3dbf20a368157f4edf5b2cc20ad34c3ffb613c894f09747c2f235a7e040df731

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dbf20a368157f4edf5b2cc20ad34c3ffb613c894f09747c2f235a7e040df731.exe
Size

80KB
MD5

54ac88c38d0b02d6ce292166f71bf66a
SHA1

07d35a031099e96162660c6dc84153032d9671d3
SHA256

3dbf20a368157f4edf5b2cc20ad34c3ffb613c894f09747c2f235a7e040df731
SHA512

f6e59883f6bd58ddefca93199a18f4e3ecc18732ff3fe798fb5ce3349f2a0b2b10fc136bd0004fb17b6ef21d013c9c1411ac5c76458fa0392acf3de29ec65b22
SSDEEP

1536:/DT+4FcUTiYjfkOn7iZdwQ+pRZAnrjHThxM3i4AjV62L/aIZTJ+7LhkiB0:/DT+xUTiYD7isfZADrM3i4ol/aMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieolehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmknaell.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilghlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe

Executes dropped EXE 64 IoCs

pid	Process
964	Ibnccmbo.exe
1236	Iemppiab.exe
1032	Ilghlc32.exe
3312	Ieolehop.exe
3680	Iikhfg32.exe
4488	Jfoiokfb.exe
3540	Jlkagbej.exe
1808	Jfaedkdp.exe
2344	Jmknaell.exe
4512	Jfcbjk32.exe
4748	Jmmjgejj.exe
4232	Jfeopj32.exe
3912	Jpnchp32.exe
2316	Jfhlejnh.exe
1052	Jifhaenk.exe
3236	Jcllonma.exe
4548	Klgqcqkl.exe
900	Kepelfam.exe
4332	Kpeiioac.exe
4000	Kbceejpf.exe
844	Kfankifm.exe
4980	Klngdpdd.exe
840	Kefkme32.exe
1404	Kdgljmcd.exe
1444	Liddbc32.exe
4256	Lbmhlihl.exe
892	Lmbmibhb.exe
4948	Lfkaag32.exe
3284	Lpcfkm32.exe
1140	Ldoaklml.exe
3040	Lepncd32.exe
4196	Likjcbkc.exe
4436	Lingibiq.exe
212	Mdckfk32.exe
4060	Mlopkm32.exe
1156	Mchhggno.exe
2124	Megdccmb.exe
4080	Mmnldp32.exe
3100	Meiaib32.exe
796	Mlcifmbl.exe
4064	Mcmabg32.exe
2396	Mmbfpp32.exe
4840	Mgkjhe32.exe
3068	Npcoakfp.exe
3272	Nepgjaeg.exe
4804	Ndaggimg.exe
2828	Nnjlpo32.exe
4844	Ncfdie32.exe
1584	Ngdmod32.exe
3024	Ndhmhh32.exe
2012	Odkjng32.exe
4976	Opakbi32.exe
3212	Ogkcpbam.exe
4500	Ojllan32.exe
3756	Odapnf32.exe
2956	Ojoign32.exe
4496	Onjegled.exe
624	Ofeilobp.exe
4812	Pqknig32.exe
2964	Pcijeb32.exe
5048	Pjeoglgc.exe
3736	Pmfhig32.exe
460	Pjjhbl32.exe
2512	Pqdqof32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Klngdpdd.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Lbmhlihl.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Jmknaell.exe	Jfaedkdp.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mchhggno.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jfcbjk32.exe	Jmknaell.exe
File opened for modification	C:\Windows\SysWOW64\Jmmjgejj.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Mhkngh32.dll	Kefkme32.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Kbceejpf.exe	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Kpeiioac.exe	Kepelfam.exe
File created	C:\Windows\SysWOW64\Gnbinq32.dll	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Elogmm32.dll	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Kefkme32.exe	Klngdpdd.exe
File opened for modification	C:\Windows\SysWOW64\Lmbmibhb.exe	Lbmhlihl.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Iemppiab.exe	Ibnccmbo.exe
File opened for modification	C:\Windows\SysWOW64\Jfhlejnh.exe	Jpnchp32.exe
File opened for modification	C:\Windows\SysWOW64\Klngdpdd.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Mcmabg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5516	5416	WerFault.exe	200

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll"	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3dbf20a368157f4edf5b2cc20ad34c3ffb613c894f09747c2f235a7e040df731.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iemppiab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3dbf20a368157f4edf5b2cc20ad34c3ffb613c894f09747c2f235a7e040df731.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 964	4932	3dbf20a368157f4edf5b2cc20ad34c3ffb613c894f09747c2f235a7e040df731.exe	80
PID 4932 wrote to memory of 964	4932	3dbf20a368157f4edf5b2cc20ad34c3ffb613c894f09747c2f235a7e040df731.exe	80
PID 4932 wrote to memory of 964	4932	3dbf20a368157f4edf5b2cc20ad34c3ffb613c894f09747c2f235a7e040df731.exe	80
PID 964 wrote to memory of 1236	964	Ibnccmbo.exe	82
PID 964 wrote to memory of 1236	964	Ibnccmbo.exe	82
PID 964 wrote to memory of 1236	964	Ibnccmbo.exe	82
PID 1236 wrote to memory of 1032	1236	Iemppiab.exe	83
PID 1236 wrote to memory of 1032	1236	Iemppiab.exe	83
PID 1236 wrote to memory of 1032	1236	Iemppiab.exe	83
PID 1032 wrote to memory of 3312	1032	Ilghlc32.exe	84
PID 1032 wrote to memory of 3312	1032	Ilghlc32.exe	84
PID 1032 wrote to memory of 3312	1032	Ilghlc32.exe	84
PID 3312 wrote to memory of 3680	3312	Ieolehop.exe	85
PID 3312 wrote to memory of 3680	3312	Ieolehop.exe	85
PID 3312 wrote to memory of 3680	3312	Ieolehop.exe	85
PID 3680 wrote to memory of 4488	3680	Iikhfg32.exe	87
PID 3680 wrote to memory of 4488	3680	Iikhfg32.exe	87
PID 3680 wrote to memory of 4488	3680	Iikhfg32.exe	87
PID 4488 wrote to memory of 3540	4488	Jfoiokfb.exe	88
PID 4488 wrote to memory of 3540	4488	Jfoiokfb.exe	88
PID 4488 wrote to memory of 3540	4488	Jfoiokfb.exe	88
PID 3540 wrote to memory of 1808	3540	Jlkagbej.exe	89
PID 3540 wrote to memory of 1808	3540	Jlkagbej.exe	89
PID 3540 wrote to memory of 1808	3540	Jlkagbej.exe	89
PID 1808 wrote to memory of 2344	1808	Jfaedkdp.exe	90
PID 1808 wrote to memory of 2344	1808	Jfaedkdp.exe	90
PID 1808 wrote to memory of 2344	1808	Jfaedkdp.exe	90
PID 2344 wrote to memory of 4512	2344	Jmknaell.exe	91
PID 2344 wrote to memory of 4512	2344	Jmknaell.exe	91
PID 2344 wrote to memory of 4512	2344	Jmknaell.exe	91
PID 4512 wrote to memory of 4748	4512	Jfcbjk32.exe	92
PID 4512 wrote to memory of 4748	4512	Jfcbjk32.exe	92
PID 4512 wrote to memory of 4748	4512	Jfcbjk32.exe	92
PID 4748 wrote to memory of 4232	4748	Jmmjgejj.exe	93
PID 4748 wrote to memory of 4232	4748	Jmmjgejj.exe	93
PID 4748 wrote to memory of 4232	4748	Jmmjgejj.exe	93
PID 4232 wrote to memory of 3912	4232	Jfeopj32.exe	94
PID 4232 wrote to memory of 3912	4232	Jfeopj32.exe	94
PID 4232 wrote to memory of 3912	4232	Jfeopj32.exe	94
PID 3912 wrote to memory of 2316	3912	Jpnchp32.exe	95
PID 3912 wrote to memory of 2316	3912	Jpnchp32.exe	95
PID 3912 wrote to memory of 2316	3912	Jpnchp32.exe	95
PID 2316 wrote to memory of 1052	2316	Jfhlejnh.exe	96
PID 2316 wrote to memory of 1052	2316	Jfhlejnh.exe	96
PID 2316 wrote to memory of 1052	2316	Jfhlejnh.exe	96
PID 1052 wrote to memory of 3236	1052	Jifhaenk.exe	97
PID 1052 wrote to memory of 3236	1052	Jifhaenk.exe	97
PID 1052 wrote to memory of 3236	1052	Jifhaenk.exe	97
PID 3236 wrote to memory of 4548	3236	Jcllonma.exe	98
PID 3236 wrote to memory of 4548	3236	Jcllonma.exe	98
PID 3236 wrote to memory of 4548	3236	Jcllonma.exe	98
PID 4548 wrote to memory of 900	4548	Klgqcqkl.exe	99
PID 4548 wrote to memory of 900	4548	Klgqcqkl.exe	99
PID 4548 wrote to memory of 900	4548	Klgqcqkl.exe	99
PID 900 wrote to memory of 4332	900	Kepelfam.exe	100
PID 900 wrote to memory of 4332	900	Kepelfam.exe	100
PID 900 wrote to memory of 4332	900	Kepelfam.exe	100
PID 4332 wrote to memory of 4000	4332	Kpeiioac.exe	101
PID 4332 wrote to memory of 4000	4332	Kpeiioac.exe	101
PID 4332 wrote to memory of 4000	4332	Kpeiioac.exe	101
PID 4000 wrote to memory of 844	4000	Kbceejpf.exe	102
PID 4000 wrote to memory of 844	4000	Kbceejpf.exe	102
PID 4000 wrote to memory of 844	4000	Kbceejpf.exe	102
PID 844 wrote to memory of 4980	844	Kfankifm.exe	103

C:\Users\Admin\AppData\Local\Temp\3dbf20a368157f4edf5b2cc20ad34c3ffb613c894f09747c2f235a7e040df731.exe
"C:\Users\Admin\AppData\Local\Temp\3dbf20a368157f4edf5b2cc20ad34c3ffb613c894f09747c2f235a7e040df731.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SysWOW64\Ibnccmbo.exe
  C:\Windows\system32\Ibnccmbo.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\Iemppiab.exe
    C:\Windows\system32\Iemppiab.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\SysWOW64\Ilghlc32.exe
      C:\Windows\system32\Ilghlc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
      - C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        33⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        35⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        38⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        41⤵
        Executes dropped EXE
        
        PID:796
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        49⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        53⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        61⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        65⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3176
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        68⤵
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:652
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4004
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3772
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2744
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        78⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:896
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        80⤵
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        81⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3308
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        83⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        86⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:336
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        91⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        94⤵
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        95⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        97⤵
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3000
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4824
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        102⤵
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        103⤵
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        105⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        106⤵
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        107⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        108⤵
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3300
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        112⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        113⤵
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        116⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        117⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        119⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        120⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 220
        121⤵
        Program crash
        
        PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5416 -ip 5416
1⤵
PID:5492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
80KB

MD5
f64f333e9f5f2214a842ea1852b90c30

SHA1
2743ea557afcdf507ea609a0798d6d0906982cbf

SHA256
8bc87f2a4538a09bdd5af29cdee74361c1fa5e06ee4a7a60ca10e10cbfd075de

SHA512
d36e5e670d7a4eafd70d76b02d16b4d7e8ee0fe53b2893d813890db1252707a2966e0a5c0affc93bc5dd5efa808deedf1c5fe7b3ee3b14416b5f6fd1c2fde3b2

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
80KB

MD5
6f45aded7547ef349e7579d7e23d155a

SHA1
bd862a66c1ff5e835854b9a648cb0aef630f16a6

SHA256
9d2bb5804b8a61384893efe517780108f5855b4b54d7dc4851fb17ffdd41ee79

SHA512
af666b7b8eadb16389f1fe685a8ac099ee53e59b4cb74adb0ceab2eccaec02a74ec90113d0a5be08f39a69d6a9ce87ca6c4038aeca0b52c3f615824a08973f4a

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
80KB

MD5
3c7a5e13e9d75843695da22ad7e9b98e

SHA1
80d9ceb9fe47c51d02dc9c157b5aa6d7b1b934e4

SHA256
f4ca555b4d694702e4ad500511467cf72054ffdc4ce16019c226a91cf19ca459

SHA512
0a761d19920314635f47a3b0feaa45f625ac2dfaafdb61d89664a65aef540fb8114bac71cb50709ff05edee8305e49415a400313eb5a4b30934f5d3a16d159dd

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
80KB

MD5
dfaa1cadfeafd18791ac893733d65edf

SHA1
2076eaede6f93947c928df26cceea55987b0f7ea

SHA256
703f17aef37f873effd9554302d2f269ce277133c26f01ec2eebeea888660228

SHA512
6b5241b93743819705b759e48ff035b1a3d366f7945cccc3b2dfa30e8ba57469ebaff76ee4fd9b9def3ddfd9927d10130f1456fecef06f3b3ae684f9e059d48c

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
80KB

MD5
4372dac1e5bea0f9c1a1fc9ef8ac9798

SHA1
32a7962752b2003d550f8584c202f7d2e841d707

SHA256
7b78f539d36aaecc0ff8fd195d5a1fd91bcf83ed905f455d0742260bc96ec6bc

SHA512
5ab8eca0ef17ac4625118b2d9af93109a4e37b70feb239f77ebfe3e1cbf18a242b96b29c6221d16fd9844d49f6235c2cf14a0305e4ecd701d7e12d8777d0e25d

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
80KB

MD5
f18040bf9f33474c4336c1de2b497ff5

SHA1
1e8076c44121716c6f608a9a791ac62e53eae919

SHA256
151f8a884c3cf862ca8fbe5f8c66f503e709b1022936d977e98f9b84c7da6c87

SHA512
928f21e47e0ae96208433b5a862fc287bb0d007f6715bd62da9c264974230f0caed68d6f30534c715c81537581eb99255833bf4082061cb1d12e09c6fc361a54

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
80KB

MD5
d5256f68df1b81a22cf9831e327a4353

SHA1
438f42c6ac241b1d60ee56a07b8d053f7f23afcb

SHA256
974123e341a00a2c8b77e8f4328552ba525da33b19aff010f6de1e916545554c

SHA512
9a035f3ddea9e5e5a482a927cb8294e84ab3509f08b7bf098e9b18a7ce0212b43616305be39c36abe2191d3646bb597734924dd35683cf1157bc47d3425549e3

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
80KB

MD5
2dd3a5cf28f05f194147f598b57356f3

SHA1
dc3a809a60951e57ec07202c097ec1dd803372c3

SHA256
ae8a289ae1dea4b30a35fb48f2cc0371fb04f1d6516160e74a74c261554e80b1

SHA512
e0f6e0f8f1083c6d289199df50362456f9f8c445a166d4c600ee2df7657ea7a25fef0cee79c6d395eab1a4a7515ffd06a18fc2d42860c76f625c4edd7ec73796

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
80KB

MD5
be506457135a9632696f5a46efe99821

SHA1
f4983fbec9663b9fed18be6ccfb918b8d3b12294

SHA256
f9664801bb30222f1df8aad5d3c731ff310fb141435bdebdd9e2565f7d764528

SHA512
b0500a3b1201540058ab54666925dacf4b5576b2881c8c366aae56afa7593a14e008edb536b61ff59adaccc1f20e2142398eead67a261bfda28eac9a02bd3f10

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
80KB

MD5
c112ad8e715c2f12e1269c8ef7740b3d

SHA1
a603ce443a31ba4e481e7daf8d31c9e5d7468485

SHA256
5b05aa1ba066958f7a563eb4037adbf66b65e5ee12617991447c99b0ae260aa2

SHA512
e8c6eac6995ea8c953f4ecc13394c4d404bf4f9c78be1c343847b01db25a179a5cba242d3cc305662358c5ada57caad0bd58e54bff397d6c5909fd2dbd45cbf9

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
80KB

MD5
1e59e148f2d8fad52c9b68a05841a4a3

SHA1
86b13f5f96e9e67617e04dc813fb0bde576ad35b

SHA256
e4aa3cb0922ee6d84344d9468983b804419f817b484f93791f9021e274404be2

SHA512
9abd9d1b73e1c2f3904cd8dec8528474cb24d48ad63a2bfa3da11bb0b76d1b4f8bf0208b1be8c252045204cfc669b79699cff28d66dead8e074e0e3863facbff

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
80KB

MD5
d9a23bbccb6776c0f45c3425fbf337a5

SHA1
45921716d612ef18ef5036028d2c283e1132a43f

SHA256
0750c41191c938067fbb1ff71fafa0fc58dc5d090a162ffa4b3c9ea27676ec98

SHA512
8f1f5c5b6418b3f87d118722584cfe8d1cbb55e62bcd1807934c44b1b5a985de96d8621a65f6c49da3c17d0d4d610efbd14bb9e32a3ba5bc6ca250b725380ef9

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
80KB

MD5
866a8b98028e075d27d47aa843f3d1ca

SHA1
1632d92ac7b3686fe5853e10c5d5340fa2a99072

SHA256
2e8655165bae31eb6a2ef27ab55a7e32fe4aedb554e5d95d57a1f41c8f54f22a

SHA512
4ec6900954641e59b8d13325f2622bcbf958d0bb16b71e59f1f64b78924ef10d81e16aac73188fc5b5bc66dd4790a4aaabe832c0464a37b8562ef298f5346866

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
80KB

MD5
5f31ba11f944631add88ddb0a8bd20ad

SHA1
18fbcd075ac5768891e292919d7365a9630ab9e9

SHA256
7fc1ec50b668e8fb16d10980a4a04697deee8231db62719fc013a9e84297ad1c

SHA512
2774279d64932882ecc460afe38589ad9d79e85497780a99547c714c9df0f1b122da26f7efb121f498ad148a716343d3ff1c181e7445f036830d6e9e65f4c9d0

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
80KB

MD5
31e35c69ce5075c59170455d1a148923

SHA1
2844cff36c77b73d9bee7a4ae23cb53bfd1bd332

SHA256
0b4c8a9a125c39262ac2bac8afb174c2c3f5f20723707889ed7e35fc7d1fcb2b

SHA512
584ef7b3bc777c94ce148e2fe6c35e578664e75b4d3ab029be5c671badf01243c890c0b6b7a9f67921dd2e743751f3edc558b879c8f6ca1a101c8a3bf21b69f8

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
80KB

MD5
9689cf430af1c04b637d657094f6f6d1

SHA1
691be849852e4c2445b2b3771c6969f649dd483a

SHA256
f5b03bae5a9ec32870b79d9fbf6fac86b5c4f5bfb3331e7875f2cc46a3980ee0

SHA512
b31f98f65af27f399d03b396e7db37dcebd6bb1b71258983a227b0d98b3a42bc567f5cb2a30ac60393c25c13faa7be41597a47141e2a2f786d71990df15088d7

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
80KB

MD5
d88cbbb310fc59d0e0191b626064b686

SHA1
e7c843da1499a62c3f29a83a8e21f29da4c3ed74

SHA256
e2de4edd1d44dfc147a3e2fc51e364a14e72e0ebb7d25f9211800437dae2b507

SHA512
1a1638006327d9336c7b371d83d0c2b37d1963dab7092e00591aabab333fdecf963e67c59ca30439d443da4fac1714ebe17bcc0a0782ccdfaf116b6bb892fb9b

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
80KB

MD5
7e2e8e2238a010af5bf3f0a0a915c4bb

SHA1
282c8db41298c511c2974715fff92535b6ba7d45

SHA256
d06dee6e166f64c5a75f7bb2a84294366cb3c9985a19d811c8a07fce32a057a0

SHA512
09d36902fb796a3456326da45519c6256c32f98bd7747fbf745c9095de687cf67e837c50cdbe01c7f27542103f528919ffcfaaea7f03849abe339ebf715a9b8a

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
80KB

MD5
537acc03c61a255e1c0faf7ba0c4d1d9

SHA1
6f21ff02fc3be87496bc93cb5f85d605bb7e1c5e

SHA256
70e0f82e15f89948a323796eff22ed323b618e771b9a0a8c6b3ae25f7ecb4240

SHA512
94b103519f655bb27ae6e0081a4df698c98fad17777268c45f511fb9894082b5dc21e213c6372b86275c36d011c1b9b18fe6b863f78be5a313ab1045a8e38578

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
80KB

MD5
3789ffe0c93c31ff02a545f12a998a5c

SHA1
ae93aa0cf6a8bb1c7185584f65fb9aaabb6bd3e4

SHA256
e0fca5454c969a0f339eefd99f731dd3561a2fe8f1bd157f870b1c8a0786e415

SHA512
d60a70b0888e272c6509840d7152ebb31d4f3834b8f0e41690245a7c74534c5e2ae7f758fbce1bc250451d272d10e46fa6b09d45e6387c984cdfa0dddfc9da8d

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
80KB

MD5
5cb08cdd0db02262467939f757441075

SHA1
9386733d9c60461619df7c54248cafc3a4cc10d7

SHA256
aebebb9e7b76f170eecd39f36ccd1375409a72f672484ac7ca03c2be4c2c8c68

SHA512
6de362d8e19accface50793ff9495ebd44373e0eea3d67a8c875d2fa6420c546d95b2335403baca31d4e3137b5c53afacf04b550180e76244d5097c651d1ddba

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
80KB

MD5
d3f230da474c4d7b13f3dfaad8247662

SHA1
eaee8a602bc824a066cc87ee09910cb1fc9e1f56

SHA256
5a41491f5ed94c656c93c4b01f2feba057a59e049bbbc75ef382f303129a3c7f

SHA512
14c6374eac3865f8a5132fb26351df9a8a2a3539767f3afc4b0e2da0665928e684e61b58cda2c45d33048775a6692b70225d95c4ce6332744d3e03b397eb378f

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
80KB

MD5
8691a2ec7bd93e5e42074f39f6eeb119

SHA1
cd8e882f4d9446f7529b8ec20468877c5ef5f0dd

SHA256
a91854cfe9fab6cff944008c1da935cf4bbe112316250561cdd47f9908334fa8

SHA512
06188c2245439b5520b83a6edf60c18e387b017b4a2a0b387bc92aff20f2a8ead1b9aec74e15b90c04ff84935d45e401a12b2ff5f4a26a03dbb46fcd8c6780e3

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
80KB

MD5
99a3f1f8d3ce8a29233203f281e770a7

SHA1
84bdb03e38120c40e1c5d0ab4a9135dd1e0dbe1a

SHA256
66bf8b6013ec26a5fd5529bebaf198e8bdd6cd2aebf7fe98dd5e951ea56180b0

SHA512
ed4e2331cf9522878ab05d29109d7560c525658fa25aa8135398587351dc5c4e3bc60af476cae34a22c9f9eab3bbe560d0e35c5be31cc0a63d8d1c83bb436bec

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
80KB

MD5
fd6a29a09617c340492c30610d6654fb

SHA1
6ae7477700130afeb1535dbfc64980d5602f33f3

SHA256
d45a2d21601b3a10b93d23b3a8df44034f50bc734426f04bbacc3b1e68a00738

SHA512
f689835040836e74f7114426f936ad2bf61a7338719ba84cf8b36fd83f5f065eb3c53e8e3a78fb0ee9dcdc56705792cc6d298fc90538ead0db0fef0e48bf944a

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
80KB

MD5
5d23ff644a52f62664083d14ba72c750

SHA1
0e9872181ed7da48128a1e6d14e81b267baea1f9

SHA256
562cfaa0aab449a44a3955741f2553503f26083584eac96ad9aab248cb30a4cd

SHA512
68069bcbc81e80a561bb8b0af05cb3ab5d0480e2bdd00a1ff1271ec48ae11d2ca255d97d3c124f7c30f5faca9213598dad4e69f120d8c136d7de3f872ef76a12

Download Submit
C:\Windows\SysWOW64\Jfoiokfb.exe

Filesize
80KB

MD5
787b815eee34c7ca94c1b9ca12ef3fab

SHA1
6ec1ab25d93632ab1d85998a63aeaaec0a7531f9

SHA256
79e2dedb8c679f5ee6437a28c8dbfa6f6ea84609174bca2ddcfdc1975e648f83

SHA512
2633dd37aeccf7613ec011981b7de43dfa0b9d03c90883d558c9b863d50378adbe3c1bbfe503b3492726c80efcbdefc05f2fec6554c522ff8783f9b6c8a16dde

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
80KB

MD5
b8c0f803268ca45a9e18482f9501576e

SHA1
b1367b6faeaa2eece707f3411d377b2585de106a

SHA256
3c5ba451cd3a7dfc40c7f3167fb3711d5ccdb1053476a55eb882090b334ca4bc

SHA512
cd13f0c6f93b495b77aec9849d7d8091cb83e4e6530f86706d4ef3219cdb0496f21e7a914b62cc0e14e4dd0a046f04fa1779ef7bc056dc1dec9282804efae4c9

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
80KB

MD5
ff678e35c5c98b7c922949f91b58e34b

SHA1
94f8137308c2419a604a6524661ca5a52add38c8

SHA256
eb8d10e92376ed15660cfb9f9a0dff21f1549ccc1e2f62edf89acffb265d8759

SHA512
beb2d400c113bc0b8595887696f68ceccbc48b5dd2a71cc9d17b9e3f24c8c782d089bdce1095007aeb54af2fc3665162c2cf0f06ce80948970cc361ec104b518

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
80KB

MD5
935396c7e86fa24b15b9c521da5e5d1a

SHA1
c5b20e9d1ee8f38f1e17259485ee797bb12e58db

SHA256
32d701b3b04031bd2de8578cf62a2259efb7a0cea0be6d1fd2f54802f546e54d

SHA512
df52bd6c897e76ca28d35b32aa702739ac798b435ae67cf180163665dfa162da610f428fc2d5a483587a7e8155b8ef48ea96a56cdb2c383fb926083eb905f1c6

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
80KB

MD5
a245c4b73391f72089c1f9ed0be41080

SHA1
94d820657b778b01c6c8e31e1d7b3fcd87ddcc2a

SHA256
f525ede6105be5753cf2cdfaba9baff642a0a2ff86fce767451babce19996eb3

SHA512
c52d2eda1c4bd71e633cf3dd03e18d5dc37379361759ebc76b7816c1b31d30e218379f1697fcaa35cd0cb8271b4e3f12988c27faeeb90c34d70973cd66ac8346

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
80KB

MD5
f6e30af256a20f4cd24d3bb498720ad6

SHA1
ccac7724e571be61c919739b603d2acb7a64881d

SHA256
9fc50043b6758b7578f168dbd83fb7a34a359621b5380e4e2d6c3df8aa436e8e

SHA512
6101f3e580020280ad28a8cd27da2e3381b4af3cc5278408196acefe969e8076b2ef763cc12335de4afb799b848a9f7b0b35939724798c42e9af0b545c78f107

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
80KB

MD5
e2e4fbbef03d910ffcaaaf8ac3bb9245

SHA1
6e93199d448712367572e29f4c225c0a3556ae32

SHA256
a19c76e04a236374a001eb777fb279c99b85a1b00333e8490d603765f485e99a

SHA512
2230625450f8179d3f63643736ac1198767b18ddd60e537582c082fb8b9586f23cf7ee21163c56960f0d6e8855d2cff8edcccfffc3821d25b3c766c83371fe05

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
80KB

MD5
3db8710f2003c98bd0ae289fd3f84a9f

SHA1
56a7bc7f7b0c1f3f583ec7265341cbb3a5404466

SHA256
1f55c1330dd447d2cafbbd0989dca2c6927f84027018692f917f66ef6a59cd94

SHA512
967ebcf284a62be9a78963ccb092ed10130a0e93741a1a00d0de20a4fe51331770c1768049e77cffecaba74a9cc8b4dc80167b7a069f95e811cb4c2cd9efcb37

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
80KB

MD5
d4fdee13b77c3b2584a311dc00389542

SHA1
038a8ac2c4636d2cbfabde9b9e4903174dc373f0

SHA256
fb7c547ae79a4c7405145d31076fd124727767b4306fa6f8fc3be41d60617c59

SHA512
4e779050fed5ddd8c96b2ca9b6b0399a1238ac6c8a2e2e055b3c9042a97ef20f584ffcd44775a88a7d8915694b32c58ad126d48d378512396e46cf39bc1e6d03

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
80KB

MD5
089263ec43dc407fbcbc1dffb460eff0

SHA1
b038e43bf30742a60da4d3878401282507b976ae

SHA256
d2d7a78c6ef4c46bda7d9df908c624d5eb0a213b2b6d0c20cd22eedf7d6e54a4

SHA512
9d0c2b032b32d7b10c0f412c0bb26a52be23faf0e4e53c5d5dfc5ee321effce32cb7b3dfece6b52cae7f6478eefa9f0f2e245b7ba2039c3141f636cb9c740eca

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
80KB

MD5
cc0489f7644d8e12c2a195e3d6c26f3d

SHA1
fdf68b884b27e00bc6a22d992a86694f2983c785

SHA256
9373e17cdc33b39e309cab94025d2986d9537b4675d7f71467daddaee3817b19

SHA512
4429cda878be23b9536fb14d29f9349c429632913ca4cd04c0183bfa853bbb8472474aeee4dc4169344e54a4cff1f87b410a4836c878c992eabc3cc8d5252d0c

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
80KB

MD5
ccb6a5ad7410ae2812ea7e6aec984ead

SHA1
e21b00fdb16903380abe3e85873ab8da3c810c29

SHA256
cf1feecc95bc81fbf971b874048b99da2dde18e72e95128eec461a82b4c603ef

SHA512
d578ad43415cac8aad52cc652614aae59dd532874b2c0084b17ae63ee59a5ad95d350d892417e3abcbb20f39ffdc1cd893801ef493ae06b2b358589330a2abb1

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
80KB

MD5
133c68c5ed048c7c6df8bf9085a19c39

SHA1
64a7986a8eea07e173ca0cb4ed5095a88d104eb3

SHA256
c70cec82bf0de28d199edd4e8d97a7327fa04aceefe572e02fdf01eec3717f0e

SHA512
f06a65b986b7c174790e9bd9c7c326da53a0204ad238653cd7072eecf9880f8e971c68b98c9f000be3c9f9ff3fe871b6032763934157b6b031e32714110bc724

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
80KB

MD5
9ec29f9e1313de0e3b5ce65e170590fe

SHA1
d03ccf3ad501447f4f6cc688558f12a22b29c0a3

SHA256
64a561d4f5ed7ff9c92f82209fcf066a4ee1de291c6d7997350b8a1da776b2fb

SHA512
61fa8157bab025545a0cf9fa9b54786e0b782555c298c0075c62686af89cf3abd5ccdf648709030a9b93d3e0589152ed7761127f2ebe6e06e47b96b13a594abb

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
80KB

MD5
75d550a7c67cbf88f0bc58536f75483e

SHA1
1aa2a3fa7de2727e25fd4a3c645fc340d9ea9424

SHA256
ba95a89ff62891bb8cfafc3ed7fe40a470ad7d991b81231bc51bf04777f47b95

SHA512
99b6bbcc59fbd6369ef64f07dbe09400d5725c6f65f35d06b5bd73ac4fea08c5af6958c85a1c476120034a5423639f432d25acc77f0c07fa623d3db6ab131e29

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
80KB

MD5
76e223cff28de2fd0cd2ee0c4d322300

SHA1
3889e58ed3996943d387239cb2227fe5d6fcb4aa

SHA256
de0eee6e7301880bacef92c8385f7dac324c88e5561ec0b466303948e2a0b531

SHA512
72a702b71d6c358ea58fa1545a2e9f21278067bdee3420d4b4ea2eea5222913309bfc6a608083aae421999e1bb99063490cbd49207793ea2e2a7ebd977051515

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
80KB

MD5
0b09b388824cd7b571e1924d73e45eed

SHA1
fd5ae23da36fd383ad5ca255739cb8be71e0064e

SHA256
201a0a6a4f89cc45e08ec4e317e490873303cb881f315ae21894ffa0b06558cd

SHA512
3e851afed81a80a86b77db522b5f99c7b7c2758455cea88d419ce70eab1cd414c91ecea902034b61d14950bfed1ab2304ae3ac271040d03fd9697e933965919c

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
80KB

MD5
c65f191ca31b56582afaa9cf893eec12

SHA1
7fc2e3c63be1cee4ea323601197c10e294557adf

SHA256
c2ae3d75af0c2b36c1e7892c34903d148d6d3a0df3a8b64c7439c84b0c4cc84c

SHA512
25c340d01f0117eec8309d5cd432af3d09fdab4ab398b931c3aa110a4d804d71d5d7d66fcc001d80f60c2c896dc5b0933fe060bca4014a3fc2bd0960af87c305

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
80KB

MD5
b564272d94f7bbe61720f85f27d29f64

SHA1
e1329b5257ad3d404ff96312b4f3609b86ae129a

SHA256
16d9d0b30625e7aa316963d1d0cc66469c70dfe76b86fd7b67a95622180c4f7e

SHA512
63a0ebf2e020d0f7ae7a1180c9e418b9e3fc7fdcb09c7bc7aca50e4ce869b5d48f05ffbe14cb418432a35ab926c0155627e2a48299188ae01606d80244a7d6d6

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
80KB

MD5
228da2fc2ac28c9c206404772c970f0d

SHA1
fb723e60dc5352b81f0c72e588e5156ea4fe6785

SHA256
65c686af05703af787dc2373ff5712ae7ffdd251cdb30631b57b9629bff950f9

SHA512
267bbed94d578ffe1761a72ddb9722b6637c12a908233a59eee5010d87c45b605b5ea0a950c6143d9329cae30816443e46ea7f0ea86a0783fab8040e1cb4f422

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
80KB

MD5
12f42f7e52fe31f1e3aee0b20278018b

SHA1
3b3349a55b4e2290825de620eccb7db3440d6f43

SHA256
a7ec2b740ce78ced4c46eed44ba31d3a8a6a5a3c9658525b9617cc1ca80cb3eb

SHA512
324dfd74fc95e8a6d399f77abddd112e15baa24b85a2428c3180d5d507582874cc08f4c11fe8eb34cadd2d231eb5cd82610772d8181d189926a4009e581922af

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
80KB

MD5
95eb555e7c4e5b57b6d4f19cb9631603

SHA1
d97b6a46bb9e1c4d2ce4a6e6a8b7c82c68c4374c

SHA256
2229233914eb5627f65f6d3d4b92f14ca4d264186e5b86f035ca356d7f01b464

SHA512
b67901dc21367ba952a7e8179b0a5b7c6635b90b977733aed2cb5175b3ce677da387c5092438727b28f3f23e473d9fd59f9368b1a3e45b6d8e5516a219c8a486

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
80KB

MD5
57f185b1df77a46a7e98ab26a94e79c8

SHA1
9aefdb5c30051b6c87d4d7a6204d557e2025ef15

SHA256
02ac5fe2d2f7cc604ae69ad8c6f44e2061b045df53ade4e81a3e331fc8db8a61

SHA512
534bb735c4c48d9a5729c6653744540962f49a52bd57a9ea38b71a44837db88c04f35bff3cb63b6734f07747429db9819384120ab5529f7fbcdcd938427a33c2

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
80KB

MD5
8cda9dbfe880e25807fd643da9c13a6f

SHA1
cfe2cc1ef0f6a646552d7b3367c1c982fe1fa411

SHA256
d0d0b78ff6d65d65a82781836a61caf14e43d79d067a3702c03c4b970ac22fb7

SHA512
11ee31eece0a834a78bda91a72a3aafee4ec1a980540f93d831b6f5a53ca991a7c81bcb1e156c05ecfbafe377053c5034feafb0fbc18d7af76b8f83f2858e4af

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
80KB

MD5
5ebf064aff6b28456cc61a29eb5e8663

SHA1
c33b5635b268e776a55c4687ae25189103c26cba

SHA256
8eefc1bb4538475993e52ee0816a5608503ab4ef87fc1c755b44774b00cc1153

SHA512
8f8cc9f2efff5d659a6e6b7d737535410a9a36eabdd936d58e9b7fb2426dc99e17edc9569d128eac9158bbae93cb7464d7a2a854a4d907cbf400202609a31f9b

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
80KB

MD5
26d9f591d5e727f7e818fedd4032ed43

SHA1
b2af83a23f68fe7b2a30c4cdc55087d3eb98b66b

SHA256
5abac960382e0e20db311bb7344ea3d4dc3174a28cb5af1154df1c4228aa84cf

SHA512
9850ec8a0df31db00f643af2050399b4de1bba601fe2a95b7f87a8c7b0e1c28d03d1f70254d9e20a42606a976ec0d8376d77ed3a35a55ca38b03274e81c77b35

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
80KB

MD5
b6e63d7b36c03bfbd5f6bb1197690b6f

SHA1
7f0c1cf15f6b763a465968523931a762f29af374

SHA256
8aa44eb57051b519ae9816baf0ac904f804ea56f685831ce5c628a8b83132d58

SHA512
f506d6bd3c61d8fb9e33d12c6f007f0aa7ce4860a47aceaafb89ab59050edf4bc2f17d08a2db1f5ede4318a48ef943fe527cd84287db530a5b99785ca1a21c72

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
80KB

MD5
10b7f62d888e8d8774bf651e3aad562b

SHA1
3959bdaebb1ae2124c29f924b5a6358f80f427c9

SHA256
500f82942113878ee0a24f82657e42c8412c5a5dbe672f4a073c6dcf17fb0785

SHA512
f6ecef06d84c697fba2fd887451fa36e51232b0585c71457152bfe038b7b9635fac1049b8e40c7cce2f5663ecd7f1c70ff7f2a046a194abdd93ae1e46a321733

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
80KB

MD5
33269c27c985c1d8495e8fd71dacace2

SHA1
fbc5417be2e2af74ed8b25ac907df682cf5dc1c0

SHA256
846c32abbd3bdb91b683053c925540f875e5eb5e3cbbc8e41062e6fbbdbc82d0

SHA512
5bfb479d1769ff7d931df5b930b67bd776f367949acf1acb3b95a22b6cd2e88d02512c05b83d3ead17ca5f9c8d0502c8f46d6fe7c919cc00e563bfcb7e813d92

Download Submit
memory/212-360-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/212-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/796-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/796-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/840-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/840-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/844-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/844-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/892-235-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/892-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/900-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/900-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/964-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/964-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1032-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1032-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1052-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1052-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1140-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-374-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1236-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1236-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1404-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1404-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1444-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1444-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1584-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1808-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1808-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2124-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2124-381-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2316-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2316-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2396-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2396-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2828-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3040-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3068-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3100-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3100-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3212-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3272-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3284-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3312-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3312-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3540-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3540-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3680-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3680-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3912-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3912-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4000-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4000-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4060-367-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4060-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4064-409-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4064-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4080-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4080-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4196-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4196-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4232-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4232-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4256-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4256-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4332-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4332-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4436-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4436-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4488-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4488-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4748-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4748-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-423-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4844-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4932-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4932-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4932-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4948-244-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4976-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads