
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        110⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 420
        111⤵
        Program crash
        
        PID:5508

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2500 -ip 2500
1⤵
PID:5476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aafgkpcp.exe

Filesize
2.5MB

MD5
45d4fb75b4f889165d5356760b4fbbf5

SHA1
e449da2166a9126552f45672c0c32abe47378b47

SHA256
6566ee3e2b980a6bf729071ad2133ff54b12f8673f401639d85c87194a858fa2

SHA512
20920900c206804313f9a6f9981905799ff8997ea1b897251fe85f864496520bfd239df78b813059876d4339ad44d6b504dc2f1d7ded6d434ffeedd029535383

Download Submit
C:\Windows\SysWOW64\Abedecjb.exe

Filesize
2.5MB

MD5
9c97be97e2f64ab3fd46dd4181fc22af

SHA1
aec199a1d20f7ecfcafb6990a17341b022ec761a

SHA256
65e7a9f36af0a0def11f0d15218d619600ee0bc6246be4bee4171f1899dd87a4

SHA512
3e53fcbd471dbd15b4a871cdfc3a64e135a5676aa4dc87241daf80616e8bd9b94e58961bae441f91994c0d85de6077e8ee4d57da7d26b910f3d4bfd79f2e64ac

Download Submit
C:\Windows\SysWOW64\Ahblmjhj.exe

Filesize
2.5MB

MD5
81ec579ddba337106c9e18edb195ff6b

SHA1
4cdab12a629e3af03da0184d9cda115de122fd3d

SHA256
1f5b95998e5bafa281258aae3b572cc98aa89d9f383dcc63b9f81ae6e2595198

SHA512
7d56d1c3e96791425fb169de939260cb35689b0a10111f77441f07b51e89a2b3e93f7d06976922472612ed62bedd9352f224ce1db7c66167c60aaaaf69c5ba0f

Download Submit
C:\Windows\SysWOW64\Alkkhi32.exe

Filesize
2.5MB

MD5
fa3b0fe5aece1799e4d74d23b242a726

SHA1
62b880b22034e537f0e4b08a1381ad2d5b8fc3f5

SHA256
198bc3e1ec0542063cef4462958fc1342308b565f2d22c8c366b209f21c39400

SHA512
6894af4e5f43f55a2ce764f315bd6ba1084dc246b7fa20a612a98a7db0cab8b7225cb52f0e99985b79ec1eab831adbfde7138ac0e68d68035ef0dad106d4d200

Download Submit
C:\Windows\SysWOW64\Badcln32.exe

Filesize
2.5MB

MD5
08df2812ac40db72982811a14cd6e97c

SHA1
89d569f9fdd737cda4597037c7e163c57a1884b9

SHA256
fcf19f11e31bfd30905ea75808cb87c77d0f00a24d3c7288f6c7036e6e671776

SHA512
6d4dd0ac20f114e48e3257d7e84afee4992211f86314bfc1aca4083a61448848f0bba81a16aae6a9a40478cf3ba61041cc0f7df1f10e8cbcee559e881d169e9b

Download Submit
C:\Windows\SysWOW64\Bakqfp32.exe

Filesize
2.5MB

MD5
26ebc0200d5d509507f00d4977f81056

SHA1
9d9522197f0f8a163620994abac092f3ee974882

SHA256
efa4b64825f4f4b9927f6014e95fe21214b14bae39874dde2ab926bf873ce26e

SHA512
6dffa46918fe151449b493537710ac7165e0082dff2f40e4842f5968061d1ad22cfe433caf9f242c41b7df40f2828c5ed0c44bb549386983d4a46359db65b403

Download Submit
C:\Windows\SysWOW64\Bemcgmak.exe

Filesize
2.5MB

MD5
28f4f99b34a5ad58ab0f8206a1e5c251

SHA1
9f59542b6860c8510c89103b929c858f1746640e

SHA256
735149b836166cec609e933ae340de317b48e329bb299c73674bbd35bed9627c

SHA512
283b430b1a2503b81013e4671ba7c816164f235a3e95fe6f0a89f81e8e5e3641d30e7484850084ba67a075d835475193f19d85075eba65abdfde3b00b8c821f9

Download Submit
C:\Windows\SysWOW64\Bemcgmak.exe

Filesize
2.5MB

MD5
8174b031f2ff48f7bd7f8632792dcebc

SHA1
e55f74c0824591e6e94f8c99b583120d1e02dadb

SHA256
fba0c7f4eca892d9ea44caa77ca26fa58b7a92b96d20a1dc6992d06e8d221323

SHA512
89f85488c981d62986002cd4ad6dca04b7f38b9b1298ca5f721760ddcc00be6c5e71ef8758108b83e1cbd0cc463f152eea15b3b17558e4d7cfcb384cd02a69a3

Download Submit
C:\Windows\SysWOW64\Bhdibj32.exe

Filesize
2.5MB

MD5
ac11e5edf9ddf58fb4f75a424203b11c

SHA1
13de3ba7e2b4c3b6b090169eb10072bc0db03e7e

SHA256
10e822f6c465170875a22c29f81116f18fc59b3ec051af8a86c955663c12befc

SHA512
4a44abe6046be8e5499bbe898c6e10e8a95b043db20913a0e3973dd0ba6996a4ca5e41a4a5b85fc1c910db09a75f13ce9dc054dc7fc41c1b91139250af692439

Download Submit
C:\Windows\SysWOW64\Cafpanem.exe

Filesize
2.5MB

MD5
8d3701ca9a316e2263d4304191399e0d

SHA1
c1fddc98450ec3977ed1582458969b9370e9d82f

SHA256
d2b004ef6c3cff08515836010e396ab68337158a40585ca4a99357667127e314

SHA512
a9138d12f4c4e1c37cf54b0f7bbafce755e1c92652a933a0c9050f4de5208590962f9beca5481531b435cb249fa58270b140db9cacfb5e889005bb0ff15d8219

Download Submit
C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
2.5MB

MD5
dc6c0ef2483b5a21b65e7bfe5c48b641

SHA1
c67888c06625aadc1b599629083c8dcc2e396d63

SHA256
15e06e307ebb2f5ab74fe35ff3815503f43b0d2ae7d9d3087827c62df66c6661

SHA512
2dd9b0fdc29bc78f6ae954ee0d4f63ee64634c2fb34403d6738ac415e088cae40a9c069482c4fe4fbb36a3001cd3dfeefc2b3266c060bb6d95d58e1cb7aa3514

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
2.5MB

MD5
c587cc49b3abd02467794d5ba5048473

SHA1
4e7d1fe20c5a56ca947dfd267b32c8293964ab33

SHA256
2fa6376b9e765772e3a5b49d6e0c69506ab98096658a86694effcf41fcb0f457

SHA512
37855c08e5b9723c4b3b334a6f3cd2bf845ea071c1ac632b2cd4f8f75515574f23569f2574dfb3bfaa7ff4019ea929eed3a555b3b995a45dc9de9ce75f0d2951

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
2.5MB

MD5
9a2e091b23c7bee2cdcc87f224f8a014

SHA1
054379b42cea9d1814f1ba750611a46e075aa229

SHA256
d0c1e53ae9c22f9263ef557532112938d0c2fc84eebbcfec80b39bea9ff579da

SHA512
42990e986ccdc859f6d650c426b6be2db581a1190ef79a69476b544be74d94562b209148e638e3227856dcd13b71fbef77bf606a73022ec00366e84bbf0d1614

Download Submit
C:\Windows\SysWOW64\Chphoh32.exe

Filesize
2.5MB

MD5
f41018c75abc9cf48da3e4c5fa79c22e

SHA1
1dcea1f5e89b8679b1c81e56d220701dc66773f9

SHA256
70a639e94a68226050c78fa87351a28ebf57381a51647018432f87bda46fb778

SHA512
7065586c3eadf223c36d82d16398f67b8167d82c1d04bdf7534d47cc62d8394420aa2b7494a179e4e1db08f4f133a12fa30df49243966d58c28053df9ca88ca1

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
2.5MB

MD5
027f30c80ea73d8cfc54efb15c226234

SHA1
b5632f5aa876d36acc5cec4a0fc1825e174eb1d2

SHA256
c52c9b0d20d69ff3abf6a0fc30c988058b1840bdbb28452546c8879448e27c66

SHA512
7e75e50fe26c1497641913fb03dbaa8d3000f9b2709e140d95f1bc4d7526cc01a5f4480d9f9facbfb41e6e3d61396d6b86ef9dec24502f8e84d858e3a8dbe391

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
2.5MB

MD5
70df2a4f4763d2580ff0f681df0f2f00

SHA1
5256519dada0d126b6ab32ebc2d8f4e4f35d6786

SHA256
72d4809254dbba0ce0d093ea72587d50474d826fa34cf80f9f8e62b1008c1683

SHA512
5bfb8a4beeba7fa62c85cac7c52e8eb06b13c4def9596a841a0f4df99421c155aaae494813cb2d8a080ff604c0487c67737c96417d41455abb8ab4b6e1a2d584

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
2.5MB

MD5
9e2b024f2c3e08180bbf1d4b0fd5656e

SHA1
c96a6acf85f4ac70ae77e360493e585b947bada7

SHA256
28c196ef62fd3cf1d1ccf7a7897134c2c4343dc7bb9a2d434342ae16aac39e54

SHA512
ed0ede65fa3dc4d2fc82f16b93b57afdebadacfb14e21b5d629df6752acfdd9b70b89cbcab0c982a901703311550cac3c1902bca344c7ab8a3fcd572fcab75a0

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
2.5MB

MD5
0a19c6ceb5e51e2d8ef6cea2be28216a

SHA1
e98d9ae955e793f7472f98fdfbf98e106b12e144

SHA256
014c17153268040e05c450479df955e99aab0d670afc33c69aad2effa8e88b6b

SHA512
3a56a5a119ddcab32749f2929843233ed63f06be5925a4bc66eb770b69e009b78f42c15472b08b1671fe12bb5b11e34bfa78f1e264f079fd5b395cc792e38f25

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
2.5MB

MD5
9cfa4ef2e02431bddaee0e68c8e19515

SHA1
6da188d2d1f4af34226e30d19ebf51135a893f79

SHA256
e13275de40209043ab8af8674a8065b01ac409edd06d8176b60fb6b00ad566f2

SHA512
da2befbff4091ae05b233e3638acb6287496d9ec52a3843fb4f728c1d38a064b2d54cfdb483d465ec28ef03955093100c71312f5b4199ce54e55ff74f9c64d42

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
2.5MB

MD5
5a533c5682b34dfb00b0531de531daab

SHA1
4b965285e12f5e7430634e3d9591252c3c18c97f

SHA256
363c8c7b19b8bb9094bb954d5fde7b532806dfef847f8acd728ed3152e27b334

SHA512
569666a10ce14be805abc1262b1ac42e903c281f41b4f9db64df4aa7cf9d142275e9b71e41b1359516ef7b89606886e6d724f074999838c85fe99579878fe111

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
2.5MB

MD5
d1f5130985be86fce2cee8c48d3fa40f

SHA1
f0041169fb2a21dc910983f5e97f09f8dc1a4b02

SHA256
b1930be3ea6b2b10be0e8d43ab4e19b46448e7d13a01281d53227e4ff5fa7a9a

SHA512
954c3d10130175746397d27979e016a79b156e28c8d172a72f54fb56638a89fa501a37d44fa72e6efb59a0d810b0a1ff5079e09b4287b8ecf3e2381af4208a52

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
2.5MB

MD5
139fb34ecf00dd75bafb8a8ac1e5049d

SHA1
efca17b4a8a3a9ea7afc55d7212d9ec8bb261e1c

SHA256
c668a7443021a1465f3689aa236e8722a802b6436f841054659d7f2e8f787e77

SHA512
0910808d7fa1d1d8bdc5ceb0fdb5a807243248a71e0c646b451ca5258fcef8c9c8cfdcf617b6c1ca20d2b7bcb0fc19bf3ba9022e29b5c525bf8a95f43269914c

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
2.5MB

MD5
d979687206b62127648265f817b64b5c

SHA1
c3696743bca9f37c83bd578dac2f90e7a57cbcd1

SHA256
b507ebe3b3a1dc2f9f2a5f80a36827f6f06aebd903cb394cd14d153a6dd913b4

SHA512
a8431f0b026a4032cfe6eebf83818659a7a68b66dd090ea1cc46da3d8152d454c5b7e4854032aabf52c814fa2e8470d94c6572815ba3496966da219679e534c6

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
2.5MB

MD5
c93046fcb64c6ea45c6039518fdc9768

SHA1
de45c4c507d2dbd4202ab35575946be77fc77e9b

SHA256
956427eed90f9d89ba6822650771dbfce5a36db3ae8cea6796a724f298b5777c

SHA512
3228af37bfb117eb1d115adbc5e329aecbf97ff68e2d55082b60eb1b294559c195004f52640a18a09b2c554e6d3b4272b48b7eafdb455c4d67617816573737e4

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
2.5MB

MD5
c0b4ed09a5ee7337eb1b6eb2e1c0da2a

SHA1
e22b48e54614750c8b65bd5ab8655cc7c4abce6c

SHA256
11b1f292f575f5e67557d7ae2b650f2c34419a7449a20c433f232b5a085f89bb

SHA512
ab684f62611e78a89be368f2471a3bbd073a5e081ce2f349ca8ba0de76cabc4c3f4a01e8383d1bf9e47a0fade6b151e0f7619e868d3fc1b40b47313283dadf62

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
2.5MB

MD5
7af6edb46551f475ae75f5f51fdf41e0

SHA1
8359ec073d3721244289239a0d8bb4f517c00df2

SHA256
239453a8f8c32e3f32f7e0d62708601282c82ab11cba65bbfa48dafe4d17af3f

SHA512
0318522c8f3b1ddd5cf344711619d44a381ed367ff25481b4f15503445ff53ad85aaf43d2f4c79dfb5083b0de69f77901ae8925fc7d2bcea42b3228294ec23d0

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
2.5MB

MD5
3c56533f926e4084392e62b83102c99d

SHA1
96d92cf39a0531fca8401cd53bcba473f9390a0a

SHA256
36d7a47bad051314bc8dc1bf52eafcc407254f27f8ec4efcd9304b731c14bce3

SHA512
7842942e44d03b2f0dbbc7c906074712667cf504ab00bc632deec9ac11d838fc6045a42a0121668852bbcddb96af3dfe30b17423b62c8e60a53a99f3b59e7c56

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
2.5MB

MD5
dfcecfcbe72efe8a6514d1bf1e22ec6d

SHA1
b03aa71e9d36610e6da4c04237c731cfa69efb46

SHA256
1188fb499dabfad4f8c68fee507940141e3942e73c706f046dab8843a9b0492b

SHA512
c7ddbc0ada579873a849e5bf2dc983163482b3cf243f3c72d1f09b2eeade0d3047818252428c1f9ab33b317a8c4aae91676e033c20d97613788f92ab43b31284

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
2.5MB

MD5
a3ed6e5cd0741346d2e498d5cb121810

SHA1
a322b4b10cefee6434ba68eb0f6e98209e2f5039

SHA256
9996be8c425de5aa36b215ef7a66552618d8dc6adf622723fbae348786c42b7e

SHA512
d0efb8a21344b282294a2c03335e92bf20159e357095e1c3b82be17542693925533b027e22d1219c9be398abe83bb734af81f0ce56ab0e7e9b57250fc49e842c

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
2.5MB

MD5
a3523b515a892af643270f59f6eeb879

SHA1
8e7614f688bb8efd40794c3cea72ea0be8cf8b60

SHA256
01687fdc58eda764018f6415fb707e8d69483542ba2d5e758c3d37cb9ed50f91

SHA512
eab6dd6419bed463a3595aa39800b0091d90b11369550a8a1a920d1a843351cec9285b883beca400eaa5b2d3dd74c18a208393fe825985cbefd3007742d7571f

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
2.5MB

MD5
872ebcc4269957a717d93112db3afc46

SHA1
902d2c88fec27a8d53844d445c97248af979dfc2

SHA256
9634e32b69f51dbbf20fdf430d906eaaf0daf21b62f5fe0baf88b7481ba00679

SHA512
c1342f822a1f9b01b784e6880f86f0fad77eee5c0b34a816bed3f467c8d34694a9383f499a8dbd7d2dcda3a4c89648e79b3db073c3dedcb136f3f609108cfacf

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
2.5MB

MD5
6d32e231fb2107986fcd65df762fd5ce

SHA1
27503712f200495ee5a7735ded75bc5d1ff805e0

SHA256
e18e99b06f9ff258e18e1653b8089cd66d6d916840824372374baaafec805b42

SHA512
1f76267a653b25b052470a67f92146241c201bdbccfb836e3075b3f4dc42ad43bc2abdfd993ade7a033e1d0c8aac8202553c6f58c3a7fb96df6709fabacbfac8

Download Submit
C:\Windows\SysWOW64\Goohek32.dll

Filesize
7KB

MD5
5b4c3e28366fd16c666c2ca8a73b909d

SHA1
92f808a54d4d573d7509ded535330d7afc33efb0

SHA256
5314673279307334a81a9da5c3b114eae444f28f02f7da3692d05d9f577bf935

SHA512
00a1822613ae443ce5ecc61b0c546bbf0f7ce05ffe34af96ad8a63de48f3753611e652066a0d5aed903aec406b3ae5b77cec1ff79604d3a0496c2603e2c1b4a9

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
2.5MB

MD5
a90d228f59958f898bc9642f1f2f4340

SHA1
93ee3fbd74e0dc654a39ee61ed8f215da594094c

SHA256
57c5c924bb2bcad47bc8488c372747b59a9d5dab314b687799e18d30b1a50308

SHA512
bac00338795a33b59803d043d92c52919b051e694db5a6ab135655d7e0e3ca140c5e77f0444dbb2fc3b5988f30528897de29c214899d91dc91670fdd2f313479

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
2.5MB

MD5
d923ebde7a90bcefbf53cb1d8ed6d2a7

SHA1
4a55ffe22811f3801c15607cad976f1c7bb14fff

SHA256
b4954df83df14149ff57f5a854ed5a540e10f2426c662e5e8f60a5ea3370bd23

SHA512
86f48da14637e292b179ba26fd22f0cd9e4df1f76dcd454003441b2651038cd8ce160cb3a94be49d3510742215238754512e059666e979ba7fcc2e413cf058da

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
2.5MB

MD5
6ed7c7d44bc028ed9adc1b9d8a6a143e

SHA1
e633951b7dc7d1feb167f91b700b7d748504eaf7

SHA256
3038495847c87d7d6dac79a32d1b0b8353e1f287c9482e31466f06b17bd198a5

SHA512
3177a67cdfa67d1bfa6dbd2543f3bc3751620cdd680d87b1cab74cbcdfbcaf3416348473cf74c64fa4e5abada7f97a3de8978116bbeb4231c5b85720fd05952a

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
2.5MB

MD5
6ec5e626c8e19a0ad3e1615ad8f94a93

SHA1
1169e35b44c0fbfa576cb430ebe26c146608f282

SHA256
56d4a2a47a242bb55d36fde30c3068a4295b4f33f72756b914f41a04cdf66d43

SHA512
e6c90de79a816452c0693962be479141e0b25340553a2d8645384cadc3e334a069d6895ee9a267d215acafb13651882521cac2a10be44a84c22266abd7868bff

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
2.5MB

MD5
f905c1d2fb8bafa93253419c75b51b68

SHA1
210f50100d70cbe489b3660fe5daf3273f253357

SHA256
308afc4ab56b1f0eaf9dc1ca5856f562458a95ae5993cc4771dcc5cd770c2ad7

SHA512
cd097e5c31a0a917256acd5d264ed434229325819bc9a7170b8b4d61895f48c2f1ace4ff0348af9b8cebb380be108746d5952189580c233ea3711840d2093bfc

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
2.5MB

MD5
cebae8d70389dd7420b68960bf79e25e

SHA1
274d6ad828cd433af786e3929f6be63f80a10a09

SHA256
443b2fcb1a6b8ff24d097a53dcfd87f7d686eff1523effbfd5bcfec763b768c2

SHA512
1c1e7fe428f3a2f6b6f702077e45b03a34c7e9bc5f8af61130caca77acc6de81b423baafe9593582098ac36789548b4aa0ede090895c1ab8fee39a70b0599289

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
2.5MB

MD5
1963d49ff675113fa56f2ad460258906

SHA1
b26a8629ffb59860d8bb4a9cb028d3239a018829

SHA256
9866ad5f8607ce6dc4e1d8abbfdb214929b7789b487129688ed85380184bd6bb

SHA512
a9fed979ab80f667b9f115b9b72445c63fa66dd2e4ae648e23d9f478fbc79c53e5475a74100eddb289013dcef6ce3ca5cad0cee92505c038ce0f6024e8efd871

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
2.5MB

MD5
0c4918b3a0fb1aefcd0fb9310e9d13c3

SHA1
d46066196e8c0ffb8743c74966c8998f1cbd1fe8

SHA256
fb799e0406c8ccf2bdfa6c78be3cd9bc60f72318af4ad8dd414342ce1e9820ff

SHA512
87d89e1a2271958c6e7f3c06e31edf28f4b20031851ac85b6cbe1646f5b8c9f0d3e3748e2df2bb1b2fdef7740b063ac6f3daf7539591566c3843023fa679c99a

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
2.5MB

MD5
a79092893a21d55ca4ee74b193a92673

SHA1
e0850e3d584f976df06db41e15c6ea9056198bd7

SHA256
7deb5e571ec34a94d80e519c269ca8339ecd4babc784ac68c6f018c0ae1d851d

SHA512
6d7a151fa79595e03aa0a31180dec7f93a3d29290174503296a59b0616d07580730eabccd7b32466f8d14d11190e076468630e08de4d7b931ad41db93d987d24

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
2.5MB

MD5
855661ce270bfe647b7e8c83f38adbaf

SHA1
00da1661efdd2a2697ca161daa31fad74ffa725b

SHA256
2873e3dfbd29ab79c74a1fc06febe3288e710ae5cadeebe1af477bfe7432882b

SHA512
0c69d203382c64ab5dd342067b8b176bae58b082154fbe5d479f188a290cbdeca86cd07b635105b5f13a98f251fe112e684bb2c94026752b02b7bc532041b9fb

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
2.5MB

MD5
93d5fa00497e4a560a2652743e189523

SHA1
759173325131019a526b2f9e9409f4fec5bad7d9

SHA256
7007f2c1bda39990bbea7080b37bdf28fe167339bed2bffbe1a6f7de46b84770

SHA512
fd70766d447f3bff56e8fc20519016b14a70aeb1ae49db83ae4e87719fdb3213769cac873154a0a1ee54c961859a78ab0a12172c4145fada870e247cb2b4be87

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
2.5MB

MD5
561b7a3fcdcf698523502b6d87a005fc

SHA1
16f114b1011b86786d83f6d2d7d5e0616a5e9311

SHA256
133a33160312c7b6725bdd5a3c0e9d3498b9f3af5f5eb7d51efc752ceb4b9d89

SHA512
18148aa76a1596a6edf15b77d315c686e1ca71effb630cb2ac57435bb24e3cd5fcca5261b1887859ad50148e60fe8ebd008e58261ab65ad2130b0829ae4fc026

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
2.5MB

MD5
b36ca5c80bef3595aaf0a946af6c3963

SHA1
e90260e2af8f35517906ab38c777839611fa99c1

SHA256
8ee399ff4a013072aaf8d9eb86ebddd283f1cc683b3a992c9f2cb02e0ce6a7a2

SHA512
fc58fe49cc159729a4be97ca187327a83bb7d34e45c7aab8c1735b888606a4b1d6329a9f51a07066e88c1fd01c184ab43cbaf57bc1d2bfe8fac7810f20625b2a

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
2.5MB

MD5
403385ae1bbb3bd6fe393e7a3d5dd92d

SHA1
9e6e4895c9cd5610ef42a269583b15a336187f7f

SHA256
78d62cbb57657f7104b5f075f4688062bf89d0076cb4e1595cc8d5d7d2ba20e4

SHA512
1b4cd17ea4b8c41ba3ce787cf6dfc3bd1111aa43b3bef222fdbd66e1d62d663e0b190362e77a7c0317dd2e77b7474e4c38116e5d1730067ceb6b31d2b354932d

Download Submit
memory/8-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3236-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4252-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-596-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5164-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5204-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5244-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5284-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5324-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5364-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5404-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5444-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5484-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5524-804-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5524-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5564-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5604-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5644-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5684-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5724-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5764-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5804-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5848-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5884-750-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5888-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5936-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5980-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6012-747-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6020-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6064-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6108-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads