2c4f9e6643cc2ab02cf43d375cc0fecb9107276e95d95a917243b7415dfdbf3f

Analysis

max time kernel
92s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 20:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c4f9e6643cc2ab02cf43d375cc0fecb9107276e95d95a917243b7415dfdbf3f.exe
Size

464KB
MD5

1fad7f1f7aabf493f80213a626c4f910
SHA1

3828ea404d79e9e886d2ec120063bd4a4277d0b8
SHA256

2c4f9e6643cc2ab02cf43d375cc0fecb9107276e95d95a917243b7415dfdbf3f
SHA512

3bde491aaf06a469f8856e128124aaa3d3942fe2ef6c532d837057e50efc2df8d522cebe9bae5469288e8b2bf7aea13f65f2aba0a52554a64b25654495af30d5
SSDEEP

6144:LVFBObVKEOIIIPCn4EOIuIPJEOOcHTETKEOIIIPC:Zfi4EVI2C4EVu2JEVcBEVI2C

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	2c4f9e6643cc2ab02cf43d375cc0fecb9107276e95d95a917243b7415dfdbf3f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cakjmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Denlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chebighd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgbefoji.exe

Detects executables built or packed with MPress PE compressor 64 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023298-7.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3964-12-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4516-20-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023424-23.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4768-24-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023422-15.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023426-30.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023428-38.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002342b-46.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002342d-54.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002342f-62.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023431-70.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023433-78.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023435-86.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023437-94.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023439-102.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000900000002341b-110.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002343c-118.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002343e-126.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023440-134.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023443-142.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023445-150.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023447-157.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/692-164-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023449-165.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002344b-172.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002344d-180.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002344f-188.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023451-196.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023453-205.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023455-213.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023457-219.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3128-221-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023459-227.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2372-228-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002345b-235.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5784-237-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002345d-243.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3896-245-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002345f-246.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/636-253-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1844-263-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5248-265-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023465-266.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2016-276-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2448-286-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1028-288-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002346d-289.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2568-294-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2288-303-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1724-306-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2552-312-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2172-318-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023477-319.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3040-324-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2680-330-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5080-346-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3240-347-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5156-357-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5576-359-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2008-365-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5392-382-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002348d-383.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3212-401-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 64 IoCs

pid	Process
3964	Cakjmm32.exe
4516	Cibank32.exe
4768	Chebighd.exe
868	Cekohk32.exe
2100	Dlegeemh.exe
4084	Denlnk32.exe
3652	Dadlclim.exe
1524	Dpemacql.exe
1108	Debeijoc.exe
712	Dllmfd32.exe
1284	Djpnohej.exe
5744	Efgodj32.exe
4668	Eckonn32.exe
4124	Epopgbia.exe
3480	Eqalmafo.exe
1684	Ejjqeg32.exe
3612	Eofinnkf.exe
5592	Emjjgbjp.exe
5420	Eqfeha32.exe
692	Fjnjqfij.exe
404	Fmmfmbhn.exe
4780	Ffekegon.exe
4132	Fcikolnh.exe
5596	Fjcclf32.exe
4716	Fjepaecb.exe
5788	Fcnejk32.exe
5028	Fqaeco32.exe
3128	Gjjjle32.exe
2372	Gcbnejem.exe
5784	Gjocgdkg.exe
3896	Gidphq32.exe
636	Gfhqbe32.exe
1844	Hboagf32.exe
5248	Hjfihc32.exe
5724	Hpbaqj32.exe
2016	Hfljmdjc.exe
2448	Hikfip32.exe
1028	Hpenfjad.exe
2568	Hfofbd32.exe
2288	Hpgkkioa.exe
1724	Hfachc32.exe
2552	Hippdo32.exe
2172	Hcedaheh.exe
3040	Hjolnb32.exe
2680	Ipldfi32.exe
4608	Ibjqcd32.exe
5080	Iidipnal.exe
3240	Ipnalhii.exe
5156	Ifhiib32.exe
5576	Iiffen32.exe
2008	Icljbg32.exe
1404	Ijfboafl.exe
3744	Imdnklfp.exe
5392	Idofhfmm.exe
5436	Ipegmg32.exe
2756	Ijkljp32.exe
3212	Jaedgjjd.exe
5564	Jdcpcf32.exe
2976	Jjmhppqd.exe
3312	Jagqlj32.exe
6092	Jfdida32.exe
3948	Jplmmfmi.exe
4480	Jbkjjblm.exe
4824	Jidbflcj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Dpgbbq32.dll	Djpnohej.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Eqalmafo.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Hopeje32.dll	Eqalmafo.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hakfehok.dll	Fcnejk32.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Eckonn32.exe	Efgodj32.exe
File created	C:\Windows\SysWOW64\Kmihaj32.dll	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Epopgbia.exe	Eckonn32.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ffekegon.exe	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Denlnk32.exe	Dlegeemh.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Eqfeha32.exe	Emjjgbjp.exe
File opened for modification	C:\Windows\SysWOW64\Eqfeha32.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Cibank32.exe	Cakjmm32.exe
File created	C:\Windows\SysWOW64\Ddomph32.dll	Debeijoc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3916	5844	WerFault.exe	193

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eckonn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dlegeemh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Efgodj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	2c4f9e6643cc2ab02cf43d375cc0fecb9107276e95d95a917243b7415dfdbf3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chebighd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbehnol.dll"	Cekohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll"	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qonnknli.dll"	Chebighd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2c4f9e6643cc2ab02cf43d375cc0fecb9107276e95d95a917243b7415dfdbf3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijkljp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3964	5052	2c4f9e6643cc2ab02cf43d375cc0fecb9107276e95d95a917243b7415dfdbf3f.exe	80
PID 5052 wrote to memory of 3964	5052	2c4f9e6643cc2ab02cf43d375cc0fecb9107276e95d95a917243b7415dfdbf3f.exe	80
PID 5052 wrote to memory of 3964	5052	2c4f9e6643cc2ab02cf43d375cc0fecb9107276e95d95a917243b7415dfdbf3f.exe	80
PID 3964 wrote to memory of 4516	3964	Cakjmm32.exe	81
PID 3964 wrote to memory of 4516	3964	Cakjmm32.exe	81
PID 3964 wrote to memory of 4516	3964	Cakjmm32.exe	81
PID 4516 wrote to memory of 4768	4516	Cibank32.exe	82
PID 4516 wrote to memory of 4768	4516	Cibank32.exe	82
PID 4516 wrote to memory of 4768	4516	Cibank32.exe	82
PID 4768 wrote to memory of 868	4768	Chebighd.exe	83
PID 4768 wrote to memory of 868	4768	Chebighd.exe	83
PID 4768 wrote to memory of 868	4768	Chebighd.exe	83
PID 868 wrote to memory of 2100	868	Cekohk32.exe	84
PID 868 wrote to memory of 2100	868	Cekohk32.exe	84
PID 868 wrote to memory of 2100	868	Cekohk32.exe	84
PID 2100 wrote to memory of 4084	2100	Dlegeemh.exe	85
PID 2100 wrote to memory of 4084	2100	Dlegeemh.exe	85
PID 2100 wrote to memory of 4084	2100	Dlegeemh.exe	85
PID 4084 wrote to memory of 3652	4084	Denlnk32.exe	86
PID 4084 wrote to memory of 3652	4084	Denlnk32.exe	86
PID 4084 wrote to memory of 3652	4084	Denlnk32.exe	86
PID 3652 wrote to memory of 1524	3652	Dadlclim.exe	87
PID 3652 wrote to memory of 1524	3652	Dadlclim.exe	87
PID 3652 wrote to memory of 1524	3652	Dadlclim.exe	87
PID 1524 wrote to memory of 1108	1524	Dpemacql.exe	88
PID 1524 wrote to memory of 1108	1524	Dpemacql.exe	88
PID 1524 wrote to memory of 1108	1524	Dpemacql.exe	88
PID 1108 wrote to memory of 712	1108	Debeijoc.exe	89
PID 1108 wrote to memory of 712	1108	Debeijoc.exe	89
PID 1108 wrote to memory of 712	1108	Debeijoc.exe	89
PID 712 wrote to memory of 1284	712	Dllmfd32.exe	90
PID 712 wrote to memory of 1284	712	Dllmfd32.exe	90
PID 712 wrote to memory of 1284	712	Dllmfd32.exe	90
PID 1284 wrote to memory of 5744	1284	Djpnohej.exe	91
PID 1284 wrote to memory of 5744	1284	Djpnohej.exe	91
PID 1284 wrote to memory of 5744	1284	Djpnohej.exe	91
PID 5744 wrote to memory of 4668	5744	Efgodj32.exe	92
PID 5744 wrote to memory of 4668	5744	Efgodj32.exe	92
PID 5744 wrote to memory of 4668	5744	Efgodj32.exe	92
PID 4668 wrote to memory of 4124	4668	Eckonn32.exe	93
PID 4668 wrote to memory of 4124	4668	Eckonn32.exe	93
PID 4668 wrote to memory of 4124	4668	Eckonn32.exe	93
PID 4124 wrote to memory of 3480	4124	Epopgbia.exe	94
PID 4124 wrote to memory of 3480	4124	Epopgbia.exe	94
PID 4124 wrote to memory of 3480	4124	Epopgbia.exe	94
PID 3480 wrote to memory of 1684	3480	Eqalmafo.exe	95
PID 3480 wrote to memory of 1684	3480	Eqalmafo.exe	95
PID 3480 wrote to memory of 1684	3480	Eqalmafo.exe	95
PID 1684 wrote to memory of 3612	1684	Ejjqeg32.exe	96
PID 1684 wrote to memory of 3612	1684	Ejjqeg32.exe	96
PID 1684 wrote to memory of 3612	1684	Ejjqeg32.exe	96
PID 3612 wrote to memory of 5592	3612	Eofinnkf.exe	97
PID 3612 wrote to memory of 5592	3612	Eofinnkf.exe	97
PID 3612 wrote to memory of 5592	3612	Eofinnkf.exe	97
PID 5592 wrote to memory of 5420	5592	Emjjgbjp.exe	98
PID 5592 wrote to memory of 5420	5592	Emjjgbjp.exe	98
PID 5592 wrote to memory of 5420	5592	Emjjgbjp.exe	98
PID 5420 wrote to memory of 692	5420	Eqfeha32.exe	99
PID 5420 wrote to memory of 692	5420	Eqfeha32.exe	99
PID 5420 wrote to memory of 692	5420	Eqfeha32.exe	99
PID 692 wrote to memory of 404	692	Fjnjqfij.exe	100
PID 692 wrote to memory of 404	692	Fjnjqfij.exe	100
PID 692 wrote to memory of 404	692	Fjnjqfij.exe	100
PID 404 wrote to memory of 4780	404	Fmmfmbhn.exe	101

C:\Users\Admin\AppData\Local\Temp\2c4f9e6643cc2ab02cf43d375cc0fecb9107276e95d95a917243b7415dfdbf3f.exe
"C:\Users\Admin\AppData\Local\Temp\2c4f9e6643cc2ab02cf43d375cc0fecb9107276e95d95a917243b7415dfdbf3f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\Cakjmm32.exe
  C:\Windows\system32\Cakjmm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\SysWOW64\Cibank32.exe
    C:\Windows\system32\Cibank32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\SysWOW64\Chebighd.exe
      C:\Windows\system32\Chebighd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5744
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5592
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5420
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5596
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        32⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5576
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5436
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        58⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5564
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        62⤵
        Executes dropped EXE
        
        PID:6092
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        65⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        70⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        78⤵
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4772
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        83⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:432
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        86⤵
        
        PID:860
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        87⤵
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        90⤵
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4428
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        96⤵
        
        PID:976
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1584
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        98⤵
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        100⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        103⤵
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        104⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        107⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        110⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        111⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 424
        112⤵
        Program crash
        
        PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5844 -ip 5844
1⤵
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
464KB

MD5
c7f92868fa8a595783b8356ce157b701

SHA1
888de75a07ce9f7efc7bcccd7b2cf5c513bdb507

SHA256
60368c7c92e0f7222fe305d9d67ace4324fabd009fb17015cb6318922645a4a6

SHA512
1b15b446a6bfbb9bd4127f28bc055e0ae34cb42fd035bdbe73cb7b4a909311089eae67366cba682b96c8bae518bfb9269006645672b03ed45c5a97bd75073951

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe

Filesize
464KB

MD5
e01ea69f0670984e812fcbebad790108

SHA1
de1c9d1897e8d607f2d3b33165bd0948f9c4b8cd

SHA256
c787fc91712110a8c3e7265594fb07bc67561c57c75d68b584018443fd6bc916

SHA512
f906b0393facfb743e3ab5df62eb7fd623ea0e77fd0c4c06be38726f6e309c980ca9ca91445961aba627dc332879774bc023b1fbb3a49608d7b02115ff6cb0b1

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
464KB

MD5
500df937bdf93e92ea4e53e54562be31

SHA1
8b3216335fa37072de478202b347ae9ee3151f28

SHA256
3ab127a0ba52098fe889e3faf5023fcf49f46b3562551daa7c0a46ddfb9dd5ca

SHA512
804330b12b0b1d41928bb76358738ce41fc6f2600b316ca4df17bf72c4c29405a25cfde43dc91d9e1b293b0bc05c1c743b9ce2df70712559309b9e4032a5f160

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
464KB

MD5
1e90fde69812fdd2b0154080b980be8a

SHA1
03cd0c354a941338c18635fe3af52ab0ac193888

SHA256
0fa105fcf2796c97685985fde308bf2a0a5951a6ff3bdbc551809d5bb0b5aaf2

SHA512
d87d460764a3e84cec02cec02ddeca2c07ba879950b831d1e12cdad6d6e396f165ff0427406bbe11748a04d6a22f2a78df5c98577e637788d4c535eac9c49902

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
464KB

MD5
accb4f83039ebbade86f30867d13a8a0

SHA1
2658057a952c466f0f8f7bb6d91ebf3465ba3a3b

SHA256
e6b44d007f602a6525105ca2bd196b9a22dea9a960c712e90b3329355b947fdf

SHA512
be5866da3d82179705b91ddc0a651d18f742c9c2b892a5585a7fe3a904216bf94cc2ad3639b963a8049e4366ee93874a0fcb4f893698c568e6fbb9bcf152b46e

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
464KB

MD5
252633bcdbdc0a4a7a0b880a1e8afca7

SHA1
a280b1f21706126d58238fd97b8fc17b375ecc07

SHA256
7fe89a0355173a5200d9695d7693e956ecefc9b26e608674de26b1aa399cbeee

SHA512
81b5c3eba4160b5dd68af2fc5d8a53cee690630e950072170e9943069b4525ba04fa20dc4d4b51972efc97be2f278ec0b353b18dd087ef1c5a09d9378c79f839

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
464KB

MD5
36d96da23e41d68acb8bcdaae636bb9a

SHA1
1039b0eae2eb81076ebeb769f520227b3cf53f99

SHA256
fc2d9b0442f59b0930f80153ead111cc8a68f9fd4404f48ab731905a9a7c52db

SHA512
16660b63f83c7ae2c4a15ae21daeef6d2d41465c00c400d82a5064745f51a812098bebbc042be034fc70f066de90d2657789656b855dd660947bfcf3ab2e298b

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
464KB

MD5
c8112410a39a8e61bd3f307ca10a89ff

SHA1
892d425785e87a6e40013c8474d1cab134ef6058

SHA256
5485944f150faea6855e678871282be5000ed55bef62839ee0304765cefc0cf5

SHA512
cf2566e9f7a0df738ed69866fa33eb3bfe21888c9a7d931ecf288b58f5ff2e6e109689364dc54264f3acf862e1f81d548a63d249a2b91f90a120c1b6cdeb2b50

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
464KB

MD5
2fd3f4b4cd7648de96c141ff85417ffb

SHA1
3ae2dc0f163d6ea35cc9aa2359819746ca229c8d

SHA256
b36f5756185753f9224b298b8139e96e71de4fca07814cdc309425f2df857d56

SHA512
f7d08b8571598ae0516898cbe357cc2de5547d5c272cd2134d37bbb77b310a2a85b9dfd4056d2ac5b3f4acc6dcacb0f3c845116c26728bd9229e02437e5e5fe8

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
464KB

MD5
cc3b0e629d3e4eb6f6a4476c36e00299

SHA1
b3ef69209cafda7938371e17f04165e6528544ab

SHA256
6119fee15657dde7c4478eba0f21aa1f579b01a6eb8d978f11d5152d057844da

SHA512
851d599738bc609ec06c7662c7a6aaa618bd7f36b23eb7594c632d75f8d064d8b5cf51fa156462d18f24ae02448766c7c7a5afda5808a843ebf2712acdfd0e65

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
464KB

MD5
2c5bf9cc016158fe92aeb93078487c61

SHA1
1835b4ce7816e4c144c86fba2931c646027a9c6f

SHA256
749c3e81833f0e6d0a186f76dbff7e4264c209e94052016c012171e8f10d7978

SHA512
b97ba1a137116860153fb1e0c44a7af3f67e68a575ece2cd72745059c51b83b805baeda0bf1809eb598f23bf47cec0911727113f4cde924e8116024cc883b926

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
464KB

MD5
d41c632b951be6b09f7609dc7ae360ac

SHA1
0300c1a151cc9b6e96b813db1e3530749aba85aa

SHA256
cb7b4f8d1f4cd49a282e83dd3cd3fcaa915f1b1fb825e989e3b2144687a947b7

SHA512
289d1676521e794feadc2e271f475ad2960e76d14dca247048ce4c9da92c74290d89123c66db1c29bde1d8dc4e161c57c3f7baca6dc92257f1dbd3358abd9ed4

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
464KB

MD5
c13e2dc46a191c34fb7a992d6a92b825

SHA1
0a01b382ae3069a127be2d2c6754921c99639538

SHA256
d542b77caf10c43678a2eef10f12257340f4b616786849d6db7caf18871363c3

SHA512
2f75858de27f42356ce84393d42d090161e5d5fb0836534a483f195b82916dd3dca06029303d49be4742791624dd6863e95dd5d71a6cd8e0928522676ee0242b

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
464KB

MD5
d0dc198cf549188b560478f2668dde98

SHA1
d7b1acb39ae4ed43910677112a552ba880a2469e

SHA256
30fd0ed613d97f9576ff0efb6d45b9f5688663ef1337c490b5d57d659415ac1f

SHA512
84609276c5f952e04a0825333fb3c8074af954bedb5c9c36458a8d2241f93c1ff0ecc5fdd54245ffbd0e363b6e0840f098d175e8f1e2a166bcd70d172929a963

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
464KB

MD5
ce856f69befc2d54ac6169cda163c713

SHA1
bfe4f89cf28859099186f1f4b573f3d484f85a57

SHA256
ffe74021bec82d90044738f7901eda12ed2805353839057a96f6bb3de381a319

SHA512
88af8543727214307dcee29203ce65eff0fae6d76748b1b910d8fc0dee269b2549d2e1550d71b7313d0a18adfe10109be06ae6cfae026f9d67a76547c73163c5

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
464KB

MD5
34ba84445c15423e6a095fcf993961b0

SHA1
b4c219da7d19f8923205eb0f87e797d1009a29cf

SHA256
dd77b9bfa3d41721345107083866e958a67b7ada547421d94d943cbcb180ac2d

SHA512
49e10d9f0e478ea518e4f3f7104a21888542a9f6059a124dd2f4f6998b9d35a16fb915cc3a6f06e0dff5b03e2dce34d4771191496ea67fbe8402f7210049bec9

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
464KB

MD5
16e6432bf6d879d8f2496ff98e88d58f

SHA1
8ae27550dfddf9bf997e7fca2f3b9648b91583c4

SHA256
c602368bb40374c9be3e7f482454b32ed6fcdb25548d8a51843cb555e8ee64a2

SHA512
95251dcddbc2e1d45f3be0639f5c6352d5dc4fb62f7c81bf99d8327e8304b2848cf7a189d5200151f1989ab52e6200b3d49731ab4ef12bd9876e1a85c18003e9

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
464KB

MD5
680f023528ee833137b631e89848b4c5

SHA1
12f2386dca0c271662bf730306cd9f2843df6f4a

SHA256
3bfbb0bd6f2e02c270563a3328dcf424ea725225114d3f097baccb4115f1cfe3

SHA512
3b4ca95b1c95d5f58bd9f0e23f522fb766e87ea5bf1b2705e7aa9fee1cf09870de45761922a526525af0c7c0d3cc93e4672c1aa38202f111c8cd17dcc1bc39e9

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
464KB

MD5
39af47b8c69a4dc95d4fc5943acd1872

SHA1
f337507d2c4edfefb33c8cc4e35371d5b1da129b

SHA256
a412e7131c6bab3e1eded2e896bc856cdee14934a05ab339d0326ca00223f7d0

SHA512
b4b926eafb6466d533b79f93ff349d3ad638c55e533c7dd0f4b73c849d9921d339b212e119c22db467d5fc8fdec6f2a0692f249f764434c41edf0f5c7f04a2a5

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
464KB

MD5
03737354f74c79fa5ba02ccd048a761a

SHA1
77195f621052094799ffea0521095e98972e86db

SHA256
f6d881f15432b342b1cb7f5591ca8fa1127e79cfe90635b62ccfafffb77e9746

SHA512
6b1da343bdc7fc5217bad4b1179422f84c3583fc4a5122b73f320213a8947387398a00400187f2477e1c4e5ade5970573c132e95edb91a883fb3ef8c667b149d

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
464KB

MD5
c6578abec39c2f1b6eb0328281244fab

SHA1
270ef7f6fab6b8b2bc580b880634c829bc6265e2

SHA256
fb60a7066b33b17c35417d6d04f2620dfce3de1b902e543d07c47f71f1fa4ca2

SHA512
fe9a08edc0639ad7511fa406cad346e6d930f2f26d468d2b8f7317a8f2895f10819d452aedd1be1a88e4cad6718f57593996af1af45ad2f368637b3231a746d5

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
464KB

MD5
dc615fdeeab7ef1f6b413aeb3a69af30

SHA1
65b1a0f91a3b20cef2730a5921bb7845e9b3c8ca

SHA256
f30b2e218695e6b2bac32dfafff63f69fdef7fb90f909fe7b4e50f4e1950963a

SHA512
6af7f8f2d183dc827b977122b1071c2f96a45184d6a4fb031b6dbb8b3aeaa54d94c05fdda01127c5278d8c339fae9d4e35e5519b6a82b7782a9fee44ca84d0b0

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
464KB

MD5
e7e58de3aee2c9885744f913c712c5c7

SHA1
c4bf2116ce366d64808e21818691f1d7657370b8

SHA256
2a69e409cd9e0ffc5f1b0fda538b82fe62ab400a64e259a7b13ce74745ac6b54

SHA512
baf7ac87bccd09bee820f9f2abc1e1760eb6c96218fa4524b19018446a1ea37ae58f2280a48e665d278cfb8ed51052dd177a0191fdbecd3c0f297f814d12f37e

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
464KB

MD5
9f03330952ce19386305bf8687e12591

SHA1
2aa56bbbb68110bbe4e178a31361dd998c13342a

SHA256
5ce7c79a4b79c3d79e01cd47ecff84206281c927d2dda8db966c26d174e449d3

SHA512
35bca6a1f7c122848efd4f9e00b8181f5931052a0f1e50261a4691f282372a1f0814269b3aed57e443054ca04b915abd37b392f2696c87835d5b8edcbbd8c63e

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
464KB

MD5
e0f97b2ff00302f7df258c78113e2ad0

SHA1
6a429ecd7c64d4d486233d8fab301648926465da

SHA256
c492f2cc6ebe38caf323f9554fa6eb8c494764041f3d61c33e2dbfa0c978dd32

SHA512
1f6d26525fbcff5b26929e05e19fc3f1302d1ced7b7858f31fa4e783ad59a9b646261b423f0aad681e3936b59254d9f85bd93e23b5c0fe92112815bd7cbc0a28

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
464KB

MD5
be21d6cb6040613132364c65967d3a2b

SHA1
ed60f16a61603fedaa036664bf461b805ecf9178

SHA256
e8efc3ea669f05cf414bb63bf39661655605cbe08c73a26012568a7b880d6d32

SHA512
fb9f725a5146f3fa5ba6fb55440375b70d45d9d5b0c803aee375d91873e7987261cbae1d5f2e06b9b089b36c28b0053d6f1832429fa8aad7e889b796e22348b7

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
464KB

MD5
31d76f085df44c6b96a9cce6dbe2fb72

SHA1
09401f9ee9f5dd5c49651d091ae9d52b2d6c7c19

SHA256
b783e8731142e43b7037e1e0ea678246da291e6d8fbabf41cfd37135348c3379

SHA512
642c0526542102dad7c44f3e8f8f32ccd26b37f712f575e0b71bb79e10287f772a6acbde42a104f12a8280e5b3b4d5aa14a9500cb6e7ea5dc2e4a6b40ae29008

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
464KB

MD5
11ff4f57095f03633e2f75019f75e103

SHA1
574951d257274bde7f60d920f736b11a40bb323a

SHA256
32690c319c8a53cc6c450b2e470b389fbb50b6f7ab886df97be393d25d546f29

SHA512
41a0302265147e04962c8a7ef7faba8586a6a438937d00922b72d60e4c464d919f231d6487a9a08377c20c984347cd6acab70b54b61f6b6f5ac7c1283993c09c

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
464KB

MD5
99cf0e1c0aebf7b020c91de90b96be5f

SHA1
b07b5bffd8388f29d667a5c9e1a8c57b04080c67

SHA256
56ff838ba0697cc8a438c541c70d7ac7241d0b202d6e4f220e67f117d3e504c8

SHA512
4c26f85eff91e18139b90f7d59aa70f73f00dbac6ac63d26227236bf5999bd4a7d89f84206a004335e137d75eba2d01b2faf2afea7bad85c183b93313351e698

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
464KB

MD5
c675ced1639fe91d164c6b5fd05cd371

SHA1
097018389ca357adbbfbd755cf8bb7308cba5b70

SHA256
54685805d4c3f49a7ce06e2d459300dd27427540c87f6cb09b09f7cea43eed02

SHA512
16d013b8ee8d980d5092d5ac6a2fc9309826bd3814354483e2a1b0843e9d3116ffd07ebb278f4b60cf4b7c10edba7994824b4626ab9cfc5b3d6984ab15c85b9e

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
464KB

MD5
d2110de6593efb797d417c9ad5e30e1b

SHA1
6079e2d0dc2345afe76b5c8d9ee91e4d515ac8a6

SHA256
f3a815f6069c20f06df8484c889dfb5e095b9ace83ffc96de34beef7040021b2

SHA512
bf76784ddaa1eea51900cad5b628d2102c4df8290b860718fb439145f72e23303f6c8e064ddc0b9442fd5ae5feec91b2b1e1874d22a7905c11b010d1ee36765d

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
464KB

MD5
72b771be9e0b62e29ed600ecd5f9222c

SHA1
f79e25f32990028384baebf3b9f78340b2ae5ffd

SHA256
e86e91a6b51cfa145eb6e10324bf0f0d9d8bd8e91951d5f980da2efe55569553

SHA512
d193f0f32617b431823cf9321ececd9ab82f5ef32e23581660c6936d7ea2938c77c49b9f1de1b5869e5271cdf9483db841334c2930520b808fe8e41f5bda244c

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
464KB

MD5
efe20d754fb33ce5e01a68b2a04c0fb4

SHA1
8e1aeb340f04710321c27de89bb8dc3a7ca48384

SHA256
ac85d6e0328dae627f117157433e939735eeea0491a724ebecd385e1ab888438

SHA512
48ce5fffa2b70e2c7ea6206b3f8d61e7da05b42946127976f2b43dd35a1facc58fbc8e9ab8491395e99837817dd4bc3904d8201bc09907b0747de8bcedccd44e

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
464KB

MD5
8473164226475329acc1684bd3605de2

SHA1
cc8c683caf7719843ffc440933e884f5c2773075

SHA256
19dec4219f21377a48a800f2a9008ec147547caf7512c980886a5bd0bf846c31

SHA512
aac9a74466ef29c85d49710638135a29375bdfefba5424b80bfe52ce46bdcff3fa86ccc604d3bfa915821f1549c94412b0094a63f503f162cdefc3489efc240e

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
464KB

MD5
ea126c2b7326a50f3cfd8b5cd8b12925

SHA1
c2e75e9ec1e29731920be128c6bdc73a63b16f05

SHA256
ec7a2b2510d2d948b61a8523512fc9b088fc1b54468ba82d638dd7130b76c106

SHA512
3534b0e750414f074283689400b005fff72c21dceba1f52038b96e979dbb0fccbba2804f158b93813adee897087603cb50a6ec261503691ff85af4704d3b440d

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
464KB

MD5
2522ce1c4d299d456442067929761a47

SHA1
196b3b27788339885eddd01f310e03a1785aae0c

SHA256
9446f95253fc5e086208a3fe6409958b49f006bc0a93cf4bbeb21b6f359a65bf

SHA512
371554e3570dc8b82054ba1f980014b27f5eb96128c2cf9899d4a45d84fe55edbd81daf3942776172f8fd5496cd2a16ea985076db87bd7b69054182d3e101166

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
464KB

MD5
b00087b160544c6d1c840aca835ba586

SHA1
91595be3d546107fb06cd0b5bdffd35c9fcb841e

SHA256
244153695c60efccfc05537a4502f13e83e1d50b5a7b72dc076ee0763feec2f5

SHA512
230a065040474823869468b68e6bdcab2f97fbf9f0f708a6ba223017a195f90ba0eac3998f5a413298fbfe2920058337e3a0642cb4c3f54c8d1133dbc17a0434

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
448KB

MD5
b2f707aa64565ae37accdc666f044899

SHA1
15c6a6f1c48ce7c0b56688ab4753a269dfe076e0

SHA256
5e40d2bb7c3fb6577fca17290fe19f0c3a51cb2ef253378c612ff19d85d13036

SHA512
14bc7bc14ef311fa8763294b2e29dc91ee1868c51b9e3d0e410ddc413b9cdb1753b6176862a80285ecf771907fa6debb25a426234a127d017f08e68354771c0b

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
464KB

MD5
be8a97738ed95e14efb4451bb6df0075

SHA1
5941468ae36ee781c33ea46563449b7d857b66ee

SHA256
c41e4269c80f43c711379cf03c110698413264c1a7604caf084ffaf0e6eb9216

SHA512
1e02349c9b1e828c9a7c9225cf4a17ff1faf420d45b0f69e263c2e3f7e1884c9377605cb8e50fe5769a726a869bd5a5a82c72b795a2e891130c840749da467d4

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
464KB

MD5
1242c0c22e10cc1ce5020c797f4e19d2

SHA1
01b5657a2dbe198cc642b40006c9143bf40fb369

SHA256
25d16276e7092a3b65fb5b6f01f9b2f3cc4483be4f2076b1b6b07d78b489bac3

SHA512
b85e0f7c34067100435ee99a38ee64422f9abc62bef1dc282460cded422d24a2938cb8f5d1ec0ac58a52a8e75a1b430719b8b02076bdead855e7816c72cb6d7b

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
464KB

MD5
e0ccb8ba630eea4fc56c908016410ccd

SHA1
067edb7b9b96cda524fb26def8bbe5d74efc978f

SHA256
18be938611c5e370e5ecffc581e840c7e06f61a01f2e47124188b49b1e45f325

SHA512
ccbf839ab42bd3187a861855d380aee1fd4713b841f3ee63d0e9d0d86c9d09f9a2c3ff066a7131d2b109da480aa49f8515783dab98b0932ce9cef928b7db6fc5

Download Submit
C:\Windows\SysWOW64\Plbehnol.dll

Filesize
7KB

MD5
33b1c822a3307fe420ae8d73704dd14b

SHA1
7ecc52b3b2fed4cb421f3f270481557f98391fc7

SHA256
27e616d055275f13a4792d628f2dfd5e19bd9b066059bdc34db273f9e15c6a5e

SHA512
4121c575dd1d7415ae32b0d645d1b4ad1e6d12cd519d6f5b1e174e6853715f6899e9b9c42c3198d2391d6565ef468267a67587a112329fce134f1fba038dbe6a

Download Submit
memory/364-574-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/636-253-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/692-164-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/712-80-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/712-596-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/732-501-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/868-557-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/868-31-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1028-288-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1108-590-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1108-72-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1284-87-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1284-603-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1384-467-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1524-64-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1524-583-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1584-635-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1684-128-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1684-634-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1724-306-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1844-263-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2008-365-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2016-276-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2100-563-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2100-40-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2172-318-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2288-303-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2340-579-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2372-228-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2376-515-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2448-286-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2452-509-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2552-312-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2568-294-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2640-584-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-451-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2680-330-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2740-449-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2976-412-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3040-324-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3128-221-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3212-401-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3240-347-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3312-418-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3480-628-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3480-119-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3612-136-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3612-641-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3652-55-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3652-576-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3744-379-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3896-245-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3948-432-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3964-533-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3964-12-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4036-479-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4084-569-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4084-48-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4124-111-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4124-622-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4132-182-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4428-598-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4480-434-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4516-544-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4516-20-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4668-615-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4668-103-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4712-508-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4716-202-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4732-460-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4732-811-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4768-24-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4768-555-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4780-173-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4944-491-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5052-4-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5052-532-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5080-346-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5156-357-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5248-265-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5392-382-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5420-654-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5436-392-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5448-648-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5548-545-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5564-409-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5576-359-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5592-647-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5592-148-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5596-190-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5744-609-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5744-95-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5784-237-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5788-206-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5956-616-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5968-480-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/6104-531-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads