52786d8e0c31984cca74d079f6ac02dcc3ecefaeb978299f842bd04ff0e9e44b

Analysis

max time kernel
120s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52786d8e0c31984cca74d079f6ac02dcc3ecefaeb978299f842bd04ff0e9e44b.exe
Size

872KB
MD5

183ce96126a6e6871ddb3b42f67d0c9d
SHA1

8ffed2c775f453236affafaaae50ac936137bce3
SHA256

52786d8e0c31984cca74d079f6ac02dcc3ecefaeb978299f842bd04ff0e9e44b
SHA512

dd70f6b1b80b1cf4c1cb4d84b9f937b65dd4c6a054a004529a2ef788f028e1354190edd954f3f8aa1b2bbf7fb0eefbd40b97a16e0ae57d3380c2290caf0953d5
SSDEEP

24576:6HFh2kkkkK4kXkkkkkkkkhLX3a20R0v50+Y:6xbazR0v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elagacbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	52786d8e0c31984cca74d079f6ac02dcc3ecefaeb978299f842bd04ff0e9e44b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe

Executes dropped EXE 64 IoCs

pid	Process
2388	Dcalgo32.exe
1984	Dephckaf.exe
4116	Dpemacql.exe
2784	Dfdbojmq.exe
1896	Dlojkddn.exe
4596	Elagacbk.exe
1444	Ebnoikqb.exe
1744	Ejegjh32.exe
1164	Ehjdldfl.exe
3324	Ehlaaddj.exe
960	Ejlmkgkl.exe
3160	Fhajlc32.exe
4324	Fmocba32.exe
2060	Ffggkgmk.exe
3080	Fbnhphbp.exe
2628	Fcnejk32.exe
1320	Fodeolof.exe
3908	Gqdbiofi.exe
1460	Gjlfbd32.exe
2600	Gbgkfg32.exe
3088	Gpklpkio.exe
3392	Gqkhjn32.exe
4148	Gifmnpnl.exe
1712	Hfjmgdlf.exe
1088	Hmdedo32.exe
4512	Hikfip32.exe
3668	Hadkpm32.exe
4256	Hmklen32.exe
4484	Hjolnb32.exe
2468	Iffmccbi.exe
912	Icjmmg32.exe
2276	Iannfk32.exe
4760	Iiibkn32.exe
1624	Ipckgh32.exe
2384	Ibagcc32.exe
2808	Ijhodq32.exe
1188	Iabgaklg.exe
3932	Ifopiajn.exe
1196	Iinlemia.exe
1628	Jpgdbg32.exe
1732	Jfaloa32.exe
3416	Jiphkm32.exe
3308	Jpjqhgol.exe
1152	Jfdida32.exe
2928	Jibeql32.exe
3220	Jjbako32.exe
2448	Jaljgidl.exe
860	Jdjfcecp.exe
4028	Jkdnpo32.exe
1192	Jangmibi.exe
872	Jdmcidam.exe
2700	Kmegbjgn.exe
2308	Kbapjafe.exe
3104	Kkihknfg.exe
4020	Kacphh32.exe
3752	Kbdmpqcb.exe
964	Kmjqmi32.exe
2288	Kgbefoji.exe
4476	Kagichjo.exe
2144	Kdffocib.exe
4056	Kgdbkohf.exe
1660	Kmnjhioc.exe
4436	Kpmfddnf.exe
3116	Kgfoan32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bdghlnlo.dll	Ebnoikqb.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ebnoikqb.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Ebjmif32.dll	Dephckaf.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Njqijj32.dll	Dcalgo32.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ojigmkeg.dll	Dfdbojmq.exe
File opened for modification	C:\Windows\SysWOW64\Ehjdldfl.exe	Ejegjh32.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Dlojkddn.exe	Dfdbojmq.exe
File opened for modification	C:\Windows\SysWOW64\Fodeolof.exe	Fcnejk32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Elagacbk.exe	Dlojkddn.exe
File opened for modification	C:\Windows\SysWOW64\Fcnejk32.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Dcalgo32.exe	52786d8e0c31984cca74d079f6ac02dcc3ecefaeb978299f842bd04ff0e9e44b.exe
File created	C:\Windows\SysWOW64\Ehjdldfl.exe	Ejegjh32.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hmklen32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5136	1448	WerFault.exe	185

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcioj32.dll"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobgoedj.dll"	Dlojkddn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll"	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	52786d8e0c31984cca74d079f6ac02dcc3ecefaeb978299f842bd04ff0e9e44b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dephckaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpjnm32.dll"	52786d8e0c31984cca74d079f6ac02dcc3ecefaeb978299f842bd04ff0e9e44b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkede32.dll"	Elagacbk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 2388	4756	52786d8e0c31984cca74d079f6ac02dcc3ecefaeb978299f842bd04ff0e9e44b.exe	79
PID 4756 wrote to memory of 2388	4756	52786d8e0c31984cca74d079f6ac02dcc3ecefaeb978299f842bd04ff0e9e44b.exe	79
PID 4756 wrote to memory of 2388	4756	52786d8e0c31984cca74d079f6ac02dcc3ecefaeb978299f842bd04ff0e9e44b.exe	79
PID 2388 wrote to memory of 1984	2388	Dcalgo32.exe	80
PID 2388 wrote to memory of 1984	2388	Dcalgo32.exe	80
PID 2388 wrote to memory of 1984	2388	Dcalgo32.exe	80
PID 1984 wrote to memory of 4116	1984	Dephckaf.exe	81
PID 1984 wrote to memory of 4116	1984	Dephckaf.exe	81
PID 1984 wrote to memory of 4116	1984	Dephckaf.exe	81
PID 4116 wrote to memory of 2784	4116	Dpemacql.exe	84
PID 4116 wrote to memory of 2784	4116	Dpemacql.exe	84
PID 4116 wrote to memory of 2784	4116	Dpemacql.exe	84
PID 2784 wrote to memory of 1896	2784	Dfdbojmq.exe	85
PID 2784 wrote to memory of 1896	2784	Dfdbojmq.exe	85
PID 2784 wrote to memory of 1896	2784	Dfdbojmq.exe	85
PID 1896 wrote to memory of 4596	1896	Dlojkddn.exe	86
PID 1896 wrote to memory of 4596	1896	Dlojkddn.exe	86
PID 1896 wrote to memory of 4596	1896	Dlojkddn.exe	86
PID 4596 wrote to memory of 1444	4596	Elagacbk.exe	88
PID 4596 wrote to memory of 1444	4596	Elagacbk.exe	88
PID 4596 wrote to memory of 1444	4596	Elagacbk.exe	88
PID 1444 wrote to memory of 1744	1444	Ebnoikqb.exe	89
PID 1444 wrote to memory of 1744	1444	Ebnoikqb.exe	89
PID 1444 wrote to memory of 1744	1444	Ebnoikqb.exe	89
PID 1744 wrote to memory of 1164	1744	Ejegjh32.exe	90
PID 1744 wrote to memory of 1164	1744	Ejegjh32.exe	90
PID 1744 wrote to memory of 1164	1744	Ejegjh32.exe	90
PID 1164 wrote to memory of 3324	1164	Ehjdldfl.exe	91
PID 1164 wrote to memory of 3324	1164	Ehjdldfl.exe	91
PID 1164 wrote to memory of 3324	1164	Ehjdldfl.exe	91
PID 3324 wrote to memory of 960	3324	Ehlaaddj.exe	92
PID 3324 wrote to memory of 960	3324	Ehlaaddj.exe	92
PID 3324 wrote to memory of 960	3324	Ehlaaddj.exe	92
PID 960 wrote to memory of 3160	960	Ejlmkgkl.exe	93
PID 960 wrote to memory of 3160	960	Ejlmkgkl.exe	93
PID 960 wrote to memory of 3160	960	Ejlmkgkl.exe	93
PID 3160 wrote to memory of 4324	3160	Fhajlc32.exe	94
PID 3160 wrote to memory of 4324	3160	Fhajlc32.exe	94
PID 3160 wrote to memory of 4324	3160	Fhajlc32.exe	94
PID 4324 wrote to memory of 2060	4324	Fmocba32.exe	95
PID 4324 wrote to memory of 2060	4324	Fmocba32.exe	95
PID 4324 wrote to memory of 2060	4324	Fmocba32.exe	95
PID 2060 wrote to memory of 3080	2060	Ffggkgmk.exe	96
PID 2060 wrote to memory of 3080	2060	Ffggkgmk.exe	96
PID 2060 wrote to memory of 3080	2060	Ffggkgmk.exe	96
PID 3080 wrote to memory of 2628	3080	Fbnhphbp.exe	97
PID 3080 wrote to memory of 2628	3080	Fbnhphbp.exe	97
PID 3080 wrote to memory of 2628	3080	Fbnhphbp.exe	97
PID 2628 wrote to memory of 1320	2628	Fcnejk32.exe	98
PID 2628 wrote to memory of 1320	2628	Fcnejk32.exe	98
PID 2628 wrote to memory of 1320	2628	Fcnejk32.exe	98
PID 1320 wrote to memory of 3908	1320	Fodeolof.exe	99
PID 1320 wrote to memory of 3908	1320	Fodeolof.exe	99
PID 1320 wrote to memory of 3908	1320	Fodeolof.exe	99
PID 3908 wrote to memory of 1460	3908	Gqdbiofi.exe	100
PID 3908 wrote to memory of 1460	3908	Gqdbiofi.exe	100
PID 3908 wrote to memory of 1460	3908	Gqdbiofi.exe	100
PID 1460 wrote to memory of 2600	1460	Gjlfbd32.exe	101
PID 1460 wrote to memory of 2600	1460	Gjlfbd32.exe	101
PID 1460 wrote to memory of 2600	1460	Gjlfbd32.exe	101
PID 2600 wrote to memory of 3088	2600	Gbgkfg32.exe	102
PID 2600 wrote to memory of 3088	2600	Gbgkfg32.exe	102
PID 2600 wrote to memory of 3088	2600	Gbgkfg32.exe	102
PID 3088 wrote to memory of 3392	3088	Gpklpkio.exe	103

C:\Users\Admin\AppData\Local\Temp\52786d8e0c31984cca74d079f6ac02dcc3ecefaeb978299f842bd04ff0e9e44b.exe
"C:\Users\Admin\AppData\Local\Temp\52786d8e0c31984cca74d079f6ac02dcc3ecefaeb978299f842bd04ff0e9e44b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\SysWOW64\Dcalgo32.exe
  C:\Windows\system32\Dcalgo32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\Dephckaf.exe
    C:\Windows\system32\Dephckaf.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\Dpemacql.exe
      C:\Windows\system32\Dpemacql.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        26⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        45⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        54⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        63⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        68⤵
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        69⤵
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1492
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        74⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        76⤵
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        77⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        78⤵
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        81⤵
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        82⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        83⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        84⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        87⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4468
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        89⤵
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        90⤵
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        91⤵
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3856
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        95⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3744
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        97⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        98⤵
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        99⤵
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1976
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        103⤵
        
        PID:724
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        105⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 408
        106⤵
        Program crash
        
        PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1448 -ip 1448
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
872KB

MD5
a3847cbc412b80a8af8578f54279e942

SHA1
2d4815c29f0c607aefb46a9bb69d87b64d5e5a07

SHA256
8d4a9821de3649bbebad4887b69d4600e9b5b362560d0614cfa09567f89e17e0

SHA512
0b7ee771e991cb06e6b556655687cf2845270ebbfd0a57421da4bb958a7c5b31653121435ab398300ac16e41a41ad3da583efa0877deca00af4e23e7bbafa277

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
872KB

MD5
aee6b9b9a0e8db86cb35043fe74ea45c

SHA1
5fcd91bfa86e5d90d59360bf8125ec02dae13861

SHA256
076c5c5c5d4ac665026080fe8bdc2a53f3c2065bb26b75955852564cc897af9a

SHA512
8146208bfb1dbd6e2bac1deb6bd3c6a6449986e04869cb7704ddb818488f6bec51a5e4bed9d3460f98887b3434d57072712438a6223bd497b181376b4601a531

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
872KB

MD5
c0372afdbcc033103ffd6e663ed96a86

SHA1
7cdce7a3eee60b3300d04f18b201ff7bcb1b226e

SHA256
d4d5e3d51f1e5b9077f49f866665553c04c20ead473f240027851fcec5eb39a6

SHA512
938c14a92d532a974a30332716842b2d7f03e5d407fe0b49bf18eb38fc83d802ea0bb67908f4fae9ff1dec29081e6b6ed42ef9456a9a63a6189e8c42cc586a7a

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
872KB

MD5
a501564a47857a9693e73f7d6b64de6b

SHA1
c9065f698047d0de04506b7a92d64acf57ceed27

SHA256
eba695247160c15d7869ef176f5249ec2008e88fb564450a3a89e32f390d613c

SHA512
fc778d3b10e44474c1c4d7de54243afb7a3acb058e6c6fb26309b0b31328e9eac0446b0678a4a281d4fc18be2041e67ca9269f4af06a2f29ec427202f1099e2a

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
872KB

MD5
48cc76ae8f2ef05ddd147cff42453f8a

SHA1
c9684d6401e35d72cd83f77b9881d3299953ebb5

SHA256
e657257c84365eafc7ccaf1f78c6e8a65c65000809fcad48a05fdf8d1c5f4cf8

SHA512
434684dc8ff9653e94f0f6cd6b4a910ab22e0db2934c8f2b76e47ca74b2ba317e50a519c258bbb61151bcdea4c070f4024d0324b9172aff468b7533e35cd401e

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
872KB

MD5
16ce70815ad094111cc83e3f546366e3

SHA1
03a729ce5917c1c8a50df45d5bd6a6cfc3aa36e0

SHA256
6e203e4436ce8445cee6f3a6334c7b29efe1aaf8f91b64c01015bff767a697a1

SHA512
e8c85dd0224e74cc6a950f6cfba1731340b088e371d90b315fe17a3f13900964734fbe08a569d122babb39acad943184eb3c748f40e356e4c52e84529e6c2369

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
872KB

MD5
73a746df8b18ef97c3b052d84cf7136b

SHA1
24734e1282342670f83e957bfaddace4887a77d7

SHA256
f6cb3863df35f7fee2691516424895958146ac542d19343e69a8722a42f133a6

SHA512
33d47f654ed3bcfd82303ccce8bdba85babc336a16aac67b9d2f3530edf3c4a2afc2fe7c4d74fda83992448a6948338d2737a8e55afd2fe3f3e67bcbb89bee56

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
872KB

MD5
d9f1dd2a24413632300a12b8deda648d

SHA1
f06f04a6a3a1d83d7bfcfa430b6967c4a54ab61e

SHA256
d0099ee00a7574a47900f21079b5c4804b269cec92eaafcc1de43e06b869a1ac

SHA512
07ef9b4983e6268912ed3b1d8baeb38b0f17432deb84de5f2f07904ef1c2d6f9b665c275339e5e510fd415e6f4140d0964f762834bb4f24d94425700e2fb83f5

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
872KB

MD5
c1a6fa9fc1662ac117d4fe6278764d0d

SHA1
2fad15729765eca20b55dd8819bc638f58e38615

SHA256
e1ff5904e9da62f91f4691a0ae7050437d8f4d2c0901302a4c7a3d30a7e478d5

SHA512
e8ff9838821b6f5e873552cc1b771190c9eb0569185c6275c07e52377bd241f1c12f6740f09ff7b8a5d5ea1095c7f33ef8651a4da8e37a9f86edaf641d51f961

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
872KB

MD5
9ea500ed1f788b6e8fc560f905078d8e

SHA1
0e00af84bbbf0ecf10585587995d5690ae6773dc

SHA256
904ec2e39901b0885cd059d8cd84f0e53115ef9d41c3f63c1cb77cd242cff83b

SHA512
55addfaa41127ab1827d5928090b935b4cdc49f488962f052e47b7740ec81bcbd2a9b5c00bb4b0e950a40760abef705496750569b039d47f5c6001a5d29fe5e7

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
872KB

MD5
340c76ba29cf520dc8feb48ccf4ab1d7

SHA1
99326f98d0692800b12a35c67cad994eddcd47db

SHA256
7ec1117782b547ebbe0049992e03162abe30bcb3f01723572f57be4367892bf8

SHA512
0432ad72f6b2f39311a065f4835a662d4cc72dc31f4b678dba45f0b83407adf5629e3517dc5cd9cf04d76e74881280434480929e747f1961277975b067699cd4

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
872KB

MD5
61edba3f0db52a8866c2e6beedce41c2

SHA1
1db64f2628b963b018a20ad67aaa6f13a016bd7c

SHA256
f72b4a662a93e28e0362c5e4f4e44cff5a391d8bf54bf98d8bc071ee1fb4c051

SHA512
c85776e0f4dcd05ed2a5416c2c1cf62f0710249c221dd80eee958b9af5f4ff66a0721cf485a413b2a5b851cd5a1f26b507fcccbeee5f8c43c602578031e6d7a7

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
576KB

MD5
521e2c012bcb5bfda6c5ebf97149cee1

SHA1
0970d690e69e62c42accce72ebd087f4c746c03a

SHA256
485f081eb79598b6cfe1fc6939595cfa3ce76cba19da710f6049ed90c8cb57f2

SHA512
ad9b4ef481410e81c3a4cfbf74b405534c9749fbd33e9975712fde02c21d181486b4534772bf8cb459e0b2aa32b0f8d991691c1c9fb0cbb61f74dbaa826dfb30

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
872KB

MD5
ee9650a0fc99100b3fd826b1e9bd8e58

SHA1
41f95dec741ee073ccb99a6184b8d4b9910fcf9c

SHA256
151cf41fb0d54de9892c856b273060c610ea35a3d717caaa7be2961eb591b245

SHA512
d57dc996d01c0c90d70331f183f8114e154d377d4b4990570e629761504d64cbf9139c425bba9fa2014698888e80b3d2126402b869f9dc29b933d5eebb0fedcf

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
872KB

MD5
76a52c912a8be1b95f90b65e5fc594ed

SHA1
56976a6694ab3631814c00451b4ae4bedf1dc468

SHA256
b6061ecf1c622b9bb8931796dd0713ca41f716cb426432fad0037a6fb95b4be5

SHA512
4b2dd50e8eb6463ae69ad496b6af202f35487fff817bef0215a88da72af27a7ba12690d4c8064d5a70d87a1023aca561b34b4f2ebaa60f6d3c7c4aa5a017c8fd

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
872KB

MD5
16b46df91966a60eec9f80583c55fcdf

SHA1
0ce48f177688b8f5ddf77e9c5e4d46cb7820f153

SHA256
6d4c87628274aa545375cb26f7d3bb1a0c22d28d596807b0854141b7644b1730

SHA512
0c698c9dfdbefd44e2408027c05e5cdca5d597bcadcf2e4904d11ad571f63ace0766fae54f003c4352827ae6d889675f4a0f78c3cfc811cebd8b3e7d6530aad3

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
872KB

MD5
2a45e8a7ca4aa3331f083e9e1fe8d007

SHA1
d6c53f7a81e6f35b7ceb212000832be3a9cfe8ee

SHA256
7bbcae32319f9244a645f19ebcfd2a58d3d20d194f002a62cf057ccae3201763

SHA512
16651098773867b5c444b3a5e513d11988ba29036dd95136af9d909a96a87e57849597e4dd168ca9404e99e08a7fff065999935d0556099a064a0c3a9e52b749

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
872KB

MD5
adc55a1d5a063174361f356e145985dd

SHA1
0a39f3f7bbecaaaae0695a4629868cf6b9ce3aea

SHA256
86bc0b3ba7816c7fd180c37b300d2a0df94fdc9ddaff1afe83b11bef6f4f0eac

SHA512
805eec42c6bbd8195232208f25a86d692a908f75c2cd185aebd57bdc7bb5258ed955e0e7db2d58b8ff875b4b7ef052acb03e6056b0077e4dc6ce74d13c5d8706

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
872KB

MD5
f24fdd390f0192b04324c67d85e6bb37

SHA1
875474b569601937abd7566859103ef282ad0ef8

SHA256
b27571c2d0e62a8cadf2723bed86876f70b21399bcfb544595b01cb395aef434

SHA512
4b8b1d9a22da9268132ef2292a77ef83fa87872d5f572c497a2ef0f22e397f31e2895322aedc2c46e76e5b23d1e3a034128e4bdeaf6bb719657e3e64d1c1d065

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
872KB

MD5
8ea5917805728af59462adba12e4f384

SHA1
64c1554bae2410c39e0846ae43a8b322f7fd7429

SHA256
511c52ba893af13605bc64b974fafc4ecd9ee826ff3c861db062af78f13beca3

SHA512
7dccb463521f7bc6ca7c989fbc64d7823f15c791c7b5e7a5b8f9136dfa9ca1a9da1d27ed176dd30633cc1f157e1e353ac400877dae922e7f9b6a6a0d5c0207c3

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
872KB

MD5
10ffc0e22b819a0e6a2af53dac000f07

SHA1
81830abfa6451f118a784aa866a7e986a1e87a48

SHA256
10376f86ce91da82a7666e381806f44dd5e35a71ac00187cf2c583e3df36a378

SHA512
f8c69e4ec390a1defaa8bb38725a84f812105ddc2238cbe71f06a4f6caeea67250acc23d986cf3fc3e5c51ea14b19bd09c9a21259cab23ae8c141d7b8689f1a3

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
872KB

MD5
3a7d437c0dc47b65be7099230156307f

SHA1
737259b2061921bc99c7a049b807803b6684c3ca

SHA256
7258dad714a05d94a96c3aeca82c560a90dee19e18d918043e5f554602d4a746

SHA512
765af24b5aaf3b2dd0f9ff6fc9f5d141483092ff08bdc2c73ded3f29197663a2d130d423284d0f20589999ba5ec6c95882b43bf5a7d22a5640cafaac438a341b

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
872KB

MD5
802ec9ebd3f18ff0808929892a5975fd

SHA1
3af5818ae4c7bd917d68cc94cc8aeda60e88d713

SHA256
614ef7a49c7b39cfd959984b84522e5788a691ba394551ae2f68d8a5b20db3bd

SHA512
5c2777838044e8e4d20bd3bd7e188414e909e2d9c32174dcb69d97d742ed5840dd3622d34831780dadf1f42470a25b42d0a8b0bf8ce8ed1bc159f308529f16a5

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
872KB

MD5
de195dddf2e23dd72b0c4bdacc88e8d4

SHA1
b9c0f8a34ed9854f96130c31573e12cd64bc3203

SHA256
2eb6e6a2bccf1b910b0302eba355a0f6a441cdd1e905e882bd6403d18b6b4987

SHA512
9a5bc03fd5e906459cd2511d3e5d3ec9fa128c8d73ac494f1d7327c9bef1cb7edc606d8d462b6accf99dbbfab1547e1dfc4d7a6ab6935e3a308b2ede69951a89

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
872KB

MD5
53a11195e36e055b50780e238e2f9eb1

SHA1
c3cfd231b5afe00f3ef0cc3ae57ce90d1dcbf14c

SHA256
258e1ebd7975cbcd5bdae265ef59557e54a8a3aff483144b56518b6f6f90cfe0

SHA512
8155e7465f9a9a04f81f9a4b0ee15087f31caa58f739aebdf14f85218cc00413848c41d90bc748f77af29fb942db72f28df0a642090c68ed1b1c6bff0b03cafd

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
872KB

MD5
2b522a2d1dec62acf32b988d30dec9d4

SHA1
adba66b543d22518a26a9a6a30243d2c7c8b4b0b

SHA256
88775f09ee498c9756ea60a3d6198174d260e56abf586863f1de838173765a9e

SHA512
776e17da54c2f18f1f298d73b051cc6b6b49508d146ba67726a12f911cab3b96595a49b4af61c4962c1279ff6a827cfab6f93bef13b596449c2f5a73488c7d95

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
872KB

MD5
ec619d49cf935c61d350f504335e6be7

SHA1
0ad10c8a9e0b535323af4737b4d3d8df06538912

SHA256
9df8546dcd26b2d30de32ad26d66ab5be1176705be74208c2315a44ee3a37d9e

SHA512
880d13a89239831f7df895c288890f54e4fd859fc77f3b5439d3657d5ff61e57411a3f144ed9a44f016f6b3f1f805cc0f5938a5f7ec45ac0bded5bf4d66a2595

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
872KB

MD5
87efa7ffa47939dedc8cea46cf17270e

SHA1
c304872555b005cc484d61d0fb1d446894b3bb81

SHA256
eae0834ff2e6d8e9493da20302784ee1e219ff9a033c0971ef8512e81f97ff82

SHA512
7ac346863a9d86c48303d3bd33398b6ddfc5a376f323105e7f771b4e8b1755dbe4b6467b1749e56b99e6fc9fe4de99b3f1b4c24a368ca74d10d712884e37167c

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
872KB

MD5
074b4618322d27f24c4ee298bfa7a7f2

SHA1
174e68e79c8e67f681b540999f8ab12df4e2f43d

SHA256
85118f5fe56d832b029b434c445d943202dad7aa368a662298d45d81e8327a77

SHA512
0383cd79e7828584f879c5bb37b1cf3696ec860589b3a912194ca99affb84ae0282fb0cbc40053377362df76b1e4a41ff1f0040209c13e8d1674e8871758a316

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
872KB

MD5
85b398d992b950b0265f6ebca2d8923b

SHA1
4bd65d6bd4878866d3c7c04320a52badb16b4b24

SHA256
0e893619f70cf5cc7e6559be0a9ce46cf14c40e57ed648b817697a280f492a0e

SHA512
d98394ec2f34d8fd635b7c12f4c82bc7de61eab88204292dcdefde027971dc7352559382ea51cd0db54a7aca44a6da1f6dad915d9ac3d6e4b55a5eb50b6d816b

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
872KB

MD5
e089b05e159a0660a0157e63ac8c6799

SHA1
252d88c50148d9a66a11f5584637a90906ece5af

SHA256
3f146e34f18997c0f93fc0f4a201b6d5b06c6bbf2b6501b737257b0269ebfacc

SHA512
a982ed5c076ef523b3a29cef44f9c55e0648083ca9fab08393f174ead565b760075f54fd53ace9296d5565957f664852d1426ad83126e3ef86e4386e01b3155e

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
872KB

MD5
7758d1e6d746c03fd2574134ab228712

SHA1
a9c4c8c135240430867af2686d2e788bad4a03bd

SHA256
b40895270b21c70022b0cf791f4d2f46105a92e3536ad0081515e2b0286145c5

SHA512
44a87fb3478564bab976bd8e763a5d38fae2a6d4e6e7cfa99ba6524ad3fc0e25bfb31cd506eaaf89f0bd4074ccf0770c5bcc99bf9215bcd745d6af9caace2e1b

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
872KB

MD5
e3d66706b587aef05e5577fce21ae4b2

SHA1
5d67458321e375ec0ba60b323a1ca2683eb140c5

SHA256
7130554f7fd916f6b8c1d34930739949b9bc71c735d42f129504b18322e17819

SHA512
741bec8ba18f0b29129fbdca6b5bd3c63bfebc93f36e855710906333011104ec00aebb638fd9a5ac8e43e6e8b7943becc5df5bdbcbcaf6dc7aef4bcef0f3c78c

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
872KB

MD5
5dbdf0f0095de5d5ad63c65bb4f6764b

SHA1
08e7b4694d636d40734909fc8ff98591e990702f

SHA256
f51187fee307c4c5903c1f1c77588860b8f403f03dc107b8143c02784877d29c

SHA512
ff72207c151c2ff75224d40d19b52afd16f28b38a57a7011ae71b5b2fdcf458bdd7477ddcd4c02da3cb3e7f8d2d8b00224e24301bbc38a4a9af8dc7e41f40410

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
872KB

MD5
c875889bc661a79ceb1ee6e6ce87e066

SHA1
f6a7945d85e43be3373da0feb2b96a904f211e57

SHA256
9259e06877c0d448ad4d52b6263bee837679b8ac3dad754f9809238b564eac93

SHA512
0e5f31c798b35159ab41fa9d13c70bfbd46dc0ce40682171961493ee1bfc33a089005aa12c472b44de02c73da46dde4c2923c2e417a5f48b18fb23cabddedd82

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
872KB

MD5
392bb038cb650f05dfbe1f5a74a2bd9e

SHA1
54d70b1d98cdd65dfd3235be306dde064b80d5ae

SHA256
39a6c915e59b8f6d5c9d262175be0596b68dadeef689b632e82bd3395c9458c0

SHA512
c1c66641df682ab6555f79af4ec96ed9d4a4fb701604f7252865edd57442906be61173c17b23ab9c808c22a99e2c18f0b39d557380df94c581caed205d5ea9b5

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
872KB

MD5
db1348fda4e4df330966a388ff7e8173

SHA1
150226bb21cef4d96dda7145886dd70861b8dc28

SHA256
1ea3be9b4c0e001c8517f6ce533d2e8381d78ae0190fae51e77ad0488e216629

SHA512
9dfef922f2b1cd0afc685d4887c3ec1e802f6276810d4ada437165a739a9a456eafb8f7d99fd7a964232ecd32dfae7758925721c8e83cdbed011c473b7d4f447

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
872KB

MD5
fc1a78534ec8ae7e10148cf4bf4070ad

SHA1
6e5a921b1204ccf7ff277ac7bcd5eaa392b0d072

SHA256
561e7261a5315fed5087e8fe461c74417fea989ec77b1f11c94aaa571b604e02

SHA512
03426952bdb17b2b6dd3c5707659dd70dd0585ae25abbc211636e3e19966630a364af3ba94538ffe5e193b584e90de5cf35014882fb4c622eccac6c07cc23f97

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
872KB

MD5
4c005ea7547e147f1bab67df0c0ef3c8

SHA1
689cc0586af6a3a204f27fed671a094d33b401b1

SHA256
ebbdf7678759ee1eb5fac32918436345a0dfb4867a162948e6fa0272137c6b65

SHA512
6d9dec52942ef5d5b3b1fc244e1a4d53b37205b8259e64c57f8231fc903b24154a8715bc42bbcb2d6a21a330a16459c8c3b6bfd8d16ff3f7b8f43571758b3ae8

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
872KB

MD5
30496f3586d469e68ccb3afba0af3e5c

SHA1
a9233c4066350df602bd557ce49f97fd7a438069

SHA256
f2381690447d0e8a8b3e166c4b773327b6ef215952eb4c6a7f65c38fdbb4c600

SHA512
a904a8c717e0cb247cd9fbc2f8cba044b70b9320c8e8e3c72d4bc45d1f3d629c3336794cd01ff0347b65c500f9c61f5c5dab235f342b66c8fa9dc3912878b538

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
872KB

MD5
7d40df792fc439dcc8e3799ea947527c

SHA1
4f2bfd119942e43939c8c13bfcdc8b74951c8bc1

SHA256
6f9394d2b6828354164bcbbfa13d9ea989ed362b775639ee69661a5a13a77677

SHA512
62d902a1fe44fbc32d8ca483aca6ef5e1d25c3d246b5cbc84eddf08470f28dbf96267f405cc502bdb929c2f4ea67f966da10f5b3132ec92cd85b551110f44814

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
872KB

MD5
4844b03ac51155686f91d3b53a997047

SHA1
3e15638140dda3b923cf0a6cc85b7b0eea28a74f

SHA256
001b1a1b0fcf73159dbd2a67d480cab6b88a4a30eac5b3829a562f1be8ebad92

SHA512
d431594131393ab56868a8c412f1ec913bce574887e21c083e36de96930e1509190b21a15cfc51b4cfede26dbf7052eb0df9fc624b3359e176580ca136701e81

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
872KB

MD5
a9d085d24df0105b1d4536c7c609acb0

SHA1
5b47113ec92dca268ed883377d271e41123654f7

SHA256
78ffc8709c9751b0da86d519b14ba4c7bfd22596e188fd4fa1eda18d0145729d

SHA512
af2141e307e45e1fa67ff8ead7f2f8c1b08537296ea4c1e818093e8f1f69f577be9f5491e5829df487f2cddd024847754ba81e7dfc0d6662d1b4e8afb32500de

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
872KB

MD5
67b5286e07071685158d2d33fbf625e9

SHA1
759486ca1c90e42ade74ecae07e21b762015a41c

SHA256
04c6c40b829ce0a566285a6bfee3aaba058ca3e9c262253174a47f88212d35b5

SHA512
d1b47b05a87f38863d54336ad73c2864e667d5ced14e32a1598c09317e838c6430dd075e6642a60d3f50dd92e306fdbe0ad6d243fd79a8290265e97a5fb94f86

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
872KB

MD5
f351874243ae6e1c7578eee9b1068ec8

SHA1
032202b7de3242524ee5fc9d65bfc025700364e9

SHA256
58a8235a8234ca0f3102b8f0d41140f368ff6ff51e2ca3500dc3363d7786a0db

SHA512
056c39866cec444fb11a98731ca0092db28708c270a48872a891f35237d3493119002e0e8d09523ef1dbaf2ebcadec06627bf4cc65aa240e607b83a20c27159b

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
128KB

MD5
c46c39a817c3570fc9e9875448b47c20

SHA1
01f1f7a5933b75b19b75b35d59bbc7f5d04257a5

SHA256
1b0e4643aec10785da16b833e64e6b7c00a7a1070a920685fa2f81207540067c

SHA512
930311e2dd0080b53fb4d42d4b2df678b6ee2e7d5a93c619ea0ccdc5b74536212b461a72fa9d5199b57aa1daddd433503337ff3fd1a0a93936bf22c01020ec87

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
872KB

MD5
0dd716960d7c8ba187a4ae20e3b419a0

SHA1
bb30957f12f165715a533a3198c712b4d66741fe

SHA256
5a96a12f84086b47f27664ae7a0551b26941fe3ba23f8c39b95242f736c00c04

SHA512
6bd647b2436593887b14373721f8ef4f854d834ad29d65f65c85dfa784b29bdeb6e7e1f05f054e701e13009aba5f5890fa50d2ebcc8261291dbee0ed67961019

Download Submit
memory/628-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-772-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-741-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-820-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4760-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads