79505323b4cfafbd1f723f81bfddf1a80b54594c581be6be34ad7642b8a972d0

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23/06/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79505323b4cfafbd1f723f81bfddf1a80b54594c581be6be34ad7642b8a972d0.exe
Size

96KB
MD5

29ec42f1ef34cce2d66c1014f1025695
SHA1

87c077aa4a2078da3ddbdcf64afe9ee735367016
SHA256

79505323b4cfafbd1f723f81bfddf1a80b54594c581be6be34ad7642b8a972d0
SHA512

d10097863fbb9e1b0df6dd5bbb018a06d3a68bb80111c93e9024a5201b3236e757177a1734995be8738b2a6f9d78a3030042d898c51c9580c38162a346e26998
SSDEEP

1536:1cj3t8jWCZmutqnXsxsvOwduV9jojTIvjrH:1cj3uq9n1mwd69jc0vf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjflb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakbckbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe

Executes dropped EXE 64 IoCs

pid	Process
3680	Debeijoc.exe
392	Dhqaefng.exe
1520	Dokjbp32.exe
1916	Daifnk32.exe
4556	Djpnohej.exe
1332	Dpjflb32.exe
4372	Dakbckbe.exe
3936	Efgodj32.exe
4256	Elagacbk.exe
4428	Eoocmoao.exe
3252	Ebnoikqb.exe
2940	Ehhgfdho.exe
4076	Epopgbia.exe
3676	Ebploj32.exe
396	Ejgdpg32.exe
2728	Eleplc32.exe
2472	Eodlho32.exe
3140	Ebbidj32.exe
3584	Ehlaaddj.exe
2748	Eofinnkf.exe
2108	Ecbenm32.exe
4956	Ejlmkgkl.exe
1620	Emjjgbjp.exe
2640	Fbgbpihg.exe
3760	Ffbnph32.exe
4088	Fhajlc32.exe
2088	Fokbim32.exe
3420	Fbioei32.exe
4224	Fjqgff32.exe
928	Fqkocpod.exe
4764	Fcikolnh.exe
1224	Ffggkgmk.exe
2752	Fifdgblo.exe
4948	Fqmlhpla.exe
2080	Fckhdk32.exe
3044	Ffjdqg32.exe
968	Fihqmb32.exe
828	Fobiilai.exe
4804	Fbqefhpm.exe
460	Fjhmgeao.exe
3864	Fmficqpc.exe
2992	Fodeolof.exe
1888	Gbcakg32.exe
3184	Gqdbiofi.exe
2424	Gfqjafdq.exe
1432	Gmkbnp32.exe
4468	Gcekkjcj.exe
2784	Giacca32.exe
432	Gcggpj32.exe
1040	Gjapmdid.exe
2204	Gmoliohh.exe
3972	Gcidfi32.exe
4084	Gfhqbe32.exe
1460	Gmaioo32.exe
4052	Gppekj32.exe
1932	Hboagf32.exe
1144	Hmdedo32.exe
336	Hapaemll.exe
4384	Hfljmdjc.exe
4324	Hikfip32.exe
2772	Hbckbepg.exe
5028	Himcoo32.exe
4304	Hpgkkioa.exe
4776	Hfachc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Bobgoedj.dll	Efgodj32.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Elagacbk.exe	Efgodj32.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Dpjflb32.exe	Djpnohej.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Omccgkde.dll	79505323b4cfafbd1f723f81bfddf1a80b54594c581be6be34ad7642b8a972d0.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Dakbckbe.exe	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Lkakml32.dll	Epopgbia.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Bofjdo32.dll	Ffbnph32.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Eoocmoao.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Debeijoc.exe	79505323b4cfafbd1f723f81bfddf1a80b54594c581be6be34ad7642b8a972d0.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Fkokhc32.dll	Dokjbp32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgbpihg.exe	Emjjgbjp.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jmpngk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7044	6956	WerFault.exe	256

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eodlho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fobiilai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkakml32.dll"	Epopgbia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 3680	4424	79505323b4cfafbd1f723f81bfddf1a80b54594c581be6be34ad7642b8a972d0.exe	82
PID 4424 wrote to memory of 3680	4424	79505323b4cfafbd1f723f81bfddf1a80b54594c581be6be34ad7642b8a972d0.exe	82
PID 4424 wrote to memory of 3680	4424	79505323b4cfafbd1f723f81bfddf1a80b54594c581be6be34ad7642b8a972d0.exe	82
PID 3680 wrote to memory of 392	3680	Debeijoc.exe	83
PID 3680 wrote to memory of 392	3680	Debeijoc.exe	83
PID 3680 wrote to memory of 392	3680	Debeijoc.exe	83
PID 392 wrote to memory of 1520	392	Dhqaefng.exe	84
PID 392 wrote to memory of 1520	392	Dhqaefng.exe	84
PID 392 wrote to memory of 1520	392	Dhqaefng.exe	84
PID 1520 wrote to memory of 1916	1520	Dokjbp32.exe	85
PID 1520 wrote to memory of 1916	1520	Dokjbp32.exe	85
PID 1520 wrote to memory of 1916	1520	Dokjbp32.exe	85
PID 1916 wrote to memory of 4556	1916	Daifnk32.exe	86
PID 1916 wrote to memory of 4556	1916	Daifnk32.exe	86
PID 1916 wrote to memory of 4556	1916	Daifnk32.exe	86
PID 4556 wrote to memory of 1332	4556	Djpnohej.exe	87
PID 4556 wrote to memory of 1332	4556	Djpnohej.exe	87
PID 4556 wrote to memory of 1332	4556	Djpnohej.exe	87
PID 1332 wrote to memory of 4372	1332	Dpjflb32.exe	88
PID 1332 wrote to memory of 4372	1332	Dpjflb32.exe	88
PID 1332 wrote to memory of 4372	1332	Dpjflb32.exe	88
PID 4372 wrote to memory of 3936	4372	Dakbckbe.exe	89
PID 4372 wrote to memory of 3936	4372	Dakbckbe.exe	89
PID 4372 wrote to memory of 3936	4372	Dakbckbe.exe	89
PID 3936 wrote to memory of 4256	3936	Efgodj32.exe	90
PID 3936 wrote to memory of 4256	3936	Efgodj32.exe	90
PID 3936 wrote to memory of 4256	3936	Efgodj32.exe	90
PID 4256 wrote to memory of 4428	4256	Elagacbk.exe	91
PID 4256 wrote to memory of 4428	4256	Elagacbk.exe	91
PID 4256 wrote to memory of 4428	4256	Elagacbk.exe	91
PID 4428 wrote to memory of 3252	4428	Eoocmoao.exe	93
PID 4428 wrote to memory of 3252	4428	Eoocmoao.exe	93
PID 4428 wrote to memory of 3252	4428	Eoocmoao.exe	93
PID 3252 wrote to memory of 2940	3252	Ebnoikqb.exe	94
PID 3252 wrote to memory of 2940	3252	Ebnoikqb.exe	94
PID 3252 wrote to memory of 2940	3252	Ebnoikqb.exe	94
PID 2940 wrote to memory of 4076	2940	Ehhgfdho.exe	95
PID 2940 wrote to memory of 4076	2940	Ehhgfdho.exe	95
PID 2940 wrote to memory of 4076	2940	Ehhgfdho.exe	95
PID 4076 wrote to memory of 3676	4076	Epopgbia.exe	96
PID 4076 wrote to memory of 3676	4076	Epopgbia.exe	96
PID 4076 wrote to memory of 3676	4076	Epopgbia.exe	96
PID 3676 wrote to memory of 396	3676	Ebploj32.exe	97
PID 3676 wrote to memory of 396	3676	Ebploj32.exe	97
PID 3676 wrote to memory of 396	3676	Ebploj32.exe	97
PID 396 wrote to memory of 2728	396	Ejgdpg32.exe	98
PID 396 wrote to memory of 2728	396	Ejgdpg32.exe	98
PID 396 wrote to memory of 2728	396	Ejgdpg32.exe	98
PID 2728 wrote to memory of 2472	2728	Eleplc32.exe	99
PID 2728 wrote to memory of 2472	2728	Eleplc32.exe	99
PID 2728 wrote to memory of 2472	2728	Eleplc32.exe	99
PID 2472 wrote to memory of 3140	2472	Eodlho32.exe	100
PID 2472 wrote to memory of 3140	2472	Eodlho32.exe	100
PID 2472 wrote to memory of 3140	2472	Eodlho32.exe	100
PID 3140 wrote to memory of 3584	3140	Ebbidj32.exe	101
PID 3140 wrote to memory of 3584	3140	Ebbidj32.exe	101
PID 3140 wrote to memory of 3584	3140	Ebbidj32.exe	101
PID 3584 wrote to memory of 2748	3584	Ehlaaddj.exe	103
PID 3584 wrote to memory of 2748	3584	Ehlaaddj.exe	103
PID 3584 wrote to memory of 2748	3584	Ehlaaddj.exe	103
PID 2748 wrote to memory of 2108	2748	Eofinnkf.exe	104
PID 2748 wrote to memory of 2108	2748	Eofinnkf.exe	104
PID 2748 wrote to memory of 2108	2748	Eofinnkf.exe	104
PID 2108 wrote to memory of 4956	2108	Ecbenm32.exe	105

C:\Users\Admin\AppData\Local\Temp\79505323b4cfafbd1f723f81bfddf1a80b54594c581be6be34ad7642b8a972d0.exe
"C:\Users\Admin\AppData\Local\Temp\79505323b4cfafbd1f723f81bfddf1a80b54594c581be6be34ad7642b8a972d0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\Debeijoc.exe
  C:\Windows\system32\Debeijoc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\Dhqaefng.exe
    C:\Windows\system32\Dhqaefng.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\Dokjbp32.exe
      C:\Windows\system32\Dokjbp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        23⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        31⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        42⤵
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        53⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        56⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        61⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        65⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        70⤵
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        71⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        72⤵
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        74⤵
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        75⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        77⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3496
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2492
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        80⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        81⤵
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        82⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        83⤵
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        84⤵
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        85⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        86⤵
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        89⤵
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        90⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        91⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        92⤵
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        93⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        94⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        96⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2604
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        99⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        103⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        104⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        109⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        113⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        115⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        116⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        118⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        120⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        123⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        124⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        127⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        128⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        129⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        130⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        131⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        132⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        133⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        134⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        137⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1540
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        140⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        141⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        144⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        145⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        149⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        150⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        151⤵
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        152⤵
        Drops file in System32 directory
        
        PID:6212
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        153⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        155⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        156⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6432
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6476
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        159⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        160⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        161⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        162⤵
        Drops file in System32 directory
        
        PID:6652
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        163⤵
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6780
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        166⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        167⤵
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        169⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6956 -s 224
        170⤵
        Program crash
        
        PID:7044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6956 -ip 6956
1⤵
PID:7020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
96KB

MD5
197643b4fa1067de28df4bdd9fb9807a

SHA1
015ced702592fe4d97a96e31bee8f726bb919d4c

SHA256
2850f83d14d03d0daa5f4aa3c4bf90e00e04c96d5ff595487c631c893f824aa1

SHA512
7da969101908c580fa94662d6b169e3921ab70309bd6b5a3e73e476d6597c65ad5cf2bec9f4a2ca896f0aba4bf8ef398201dd75f7bf20ed641ab9ce651657ec0

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
96KB

MD5
2d8dc1113b0765ab17a5df30f11ce0c1

SHA1
ea23f98d6ba4b5ffd244e5e1ab56b04ed442ce29

SHA256
ef92a3a329af1a0c2998f4d4f7c2b00c8ed53773ae1510b3f9a9418737185b00

SHA512
6ce845268163318e0bd3c9f9cde80ec5084ed64811388ad998cadda91e278089ac4825298434b3325bbe9c7a4a99341ee9d03440624de44a022a04ce6a141ea4

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
96KB

MD5
6288d6053d87b47b47cebd392d20e47b

SHA1
dabf4d53a20467833a7465ca37ea834fd2304b0f

SHA256
3ddda40180066b9e05b5a46297b4b3f40d2a32fce2675d1082827579b9148845

SHA512
badc4e0b969065a2190393ec932321fd7c2841bfb30af11809aa24f8d92f619577e327e05cb7bdb348d17f43a8066c63032c50a34e9be18944351693720e1ac7

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
96KB

MD5
69bac518b2d395809a2d23b0cc48a884

SHA1
9a9eb459cc049905d20c5e72c14b9ca4787a1003

SHA256
2c65801ed8d5e478c75c3c4ce5d4a94850da1658bac7dd8c9296dc2b2f18231b

SHA512
cc0778fbe6e1a6b77a32ab5fef2fa93df32f6af1374e485a8df31ddcb7db33d9bb0e7a20a9fa40b3a4842983b2bbf988c9a1b512bafad6585bf3b44fc162b1e5

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
96KB

MD5
45721d9c858eca6fe8f034b5a502bb6e

SHA1
1129f83c0d3522e79f860b4488db54a9ad2e3468

SHA256
6d5dcfffad93c77074fa6c202cd180c2a6715b629a6208d72d43d1600f50a97b

SHA512
76111a1673ab5b72d03606b9cde2cde2b4bb49f7cb5519330218293d1d016991c3b370a17fb2e0f8d7c5c3bffc575186951b31f1564a6ccd21492f86c183d7a1

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
96KB

MD5
bfbe142ef328f550d1f11ef3d7bda0a3

SHA1
663a6c2dc4969ee42d7eef472d4a22fda4b858fa

SHA256
64203e70512a971865ce7f9c25ce21c793ff8cb761e5a11018f5c4495776389f

SHA512
41a6968d0ee4b9fb38b9643edc9e7ab2056c03433a2e1829b04def4fff84d9c70b9ed120d09d43e60864b611266dfff376a3c343a4b9b177e3537a1ba83e27be

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
96KB

MD5
6f1fe0ddfa32dabafe427ebbef6ff37e

SHA1
0cf11a91b6b0e735957ce55fca4130813198796b

SHA256
fa5afaca9d0db4afc9c5c79d108c24f0efbd6a208f64013e3f050c091b8b17e3

SHA512
24663b8f5742561248ff46fac58e15b0639ba18dc87b13d6617300df0ae436c8cc7799bd004bd956d8f9776cd435fe07941f8ca8a999d93ce7185fcccfbe21c2

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
96KB

MD5
c487e16c07b1cbb47821d8eedf1b718d

SHA1
132f31edb67ab0ed7681a99ed9673b6416a108e1

SHA256
ff8cf9a7d8f5e44e06a00d8f6b81fe5f68bfc31776ea9d079e63e17926dbfefa

SHA512
fc39f4f9010887fc75f7c599216d8ce64f8c7a3c3161999cd775d65ec39a668bbe134c2b9fb5a9b1eea1efa92db2c6894f91ce4c7fc9aeda8d70b2ff9373bd02

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
96KB

MD5
6bc58807be3737dd6afe9140c61ed6bd

SHA1
c9e6cccdd3e7401f8042a51c1e9df2ca7800c725

SHA256
118516fce426ce81067f632acfc744e081ece25406d777daa2d8e3000ca89ab7

SHA512
de4a256c2b51a0c0de186fe73cc4e1298b4b3091c6e97f613b7b5b45daf47b7040bfb8f9619a6cf2a10a8b9e608ab5b96a1d89f957e7671564809e8399bdf669

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
96KB

MD5
56351497771954653a0905b77c45d2b4

SHA1
34c7d0962c4a2edec0b7e52ea06f83280919067a

SHA256
a7c8cf52a26d49543c058cc69a1c41944f1f9b2cc6f8deda4f029c4f1f28bf05

SHA512
9f7604d64bae638c55c4256c5ecde7e730bde833aa06b1c2aebfcea7b524af96700c28840254e9de98ff22bf72bcad34f302ea7e7c9b8c11876b00ec7c96b3c4

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
96KB

MD5
d1111b804ef9a53e02d099eb5b482403

SHA1
06e729c8beb096e7897cb58e68841a4921023630

SHA256
8ba6a44b5c37d1730cdb81ea09f632e2dcc037fd5238c0df1e22489c15ebfe37

SHA512
687e0d087d6587b408b01ed484d9fa5466ad7099a67fea012f03ee95181217ace55c8c16fdb661170e56abb4a9172f091da0aa37028148e27645c44a9e2c9e13

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
96KB

MD5
60d1286b01e602280067c214bcd1bda3

SHA1
f98d2a11b45ea604f49426961db42527d1d8ee73

SHA256
2bb26b6852bad642ed1b4a5d47e6c2e1083bfb02f11a23afae7a2a88e943fa6a

SHA512
01127490dd3ad564e097dfc18eaa244817c32c0b10c5fc0c0c3d5c8ddeb23222a418ff7df822f78dc9e85aa1427efec9ce1d9701deffe3328b4ff9a24aabea8d

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
96KB

MD5
2938ab81217362e193a94271d5373203

SHA1
9bcc8cfad2c06dfa71a2b7c4f175455ada3cba9e

SHA256
f5506672e348690df7992115a14ea604958da14c39ea819559252df6351f3ba3

SHA512
061208b1855a37b8ce5e8913394e54d4411587d81c84d3974c03db27caae0fba1a979d19568d20d2065a18fce65368515e43ddf2a5265e7b9ee69dcaff5cf9e3

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
96KB

MD5
6966d7c74c2d24388908951d64ea994d

SHA1
f440297eaf6b9ea5c10cddd78aa2e94858989a71

SHA256
e4784014882270ae1d18f541f69732da1af44ee2b796313f66bf5a74f09dbfbf

SHA512
2315de07b82457ee079ea001c4cb774291e76d8f3e6852e02a752bc6c9ae6ded7bc876673d5f2f3d3a34d379842869134d2a0e6e40846eaf40dbd53e03af4e90

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
96KB

MD5
f6978a52a1781052bf34cee37232e57e

SHA1
3ac40eab93005c1b4a49e08e0488054338a314c6

SHA256
7cca7cc0b4e1c478a8d6eafc97c955c3f2fc797ea179103c94670a764a399abe

SHA512
7daaedcffeea44cfeb01ea70bbbe5fcce2c5273b5d1f67b7903be25e7f93b00f42d22cfee58b634feab9f3d2d74faec941438eaf2f008fc95555bb5a266ebeff

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
96KB

MD5
9fe6ee1ec8a50b1a77dc3e73c63cb72b

SHA1
e27b91fffb49f3798390f1e0551f50fc8c039a19

SHA256
06dd11bdc97d6c56f3644894e9fc93ac5d22304e23c7caecb23df2765b069a7f

SHA512
f394d15af709f29e98e3651baddb1d577db592044721f076512afe2727e9a0f4c586490930f6af3e7e911dd436f66988057099b99e8784d0df9259ff2919972c

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
96KB

MD5
8866d847c95113c24b5a879872a4d812

SHA1
76e1317cc62fdabd8caa327af405fa2cae2e2421

SHA256
78702d36001138c082cf284436fe10c69632c46d33e7f5fba3dbbf6572655543

SHA512
81718a3a02a476e5bfd703672e3a919a036bd695d9ea1853495a6f08aa586bb7b0f8d5c07f40004606e56dfee55d6e35b90a911548c9cee3a043e61d70d4c965

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
96KB

MD5
2074530b2c2c0d04ace7fce5a76b999b

SHA1
788f2184d10fd01280010c5a7fc42790ba7b55e5

SHA256
20398963c64ef2e47dd350b16992bdd0e36b50a4063d2ab045b0593cb7b3dd47

SHA512
285ccfe6866e52139e8ac1f2d4b0e886803d4be6be3b8a469e02cae8828d938cda02a95a0db84e06da5310cbe9c75ba11c8211b246faabab52e94bc494b0bc4f

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
96KB

MD5
d9454b7427022801dad3d5129774409f

SHA1
435f5f7541c3813b38fafe83c972ae48636ce8ec

SHA256
82f909310a227adfa94fdf9df94f27573e62beb27f127d2d78d1c80124a697b7

SHA512
ff31bd8b1eb59624c5990af3519c64dbcc3dd8cc286bc0e9d473082ffa69a6ba8e76cb914494f3663f035698c69b625e28365e3239a75d2b32e2790494b50ff2

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
96KB

MD5
88a3ef69936227843fee875e3f83558e

SHA1
a35412ffecd6c8718a1acb49cd4bab03672ef7f2

SHA256
1f8b3767378f170e7cb0476fbe764c53df66ff6b12c1ae75747be27743db9c3f

SHA512
fc9d65dbf2d604cf8685a40fc0386ed89bc3e6786980e6fc54b047543ea5b41a36b7df8dc8df0c1b20ce8f652b4447a4975b3b31773421f04174db26c057df00

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
96KB

MD5
06a20426f78986e3cd5ce1a10332111c

SHA1
4116ac86a89ae190adf170b5c703a4111c52b967

SHA256
5dc2e74d22596b24d259a56fc78974dc45d6fc25f1e6d3850f822c2bd7a591ce

SHA512
968cbea44ff1008eadcd0ae6b3bbcbc121f602165c7d9b64538be9b37c34e4dc68ab6b06bfbe801e086a191493eb1b31ccad79f088873dd71296a7cc7e30d89a

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
96KB

MD5
ff757a91593a0f8779b52d0e2a734c9d

SHA1
60f656e0f8fca5460776600c98e6be9581701927

SHA256
a99b2e30fdf6f166075fd45d088d65572d2fee804e45a758515a6d99f3625d01

SHA512
3edb4586e97616a01590327afd708984a5f19123d93d3fc945e337790f84fef0dccf6313c40c627c9d87b564ed4b000a5f7c57d1e8ed67126bbc31918c64d42c

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
96KB

MD5
cbbf3e35114a62b0c82557bde1b8b9a3

SHA1
d84d6253d4049473e67d79979a305724f5539dab

SHA256
8966e6c2f458c21828495bc0e3880c515f7c15798eb92411bb43e92038dc4d8d

SHA512
c452b56118f4489aa167c57b73e726ec35d930025a99bb7a87c25d610e17de6d70f7b03fc46b2247e515ef471d65501cd8b1e6230cb4fef9a0e95cf471ea5c1e

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
96KB

MD5
cde875c4e50d89ab0fcbf237865b6c1e

SHA1
84a245ba9493f485395879e7134b95f160aaed2e

SHA256
5237e19a03da8280e85c965a18bec9cf6cc5e7c3a349edd455ab81c1f76adc3e

SHA512
7dc143f65b4b2ad7b8d452cd5136d169716d35b1a67c8427cb5f3d1216d7199710430c0e82f83103fed059a573092d662c7ccfaee8eabfec91343eddac80c21a

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
96KB

MD5
e866b41ee84a872b2f587d2ab538ed95

SHA1
f0b3b6ce8088faae588c85a60c26bc2c9083e243

SHA256
03edc34c768877527e64317efb5a117e7b4635d528f0b08e9a74d783c81c2c4e

SHA512
a813b1b54edc659a6b8011ee781a8562a675955f84d13bc65f839ea0f7174f8c1eb38b64e8fce9b4a6b195829e9e04c69bc175ca1f05c68775a431450e24cfe9

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
96KB

MD5
c395e6dfce24f414439db67c498eddd4

SHA1
5df7830972cf5eaea2db21fc492dc50bb8e0189b

SHA256
e23c81e52e90eaf98d77ca025e8f2b426035a3b80f861e8885cc17cce0fc0547

SHA512
464d91d8bb6a0b38f9472f0e36b052b7341fff366945c62f5ff4eb5a00fe396290becde2bf4a454584a722ea25d76231fb0216e23975aaa128d69130af32e1e1

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
96KB

MD5
296224f188773d1b9d643dc96f539e42

SHA1
851ecb2740ed3d122407e9f59f873ecdf6f11f21

SHA256
a6c32808c3812ce5a4ec022ecf56aa0ff2f075acd5dad26429e1efec838e2d46

SHA512
f5f8d9982d4e68ff70054ec65460e6aef8e658a57b6f3f95cef585ea99dbd3e8cbcf8bbc7d0ede8cb1261fc0a382945254643e291c0e1d1b14e321c0e2b0fb0d

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
96KB

MD5
84c511305758cc9a77c8d3bdbc74f022

SHA1
2cd0d3cf0472538c15498f04ec896c7284818f31

SHA256
ff3d134d15a557de00ed952267169ba5c2d836afbdee3e9d22eac894875f61bd

SHA512
e8c7eefe29910c3b398a6330125a816b1a711803a20666aba5c9982c63cbf3044c0d674e4e63f0bcab8144f76f4e1dce4d562b32b3243548241d4ac8784256cb

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
96KB

MD5
3682eb5d860d19bfbe51f325388b3b8e

SHA1
f1414cc3e0f9d3da65508cb4bbf86934f0863383

SHA256
753d5de8bc66332103e837b542c3383fb0bbe74e443eca106a7c9d0bc555c605

SHA512
d0f36c0fcd5e42aa2e4f717d2d5ef89e1503d62dddb3e9f23eb68dc855c3023cf370a833c3056f6f56948357f80ba7180cf26c6c420f29954c8e99e6e671e912

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
96KB

MD5
1529fca9df18e97fffb54596ba3cb17f

SHA1
f9f4dddb006cfc98d5951f738502b7d8edb5f443

SHA256
41c873255e5d629ea2bd57ae6f1d6bcd5db0146f6a9e2d100692939c5505e74d

SHA512
1c9a2e796973206a3d9473f91ab4339421b4d199b0ce77bc394be7891a69891ba8bf14e8e9851532ad222e3fbac791ebdef55753a6b893ff2224f2c4c220bdcb

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
96KB

MD5
c810f38d956c810cb54f6d9718e04845

SHA1
76a71bc3d1f9ee9611cd89bf62ebfd16dd9f8282

SHA256
dfd06f16563516b747ded66ec62e89d5639b6ab5e139971879fc4f0a545d82d3

SHA512
9330480350f072b8f2877d34641a9e207e6ba5e9550be469cf3b13862ad4e0666972a19bc1e4a70de7fe3cb7ff460c7dbead55511c343a583736c573089a3773

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
96KB

MD5
83c94525a0b8aa5152ee0557bcd7d9fc

SHA1
0632a7adf2e1605e56e702dd4f50b294c8611660

SHA256
d138c24a9cda6343ec0096a3d51b6918a75f22ea1040de03881e3a418c167268

SHA512
21cb497b385e2c434974ea4a3ec9995fe795d8623fb3a3d03de3109b5ef708998b606958340cd0e8a836ddab95b21b726404fd8ba03fde1e72dfc7356d64137c

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
96KB

MD5
3ea9608012194775f7b9af89e91b930a

SHA1
d1c5749734f2a6661ac5c21700d04c8c7916f450

SHA256
f3fc6c9f7a52ba55a30563c6ab93fd51ac4e25e3c3ac08d60e7a2c11911d8911

SHA512
8943c44b53ee82488373f041df81de4387ab1dcc21f995305283137628fe99028aa0ef01c00f9f45c8f992af76f0d661d2f886f8a8208ba5bffb681a2b940e33

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
96KB

MD5
d6fcdf0ecf235c9201a02f012ba1dd3d

SHA1
22586908c4d1010b183b56ad59dea70e5eb2e817

SHA256
42e83fde86af7b1258bfd27cf87904553932f5445bcba245b651029285e5107d

SHA512
c0472eb398371a244828ed51a398cd31e61d163a5e72809755d9175e09e243d05760692d58299e290f6aa8f9b97d78f5855ae7f982c7fe3bd57cd7087f7db5b8

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
96KB

MD5
168121b452481c55a7b14914564711ba

SHA1
191d8ee333cc01c677f7a2bf526f39fbe8243676

SHA256
91a2d45e5d874fbab2b418c9f74d0caf03fd1e0483a83947af3d2431f066aa04

SHA512
a82d5eb1dbda194cbcb12208cef49a0a1c7c5e40c8d1be735f3deb3e73b3b2c2a9c0534e192cdd5444503fddb0c51ac2b84992027c50311fbb312127a3376251

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
96KB

MD5
26fece4298711e1922e894a9a2c2d4e7

SHA1
a7f00021bd1c36979a6f9b871b3d0084419bce9a

SHA256
4298032470debce6b678c9d7c75f4c544d8c69bba8093b304a795e5a8a7ca037

SHA512
9fded32b63fe76c71b6473c4f0373370c48ddda6e7ee506e16beb004154c05812c4a68d7153c396214e2c7485935ddf0d8345e27292a047b4c1a5756c575c5f1

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
96KB

MD5
2b11399efbba8d1d763ac2f5463a2695

SHA1
5616befbd7ffc50b9ac8c634284cf38736db6a50

SHA256
d8f9f54333bc574313b9eea2466665567e547f3988d820509507e7f3e25de4e0

SHA512
ba92361be343f6abd7065e50839670183a617d24f9a6c02e64c2a2239a0d2ff26c6fd56dff3298303eaac5716d201b725a0f9ac9d0202aeed9851e3e93e5ecd9

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
96KB

MD5
63f9cda47e8f11549f2c0f6b0456a3cb

SHA1
51b2d11602ef6058cb14aa0876a53ded842db6bd

SHA256
2f4f58b4e94660fbef2d87e576fe33a564eeab5b4dd4aaff27487a6d15c158c1

SHA512
27f5c63f4c4479f3db82420ba0a6eda67e18085ede5ff6bab4b9f7b7043c56fe73b92c98be1d0c2ee0dd6844892a8a3aedbda605c0546d9fcdd523410618e509

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
96KB

MD5
c780e07efb48310e11834f16d0a5d908

SHA1
2bf2cf3297e2fce78a49963d74bee8c6560b23e2

SHA256
c8e59ffa86e150cf8d0b7b54fe9c3538cf936d43aa331a703f1cecbdb6d44568

SHA512
d71d19d31b34fb0dfbf50cdabefbf3a94f73721f74565135a2c35021063e99d71ff6ed9ea394737e46f313e1433febb3f513faa84c22c8304b73d115df3414ee

Download Submit
C:\Windows\SysWOW64\Jfjdddho.dll

Filesize
7KB

MD5
9523773066bfc209c46d119bf4b70144

SHA1
99520c1a075ad8ea929f3ec059eea3f2231869af

SHA256
1686e6ba04f6dc89c8f983e496f1a561fe6cfa0e3324f3a94e5e449eb34d632e

SHA512
88a3cc11f0b022367648c1500146b72889979334c4086af328003e8c247c33fe54ded4411c314e3de2cb4c81dcf0415b9f26b7335761b7c62b7c0de8a290a399

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
96KB

MD5
c9e50b0b04d11dda05d96f1d20275911

SHA1
0197941f1d7ef77e618fdebe09973911d504c07c

SHA256
114a65398319ff6e74e9830c35232a538ed49bd03092f09b1aca23a1a96cd516

SHA512
0734f37b296f995ff2a6291c6ad304c471c0b3167f04ee38b77a678411f976e44a496a515aa02011c1cf5b280fc041ca81db30e37bd6c6dc6af881b2c93abebb

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
96KB

MD5
6b3db20949f06443392de28f0640992c

SHA1
51b032b6cf506a9c64ba584590f133eaf1491ecf

SHA256
6afd24bedef321d32715215076167d9ebd4757099189b5143e5c16879298b9fa

SHA512
69e9ce138dde11c127bd7ba6f37e3d8c5d0e8edfa49b2a585226608030d42c7603f2cc7db12eaacbaf396b6d961855275a8fd3d5c9f7832efccabbc94c5fe6a9

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
96KB

MD5
f5b113d99e693a442e5d4c16a0cf3b01

SHA1
d6faa5546fbf624c78bce1de7040dc36f4f16e11

SHA256
96f7aa1b23d8af874f39f1af409c84c395a75e38bd3a7fac92a62b5fe01f47ad

SHA512
b950ad6a0ccd2f69566bff76f8d2c8a18d7ad133554a59ef91cf5562879d07b109894adb5764da20fc01047dbd0d1223dc97c9b97d4cac7639d98f166564b962

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
96KB

MD5
cdd9b7954dc55bf3efd20cc08928d59a

SHA1
2bae21d299c0d1a440d35ea1cd5e1fefd47c7a4e

SHA256
4c8e72aa2a04bb20b07f388bde2777b8d5ababf90b68fe113cd4591079b8997f

SHA512
9bde9e4f81c77119a84fbeade71838add14fb96d322889b07546d16d9cbc68d8d22003c665b66f31cdf4120ed749e9b30964450d5d7ab328c5ba313ba1d6541a

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
96KB

MD5
90e23a6d1d286118d13843fd3ac854bd

SHA1
dfdcaf2734d795c0821826c532523c25cc84eba8

SHA256
953235868a2cc7a184730f715f1658ff43271cba0b59ad9751adbb73824565a2

SHA512
90aa1cd97bd2d450566bfd8467cec669385fd68208243cc538e5474db4211c3dd2260bf849d982971888d4c4ec61dd2e6068ac790a1e2e2346bdc49b5c77c3fb

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
96KB

MD5
9ebfd946ca9197f6b75440290dd391b6

SHA1
7fde8d6fa3e8c8e2fecf3b8354646e142ecb777f

SHA256
f8d28f54f64b88e2cd5a4fe6b54411262e18d8a1ea3dd5b6bea437900ad2a09e

SHA512
ce32f6b96eeccb77c7e838d08b51cb2330b7fe94afe47ea3b5d93377e628b3902bffbc97aaa3c3ff82b8093d717e44c89704edb9e32b9a62078887e7418f8690

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
96KB

MD5
afb8adf90c879c59aa3589c2dd4a488e

SHA1
0313c83eddcf4a469dd98ab4963a050a1ac2af6f

SHA256
0fb1e451336ee54671a6b6e9ce9710e93105f782e63be8f051ab5115cd40f3b1

SHA512
2d50b7aaf18696489abde534fc0f18fe06df65750be45043043eb07d62aa8080ec90725b931c05639447bea71df6344bc8883cc8effe9846418f960b91480d38

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
96KB

MD5
24480cdb2a1a5e5f05cf834178506aa8

SHA1
f35fbaf059be7dc88c3d9b4d452ba0a6720a4f8a

SHA256
dd4a55896de64ebca4d1bc91e81f48ccf2235fd4252df8f950e03af21a7f9d20

SHA512
b60144e5fd7b6cb0f36e8226842ac1d539cdfdde59d50f283d71e5035a4af0472dbbc52fda6d999c44149628af71f2d9b59d06ab7eee355a67db0fceb8cdd3a2

Download Submit
memory/336-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/392-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/392-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/396-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/432-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/460-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/676-482-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/828-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/928-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/968-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1040-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1100-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1144-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1224-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1332-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1332-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1432-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1436-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1460-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1492-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1620-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1888-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1916-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1916-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1932-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1964-459-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2024-500-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2088-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2108-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-550-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2204-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2276-507-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2472-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2492-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2616-566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2728-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-164-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2752-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2760-587-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-434-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2784-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2892-464-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2940-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3140-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3184-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3252-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3312-561-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3420-227-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3496-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3528-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3584-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3676-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3680-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3680-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3760-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3864-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3936-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3972-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3980-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4052-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4076-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4084-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4224-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4304-446-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4312-573-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4324-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4384-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4428-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4468-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4572-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-580-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4868-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4916-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4948-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4956-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-513-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5028-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads