912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe
Size

136KB
MD5

a571d4b5c9b9c322294b0b0629693b18
SHA1

7a7601cea73930fd8e557c6b57d124eddf1b24bd
SHA256

912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c
SHA512

7f09930f234b977a4a888113455c486cdab97d2a015349db6ae4814c5c17faddb2d108c8ebfd755e4abea62897fad531a5660e454164e73a58fb475ae1c5cf31
SSDEEP

3072:Ps29SHQWaovdoFXv1IOxXBqi/mjRrz3OT:Pr8HQWldoFjqi/GOT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efneehef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe

UPX dump on OEP (original entry point) 42 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022f1e-6.dat	UPX
behavioral2/files/0x00080000000233ea-14.dat	UPX
behavioral2/files/0x00070000000233ed-22.dat	UPX
behavioral2/files/0x00070000000233ef-30.dat	UPX
behavioral2/files/0x00070000000233f1-39.dat	UPX
behavioral2/files/0x00070000000233f3-46.dat	UPX
behavioral2/files/0x00070000000233f5-54.dat	UPX
behavioral2/files/0x00070000000233f7-62.dat	UPX
behavioral2/files/0x00070000000233f9-69.dat	UPX
behavioral2/files/0x00070000000233fb-78.dat	UPX
behavioral2/files/0x00070000000233fd-86.dat	UPX
behavioral2/files/0x00070000000233ff-94.dat	UPX
behavioral2/files/0x0007000000023401-102.dat	UPX
behavioral2/files/0x0007000000023403-110.dat	UPX
behavioral2/files/0x0007000000023405-118.dat	UPX
behavioral2/files/0x0007000000023407-126.dat	UPX
behavioral2/files/0x0007000000023409-134.dat	UPX
behavioral2/files/0x000700000002340b-137.dat	UPX
behavioral2/files/0x000700000002340d-150.dat	UPX
behavioral2/files/0x000700000002340f-158.dat	UPX
behavioral2/files/0x0007000000023411-161.dat	UPX
behavioral2/files/0x0007000000023413-174.dat	UPX
behavioral2/files/0x0007000000023415-182.dat	UPX
behavioral2/files/0x0007000000023417-190.dat	UPX
behavioral2/files/0x0007000000023419-198.dat	UPX
behavioral2/files/0x000700000002341b-206.dat	UPX
behavioral2/files/0x00080000000233e8-215.dat	UPX
behavioral2/files/0x000700000002341e-223.dat	UPX
behavioral2/files/0x0007000000023420-231.dat	UPX
behavioral2/files/0x0007000000023422-238.dat	UPX
behavioral2/files/0x0007000000023424-241.dat	UPX
behavioral2/files/0x000800000002336e-254.dat	UPX
behavioral2/files/0x000700000002343c-353.dat	UPX
behavioral2/files/0x000d00000002334b-407.dat	UPX
behavioral2/files/0x0007000000023459-437.dat	UPX
behavioral2/files/0x00070000000234b1-726.dat	UPX
behavioral2/files/0x00070000000234d3-839.dat	UPX
behavioral2/files/0x00070000000234d7-853.dat	UPX
behavioral2/files/0x00070000000234df-881.dat	UPX
behavioral2/files/0x00070000000234e9-913.dat	UPX
behavioral2/files/0x00070000000234ef-933.dat	UPX
behavioral2/files/0x00070000000234f3-946.dat	UPX

Executes dropped EXE 64 IoCs

pid	Process
4392	Eleplc32.exe
2096	Eodlho32.exe
1612	Efneehef.exe
224	Elhmablc.exe
2396	Eofinnkf.exe
4124	Ecbenm32.exe
8	Ejlmkgkl.exe
1548	Eqfeha32.exe
3744	Ecdbdl32.exe
2612	Ffbnph32.exe
444	Fmmfmbhn.exe
392	Fcgoilpj.exe
864	Fjqgff32.exe
1388	Fqkocpod.exe
1956	Fcikolnh.exe
4636	Ffggkgmk.exe
2308	Fifdgblo.exe
1556	Fopldmcl.exe
4688	Fbnhphbp.exe
64	Fihqmb32.exe
1440	Fobiilai.exe
3168	Fbqefhpm.exe
372	Fijmbb32.exe
2460	Fodeolof.exe
3100	Gfnnlffc.exe
1124	Gimjhafg.exe
4652	Gqdbiofi.exe
2996	Gcbnejem.exe
3608	Gbenqg32.exe
4364	Giofnacd.exe
4532	Goiojk32.exe
4852	Gfcgge32.exe
216	Gmmocpjk.exe
752	Gpklpkio.exe
2136	Gbjhlfhb.exe
3120	Gjapmdid.exe
3364	Gidphq32.exe
4724	Gqkhjn32.exe
772	Gcidfi32.exe
3824	Gfhqbe32.exe
1608	Gifmnpnl.exe
3148	Gameonno.exe
2360	Hclakimb.exe
2008	Hboagf32.exe
4408	Hihicplj.exe
2244	Hapaemll.exe
540	Hcnnaikp.exe
4284	Hjhfnccl.exe
4952	Hmfbjnbp.exe
4664	Hpenfjad.exe
3520	Hbckbepg.exe
1396	Hjjbcbqj.exe
1568	Hmioonpn.exe
4380	Hpgkkioa.exe
4456	Hccglh32.exe
4220	Hfachc32.exe
1240	Hjmoibog.exe
5012	Hmklen32.exe
1724	Hcedaheh.exe
5088	Hbhdmd32.exe
4176	Hjolnb32.exe
4692	Hmmhjm32.exe
1888	Ipldfi32.exe
4280	Ibjqcd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Fdcfcpdf.dll	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Fcgoilpj.exe	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fifdgblo.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Fodeolof.exe	Fijmbb32.exe
File opened for modification	C:\Windows\SysWOW64\Goiojk32.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Gfnnlffc.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lbdfmi32.dll	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Jdmaid32.dll	Efneehef.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Lghekack.dll	Fobiilai.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jaedgjjd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5992	6112	WerFault.exe	226

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaodjbe.dll"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eleplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fifdgblo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 4392	424	912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe	82
PID 424 wrote to memory of 4392	424	912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe	82
PID 424 wrote to memory of 4392	424	912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe	82
PID 4392 wrote to memory of 2096	4392	Eleplc32.exe	83
PID 4392 wrote to memory of 2096	4392	Eleplc32.exe	83
PID 4392 wrote to memory of 2096	4392	Eleplc32.exe	83
PID 2096 wrote to memory of 1612	2096	Eodlho32.exe	84
PID 2096 wrote to memory of 1612	2096	Eodlho32.exe	84
PID 2096 wrote to memory of 1612	2096	Eodlho32.exe	84
PID 1612 wrote to memory of 224	1612	Efneehef.exe	86
PID 1612 wrote to memory of 224	1612	Efneehef.exe	86
PID 1612 wrote to memory of 224	1612	Efneehef.exe	86
PID 224 wrote to memory of 2396	224	Elhmablc.exe	87
PID 224 wrote to memory of 2396	224	Elhmablc.exe	87
PID 224 wrote to memory of 2396	224	Elhmablc.exe	87
PID 2396 wrote to memory of 4124	2396	Eofinnkf.exe	88
PID 2396 wrote to memory of 4124	2396	Eofinnkf.exe	88
PID 2396 wrote to memory of 4124	2396	Eofinnkf.exe	88
PID 4124 wrote to memory of 8	4124	Ecbenm32.exe	89
PID 4124 wrote to memory of 8	4124	Ecbenm32.exe	89
PID 4124 wrote to memory of 8	4124	Ecbenm32.exe	89
PID 8 wrote to memory of 1548	8	Ejlmkgkl.exe	90
PID 8 wrote to memory of 1548	8	Ejlmkgkl.exe	90
PID 8 wrote to memory of 1548	8	Ejlmkgkl.exe	90
PID 1548 wrote to memory of 3744	1548	Eqfeha32.exe	91
PID 1548 wrote to memory of 3744	1548	Eqfeha32.exe	91
PID 1548 wrote to memory of 3744	1548	Eqfeha32.exe	91
PID 3744 wrote to memory of 2612	3744	Ecdbdl32.exe	92
PID 3744 wrote to memory of 2612	3744	Ecdbdl32.exe	92
PID 3744 wrote to memory of 2612	3744	Ecdbdl32.exe	92
PID 2612 wrote to memory of 444	2612	Ffbnph32.exe	93
PID 2612 wrote to memory of 444	2612	Ffbnph32.exe	93
PID 2612 wrote to memory of 444	2612	Ffbnph32.exe	93
PID 444 wrote to memory of 392	444	Fmmfmbhn.exe	95
PID 444 wrote to memory of 392	444	Fmmfmbhn.exe	95
PID 444 wrote to memory of 392	444	Fmmfmbhn.exe	95
PID 392 wrote to memory of 864	392	Fcgoilpj.exe	96
PID 392 wrote to memory of 864	392	Fcgoilpj.exe	96
PID 392 wrote to memory of 864	392	Fcgoilpj.exe	96
PID 864 wrote to memory of 1388	864	Fjqgff32.exe	97
PID 864 wrote to memory of 1388	864	Fjqgff32.exe	97
PID 864 wrote to memory of 1388	864	Fjqgff32.exe	97
PID 1388 wrote to memory of 1956	1388	Fqkocpod.exe	98
PID 1388 wrote to memory of 1956	1388	Fqkocpod.exe	98
PID 1388 wrote to memory of 1956	1388	Fqkocpod.exe	98
PID 1956 wrote to memory of 4636	1956	Fcikolnh.exe	99
PID 1956 wrote to memory of 4636	1956	Fcikolnh.exe	99
PID 1956 wrote to memory of 4636	1956	Fcikolnh.exe	99
PID 4636 wrote to memory of 2308	4636	Ffggkgmk.exe	100
PID 4636 wrote to memory of 2308	4636	Ffggkgmk.exe	100
PID 4636 wrote to memory of 2308	4636	Ffggkgmk.exe	100
PID 2308 wrote to memory of 1556	2308	Fifdgblo.exe	101
PID 2308 wrote to memory of 1556	2308	Fifdgblo.exe	101
PID 2308 wrote to memory of 1556	2308	Fifdgblo.exe	101
PID 1556 wrote to memory of 4688	1556	Fopldmcl.exe	102
PID 1556 wrote to memory of 4688	1556	Fopldmcl.exe	102
PID 1556 wrote to memory of 4688	1556	Fopldmcl.exe	102
PID 4688 wrote to memory of 64	4688	Fbnhphbp.exe	103
PID 4688 wrote to memory of 64	4688	Fbnhphbp.exe	103
PID 4688 wrote to memory of 64	4688	Fbnhphbp.exe	103
PID 64 wrote to memory of 1440	64	Fihqmb32.exe	104
PID 64 wrote to memory of 1440	64	Fihqmb32.exe	104
PID 64 wrote to memory of 1440	64	Fihqmb32.exe	104
PID 1440 wrote to memory of 3168	1440	Fobiilai.exe	105

C:\Users\Admin\AppData\Local\Temp\912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe
"C:\Users\Admin\AppData\Local\Temp\912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:424
- C:\Windows\SysWOW64\Eleplc32.exe
  C:\Windows\system32\Eleplc32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\SysWOW64\Eodlho32.exe
    C:\Windows\system32\Eodlho32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\Efneehef.exe
      C:\Windows\system32\Efneehef.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        26⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        28⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        34⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        35⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        37⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        41⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        42⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        48⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        52⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        57⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        62⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        65⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4584
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        68⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3556
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        72⤵
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4860
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        75⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        78⤵
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        80⤵
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        81⤵
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        82⤵
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        83⤵
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3276
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:932
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        88⤵
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        89⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1808
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        91⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        92⤵
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4088
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        95⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        101⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        103⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        104⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        105⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        109⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        112⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        114⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        115⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        116⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        119⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        121⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        125⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3992
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        127⤵
        
        PID:860
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        129⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        133⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        136⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        139⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        141⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        143⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 420
        144⤵
        Program crash
        
        PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6112 -ip 6112
1⤵
PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
136KB

MD5
a76b44a69de53fb411782845c53b8d76

SHA1
8542940b49c74918d400e64a52f572b1cce9e2fc

SHA256
212b937902eb6b2b84ce3dd585176816b77dc3dadba9bcdce48f42b5ed16ecb0

SHA512
0a45b71c5e66030faa81c78a5977a71989fe3a54b11379bd6aa1b204e29863cd6ebcee442266f88e3a76227652316ab638c7f73aba5aa21ed70fff2b2ea61d03

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
136KB

MD5
a783e586d90e933797f93f101a152cf6

SHA1
27e7ab8078c697021775c4a9173bdb2118204826

SHA256
7c7cfafde074e000687ad7565b8c4b965e37abbb3f5524913d2e444aec4d2484

SHA512
aaec350f708debcba23ee69dcca1516e30bb151e6312b8fb869f14faec18898db53f06bfc976b80ab6d665be957e11055f72d7c19b9f402ddfe309105aabf34f

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
136KB

MD5
0f8e25ac4e19e1d79c021c5394208c13

SHA1
67d10474d18acba21fa719cb544a7f8f82ac3eca

SHA256
54cc31f4056f3cfa752d51143bf78eda1edd09791e19ac9d6abab2da30d6fc82

SHA512
fdb3046c8b9aeab0f79ae221a73f75162f543bb484c57a22e8fce6e3089a31dfbc77ed1836a88c1a4ef47609da1dbfae6eafadb0548919f4ba89b7e52e3b5845

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
136KB

MD5
61eea7b3d89b5238fe94a3e6ffb4ea74

SHA1
7855562596b16d3dc3fa8ad441a853c557e588e2

SHA256
abf183bcdc34a99a08ed76dc187c03e2ad0e3db45bcb08f62b05bcc4f78b3d9d

SHA512
103676f0886bc81f1570e195bb5ccc1fc9d45dafb34cdafbb261965740df6fbcac6f5798a584e2e3c8d65a043342e5b9ebac883af5498ceb714c20e8dd93a0b8

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
136KB

MD5
fa8a48776f056f83ddf8635f8b5eafb8

SHA1
9a8f1a67e2a5d1faee81b32221330ec62b0726e2

SHA256
f96e290d922928d9107bebb93541b9476950e15096a43c8fc0f9b0534232ea9d

SHA512
bdc22b4aff098cd6f187607c388f0c54870e5afed3c1c85d9b3786ea97110e8b60369fd6d728c7bdbf59baed2148a9f523c45fb6342b721557ac99916bda65d1

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
136KB

MD5
41344da5b93af313509e0d4020cd1e08

SHA1
924c2982cabca6061ceaf19ad0cd2a4b991b784c

SHA256
8916a36c224cafb86e8c82d75e78b1332a9a19dedad4d11774664d64406f5298

SHA512
4ca0846e359d998c1a89ad1e3e4ad20bef0f9428f240b95eecaf1e1021b39384df200023b3e13782e333b3a5b6ae140807c801a6abe51662295ccdfe8ac8075d

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
136KB

MD5
ac730eabfb4fe2c1df0dc60dc76e8ae2

SHA1
6ff2dd48b1c0eeedbde9258af8170b3bee110f6a

SHA256
31df68fa5a77f4ecc6ac46c91fa78cea4f3f63548da2937fc3020d1a0c30e4e5

SHA512
4b7f9c26c33b4ba5d5981e8686654b2b01d4912e12fac51c3b98294c46897e4dd7d9254b325fdd7cf99a892d6b3c2f268a5e18b0044abc1d5c034de38c9c61e3

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
136KB

MD5
89efffb1dacb550241cd41f989b12a30

SHA1
fa6550c82e1610e6872d9e038758557b052593f6

SHA256
9684201f070bc811a5e6111ed789962731c5b1307e4aabb70c5ed97fb0ffdbb3

SHA512
d8c8272d0ef6c00aa7b34a05b1f7d62a47aa551ae185f459368d095e57c21068c561a338c5940e391045d08a25594777fe6679fc4c4866538299bba4886adc21

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
136KB

MD5
3f6861145ebafc3a07a6af569922ebe8

SHA1
8e5ed7c2b405f3c6bb00339291fe0a088a7643fa

SHA256
0d53f2d26180a40a1a6898bef8a7c778decafe87336bec521ed9631080fea5a4

SHA512
64ac3f04ba8d933549ed7ee43a0cb07d73c2f5c54a192469f12c907f11bdbee7dc057bb2dbdcc82751f01df8b5d5106e99d5ef09e9e59b48cfd3af79b749e1ca

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
136KB

MD5
de61607d46f169ec887fd19ac6102c25

SHA1
a6ceef5796a2508187be63c60719e850780470ae

SHA256
82d8339c8f6e6f5657ce1e20a2844a800aab86047b6b153b1173c719966aef8e

SHA512
a84525300f79ebf1a5b3e5f8d91761e72331e68c2bad82ef30e44963d7e4668a448c615b97cbc2a411ea4af79e6dc3d71a1a7c396d0823112dd3744c6828f520

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
136KB

MD5
07925771d42d47772a9fe6b78230b9fb

SHA1
64e705e4f44e14d86fe616391d675fe8492843eb

SHA256
74a7d64d368ab22d7998d6685e8b2ff7052c5e02159f041f495be08382f8bc88

SHA512
ef490eef4fd580918ac0a6ed0c203458a92bc3c9cec0543821c38ad7c36fae19368f35b3a30d2dd182a3b037bcd7f89e8207af89fb02be8c5c0008401ac52dfb

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
136KB

MD5
aba52923c7cb9f401438952248742c77

SHA1
385857f751c0adc9434a582c8050230821b26b7f

SHA256
590db23ae8bd47edf20293adf429f34004aacf4345d9101a62b99ff08c34225b

SHA512
e6e18ab5adfb786bf166b16b5120da8325c127da887b778276173cfdbd5f4fce661bb6c99369025641a92892ed47f2c01fffde40b8662deed8ef04f2a8daca06

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
136KB

MD5
22174c36edd0bff11e51ae167409d15e

SHA1
e5b32e7a543556c8b52dd9cf0de8dba8ed88d5be

SHA256
e0f84dab728b14830f10912ddf2ba59c8b4d612dc17602cbf4222758e8c9e5bb

SHA512
dca3949cc19b475ec9eed9c26abad9d9124a6baacd654838e0ee72acc7751e3fb9e30cf3e09666f81e3d62c7e7bf759f44616389610c9486bc1bf07be1a4c31b

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
136KB

MD5
2572de209764d2365dce0692ee417c90

SHA1
3508ac5e4c6d81503b979e69935f4a750a6ddb0b

SHA256
dca29a9193a64e34afe540ae05e4963b5d411ec5e9cb0dd618a003c84115fcef

SHA512
17f2c2c8bae4358b2697730c293a02d358b75d63f1986a8be47d74aec29d093a1741903aa0802bb049a63c565f7087b3d5be4256f182defb19a9b54fc83cd087

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
136KB

MD5
c8145453bd59cc39bd317196250459af

SHA1
1efb6bb482b5e3f289c5b0bc5890ad5024789cd5

SHA256
7642173788dc8c461382d21b79f5fa8bbc6656635566d03e50afa557a9a3929d

SHA512
1167e16d1bd5d13ca71bdce871b959139ff2679faa2e6f25bfc2ce368286529b972e53d51f0b09e7e0e0289e9f424072d7d57b51099c9ca37197d191a20c2e51

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
136KB

MD5
ada66af668320784c329d0a979608029

SHA1
9c592af7af0bf4efd32508f953d960fba5e81f53

SHA256
c1282f23a06d456377ab8d8b2cb12117dcc5eaaafe5cca554cbd6a06853ae500

SHA512
6a6d457c66baf85b56e0cf5ea7825e344653e5078a694219021f328d2f72a26aecccc8c73dd77238c1d3c32e8a83b9642e3427dabaaba70f3ed8ba764e4af7a2

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
136KB

MD5
c7a6b07eca4ec791ba97885af8eb6768

SHA1
67555fba45cf0e6396d282463a1c8e38f986da86

SHA256
fc5bf40bd73d66e26fbbdcac3e06e7c379968110d53abcc393d9c1e02c06cae6

SHA512
60613610c7d190412589ce67cc995887feb290b9b6598bbdc7b658459028e4eafa4382973d682c8ae45b311a7bc2d7360b27f154b5801c9761518ab030c29425

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
136KB

MD5
2856528df87fb5f62a44c84b7c324aeb

SHA1
ba6a50a82ac46c4ae70d4e8277e7798d5675a94e

SHA256
ff084f8f614cb81c57c69e05e364d52f6fefb4fa174eccf649448b22a294863b

SHA512
aac506e152e440393d7c4ff84a3e91eae7850bb9122f286b3b857bfa625540026a8fb2e1518e140fafa67a429f6d711854b01de6547ea3079be20d0b2b353e62

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
136KB

MD5
d5175369123ac6e1ec7cec36fb8d1e17

SHA1
1bd63587150ae1254aade252e2147f2b87bf030a

SHA256
9159b1b5eafdbd714cff4c8dde242c643f4e165d13d67be6cc08db1e7455a831

SHA512
06ea42db6b2ec993af213b742fa404a48236b6b546a54743e516d176606341ef63191212b40c247cf85aba5281c201ac4a42fdb467bc0ac86e1a0d2cc9460b4b

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
136KB

MD5
da6aaa6e928f179152f470a14e47237b

SHA1
35e0100ff49b19b54fb9773705647af5f0e9acff

SHA256
575b5f36120761dd62b9160c4eedfb9b72a2bdc24e6bd9a0eee8c64340d3cecf

SHA512
474abdad2aee72ef4b65da691c132f82a31f1220df67e9c242a6d550b39356f98ab69ae0471d82205980bef8c6762f4d6e428f38e32281d194416aff52581a9b

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
136KB

MD5
4d71813563f516782ad5dfdfb5a6eaf2

SHA1
ef9fa57d92aabf841bd552da52e959e490357507

SHA256
507596190241fb5f37ef1a95c51c41e6ff36916319ad56b15338bb5376c53169

SHA512
c22c0771f0de81191135965be7a4584d2f7ab99ccd1577efecd19437e80e48251379e5988621d110162d89cee30e520b3c0bfe4ec9e326f23210881ba2d026ab

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
136KB

MD5
3e6a110b17a9ae525e62b95b9ebaf8ac

SHA1
f0e40f213c47266cddba271a4ff26f5df3b8550e

SHA256
5ab98cbd7b5a9400f3549ff990cbf49cf96f2d9fb731a9771e6050274a93eaa4

SHA512
f8858ea759438b109efb1804f07ec896ed134d7bf33a678b540a2df65b33cf261e4e036c017832399f14bf2ad8d11fde67dffc6af1e886352c205f6d3d24d957

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
136KB

MD5
110769fd16af8b601af805c503317515

SHA1
e8dd9f3cd17c1ef779fdc7e323c5fd05422e5df2

SHA256
df00a7f6ab682175606bae5817baef0a29e4560555005177e1569d9aec56e769

SHA512
c821381bdd61c1eb7d1004fbbb7d925525ef386d44a46a53b5b807a7b52dcbcb428efd78f20b92055d80f96159a45cf2852adc9e39a6bba2c20973f8c879acc7

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
136KB

MD5
406e6d0e11c697f2fd4c0169763b5ab5

SHA1
9640f6a5ca5ae8bc9a81d5880f3731555c3ff199

SHA256
8b2bea1a7265091c02a42381ec03246907ec12b614bdbc36270c8e9bf5357bd8

SHA512
5863f4a4b2ffd55f156035759a5c0637763d7a4d5f7054cede6439b2951ead3b27951b4763e7605391eb3b9e39d58fc68780dbdd784a0708b49ff9bba20c584a

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
136KB

MD5
2b1acabd60a6b31a5c46616e01663a4a

SHA1
0a22e43e82fa6173abee1192106a153e1dba3d24

SHA256
6e7561366b08f29504486673c4162b991c335273c8a3a95c5dc2039cf391c75b

SHA512
31d9c34cde63f1b9b9814bf7994aef5c1c9984fd5cfaa66bf385fc80e42740ff59ef45239c7e3e09f11dd2d8dd3a25eb098533fcfdba147fa9118ef0e1385d2d

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
136KB

MD5
601f138bfa7fdb917e761799911d1d5e

SHA1
2d36a08ac6983958698a3071b18cfe92acf5e555

SHA256
750fa681bfac6bd02134597be90954662e733b6a892777bd514cc950cb3208ef

SHA512
dd0c0e588b1069227b84c0a856ab22c80916eb3238917ca33ed9b8da94c09d5a9248400fb8673225f8a3eb84f46a75c4a999753009c1461bbc848fcc3760bd9e

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
136KB

MD5
1199b8b62c5b10c5ff3750b95ee828a3

SHA1
8cf94b2412123e4aa3d23d6220068005c02e30bf

SHA256
bd96e6b88c9cac72772bcfd772bc26a477d6f37e5eab20d5f16d65b1caacbddc

SHA512
c78521846c33ca1818ad84a21b20cd42a6f57c7392df9538a6b5422ae8f44e3f47cff0c5f8e18cbe9b3eedca8dc5281dad5540b154226578062332c747ab8a27

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
136KB

MD5
94c5c6dae3fa4508526174c0da6a2cb5

SHA1
461d4d2fe190646c47584c4fce35aa8497a7f23e

SHA256
fa16a84f54f778dab473db009b930a76b1bde6a2265a02a33d30dea2023ce48c

SHA512
8357ef2b74198f926c6d4f5a7b1ef1508f258bc434ad9d6497b765f36c148e03b67c1b5b51e01dcc81d53faba3588c6b135d9262947b2d011ad7dd52a2ccfe29

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
136KB

MD5
9872f9abe49a569da4e93dbaafcd71f5

SHA1
e2a18b619ef201b7a6b1b62f2afe87f7404b08d0

SHA256
0ab24dedc0df2c41e5ade0855303a72e03b7d8783f58594c1f25ea79c33c958c

SHA512
d6fb75e3f6023e21b3cdc33115ea1a9c05d5f6ee421693ee2dcbb3a6c5488d6eed5d0a3a8c26faff1c52b7ed1db1a922971d48f04637feab01b44e39a4902905

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
136KB

MD5
ab531094e470dfacab7d0d3f3318d11b

SHA1
83bd8abd3888096a09f74db685381c7859657f05

SHA256
5fa68e166eea9f1ea73f07ee13509b4562108a22ec6a8135c3fc611eafc9f6fd

SHA512
b1766f57a799df75b18cf674848b164d01080d61666e6fbdd492dfb1c3169dc7245680a6afae5ed84655d0bc2a57a46136b75e4b6b49bc1be849f36ba0a636c1

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
136KB

MD5
4410161dcb25ba528bb474f53830f0a6

SHA1
11d827b732885a18b1e33fab0f0c3bb27d3bb30c

SHA256
e23f332c23f0c1a3f665767bfb142b68358ffee592d58f4ef6c6ec429570c61c

SHA512
88fa79ffefbc70533878a8f3200751b5c5c001c3f36cb5e61f060d4f8924ae5f0e9b0b99e9b79347080f05eb4dae051e0ffa0465826fc2b09e99d7ce446eb634

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
136KB

MD5
05d62561653b613bd86d3b9697700b4f

SHA1
d6430a518662f7ba7ced1f0865a9b4ea2913c144

SHA256
912593e6f55194dccb6eb5a4e254997d18a30fa1d7fce2cb129eb4213d57e921

SHA512
db6c15a1d6ec2300b2fb31bf3a3c2608a749f00e88802502394f5b90877b3b96c98823d8de0a17228d11f6d0c415955372ebc2d7a39e844027c58788e4d50516

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
136KB

MD5
d950dcd9ada78fb1043088df7e855280

SHA1
91aa19a1940f72ece6183d4a7adea2d2efed1678

SHA256
95b9a0f0538442501b8e50081e563ee23969817b1a30c3f5382b43977e2017d6

SHA512
badf194d8292fb802a1473ea95cea9271bd519904a35c05c2a844e584c352165c6b1895df4f8dd4ba2e98a9470e4aaf4fd423df2f93a43b9bd6d270827381766

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
136KB

MD5
7d7852844bca4e38fbbbbe0fd50fa230

SHA1
262f69412b3ca1f035b0f88b8f4f05dbf594e339

SHA256
2c3e335ff11a0710e6f44dcbe1c4b7c5d3f23a8d1ad6646089f355366f18adf6

SHA512
0f77e50ad0ef937e46eadce3f2f16f93ef2f991b7fb6e4d49c8ac746c28dc4d0c86e42ab7435254b18a48f618a4c848010944f2f9d97870b5d707a2ad9c0ec5a

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
136KB

MD5
ac4c83cb909b13d980187d78aaceeecb

SHA1
1c350d6ba81f9b0acc1e1ff50bb3727b693e1b4f

SHA256
76ff33a3fc01dc36c2da025a7d35c38c37afd5b7c505ee1a3cfec9a817a6cf97

SHA512
479acff4c278bc2d9b44acd6ff664fb0193e229f859b9a9fb56cc445c7bdf929467566faa58e9eac66a9813af2d5c59e9dd75a64187b71993427566501f89a02

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
136KB

MD5
4bb59d3dbe6acfe15dbca9955d8ce379

SHA1
4b4a01681664ad406d73dff0699e8558db4002ca

SHA256
84acda3eb4dfc19959dd4c0be9eaaf92839c0cc0c43de97f310445528a60d733

SHA512
92c852d6672e1e12bb066f535ac00e8ff6c58b01e092a9ecb0ac9ff092eb9503342d8dab1dcc234cf8f0e71d8846144538b9d407ab4fa9dc27f0970617f5dee7

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
136KB

MD5
22e4c74175d5852d27d7bdc88ed6a000

SHA1
f4e1882a7e3a476612bfad76c6cd1feee24b2e43

SHA256
1ae6cfe70fbd020f65b42b1f1413620dc77ce8181ef104def40ee1d9761cb112

SHA512
caf0cd10b3d59bd00b403ec389d06a37186fa9a02c7d62211b947c0e5a31e63ace36622d6af7079253c6106b5248333a6e33f7bf246d87812fbd24d389585269

Download Submit
C:\Windows\SysWOW64\Miimhchp.dll

Filesize
7KB

MD5
85e94e690a86ffeb01aa2f27bc309377

SHA1
28689f8c70a3b354ade6dc3a450b70124d35f4fe

SHA256
2551745b3c9295ba307b01969ba585baf59140225f78a3b379a6cec9560ef295

SHA512
b2fdce61eea83d9f930cf6648c39d7de305a14eefbb3b33e6e9df4559632b518d546ccdd9ef3e42096747035633a4f601de528e7fc6d85ada88a1c6200318291

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
128KB

MD5
4b7d7caab510d648ea01171be048a67d

SHA1
fab8865a3919cd5bc5dc61d8773a5c561cc50986

SHA256
f0d2d5b1a6dfc6fcb8789d20fd7ee8589db1140933e8a5f2aaaf2f88a1bf212b

SHA512
84e939bb887467452e7191eb125c2b678fb83fab870ac9002d7d1251e2e3da0e49b8b82143c40fc75bcc57fa996c93e0bb7efac1bc98fde0222ae6bec8558ce8

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
136KB

MD5
b908fffec472272a57fe9050cc81bd40

SHA1
af4b05913f2193b7dc07dd0411401821f6e3eb24

SHA256
accdd7b3791bfe46e1c209047e6168c6f4126c61b0c687549aa84103939f267d

SHA512
432d845736861054f88fc85a3ff6d82b65e1d8c82d4363a8eb5752e406606ff4a6c107e20dac0f14aeea5fb2a6cdfa6fd67f6e8a5350b395588e2526fffb93a2

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
128KB

MD5
d22066e5257e990683fa154dde4c3a12

SHA1
a052dbff8b7cba8bcada3bdfdc8f370cdda171dd

SHA256
c890586c0aacf245591f6c2dad5899fffd986efe338316089cef62c0babfaeed

SHA512
2521e96018d7893150a8837a4f03a82721a4c9851433075f287d08599e99978ef87304363129ec2283d142f1ead4a2f9827660b61924c09fe91a54e8b4d2a219

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
136KB

MD5
a63b5e80e2cee54adbfb78139535d197

SHA1
d9d73dae50b0ad5b71b5fbd77cab15bf1a291d8d

SHA256
32882585edd2f46b11b53431f370b24214128cc0ff9685059ed55cdeafeced66

SHA512
b7040194097b957c5e537df2f27e994ba75ccdd05f74526533a1902cb466d430c6b59f7f4567e98d9a2081ca836f49cb899cc73debaea90e7658eee0fd9684bf

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
136KB

MD5
cb831fee345391f0df68eefb5d6c7b2a

SHA1
714f3fd8d9b5850f737608c2aeb22dd63ddfad35

SHA256
24d213a1661526f6f81aff1fc0da1f1101277f6f9b6f312f2808c5350b533258

SHA512
1594e19dcfdbf4f248aec1df68d6c4260356221d29e486a0c2ae9febca91060adae7f3196c7b395f3c438deb5129f63588f8e75e34db5878315a3636d51cbb0f

Download Submit
memory/8-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/64-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/424-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/424-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/460-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-1074-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3364-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4176-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4532-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5836-970-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads