107aedf65164357c8acefdb62aa9b00f40e69d84b57842bf868ab905724a345e

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

911787084971c46f56bbbf2115d533c0N.exe
Size

148KB
MD5

911787084971c46f56bbbf2115d533c0
SHA1

5e1cf87c627e05ae58e1f3acb44b5c84f40bc783
SHA256

107aedf65164357c8acefdb62aa9b00f40e69d84b57842bf868ab905724a345e
SHA512

ec68581748035ecb7bbcf392ed82b84ba5b2bdd0853b46a10620757fd7c8feaeb8d28d79ca77197656938234209a97d12dc2488f71271e94be462c3648d18d5d
SSDEEP

3072:U3QdXsHuEmYzqY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:U3QhKzqKOdzOdkOdezOd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe

Executes dropped EXE 64 IoCs

pid	Process
4652	Kmkfhc32.exe
3724	Kdeoemeg.exe
4924	Kfckahdj.exe
2680	Kibgmdcn.exe
400	Kplpjn32.exe
4952	Lffhfh32.exe
468	Llcpoo32.exe
4740	Lbmhlihl.exe
3588	Lekehdgp.exe
2272	Ldleel32.exe
2104	Lfkaag32.exe
4012	Lmdina32.exe
5016	Lbabgh32.exe
2516	Lmgfda32.exe
4060	Ldanqkki.exe
3000	Lingibiq.exe
1928	Lllcen32.exe
2684	Mbfkbhpa.exe
2240	Mipcob32.exe
888	Mpjlklok.exe
3312	Mchhggno.exe
2000	Mmnldp32.exe
2304	Mplhql32.exe
2160	Mckemg32.exe
4796	Mmpijp32.exe
2884	Mcmabg32.exe
3952	Melnob32.exe
4780	Mlefklpj.exe
520	Mcpnhfhf.exe
4316	Menjdbgj.exe
1316	Npcoakfp.exe
676	Ncbknfed.exe
868	Nilcjp32.exe
1040	Nljofl32.exe
4940	Ndaggimg.exe
3492	Ngpccdlj.exe
3332	Nnjlpo32.exe
5056	Nphhmj32.exe
1312	Ncfdie32.exe
3652	Njqmepik.exe
1496	Nloiakho.exe
4840	Npjebj32.exe
3552	Ngdmod32.exe
116	Njciko32.exe
960	Nnneknob.exe
408	Ndhmhh32.exe
2704	Nckndeni.exe
756	Nnqbanmo.exe
3456	Odkjng32.exe
1208	Oflgep32.exe
2984	Olfobjbg.exe
4820	Ocpgod32.exe
1488	Oneklm32.exe
1960	Ocbddc32.exe
4048	Ojllan32.exe
640	Olkhmi32.exe
3476	Ocdqjceo.exe
1596	Ofcmfodb.exe
1432	Oqhacgdh.exe
1012	Ofeilobp.exe
3836	Ojaelm32.exe
4900	Pqknig32.exe
2976	Pgefeajb.exe
3800	Pnonbk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mmpijp32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Jjhijoaa.dll	Lbabgh32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ingbah32.dll	Lingibiq.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1424	5496	WerFault.exe	231

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkfpo32.dll"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll"	911787084971c46f56bbbf2115d533c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 4652	3112	911787084971c46f56bbbf2115d533c0N.exe	83
PID 3112 wrote to memory of 4652	3112	911787084971c46f56bbbf2115d533c0N.exe	83
PID 3112 wrote to memory of 4652	3112	911787084971c46f56bbbf2115d533c0N.exe	83
PID 4652 wrote to memory of 3724	4652	Kmkfhc32.exe	84
PID 4652 wrote to memory of 3724	4652	Kmkfhc32.exe	84
PID 4652 wrote to memory of 3724	4652	Kmkfhc32.exe	84
PID 3724 wrote to memory of 4924	3724	Kdeoemeg.exe	85
PID 3724 wrote to memory of 4924	3724	Kdeoemeg.exe	85
PID 3724 wrote to memory of 4924	3724	Kdeoemeg.exe	85
PID 4924 wrote to memory of 2680	4924	Kfckahdj.exe	86
PID 4924 wrote to memory of 2680	4924	Kfckahdj.exe	86
PID 4924 wrote to memory of 2680	4924	Kfckahdj.exe	86
PID 2680 wrote to memory of 400	2680	Kibgmdcn.exe	87
PID 2680 wrote to memory of 400	2680	Kibgmdcn.exe	87
PID 2680 wrote to memory of 400	2680	Kibgmdcn.exe	87
PID 400 wrote to memory of 4952	400	Kplpjn32.exe	88
PID 400 wrote to memory of 4952	400	Kplpjn32.exe	88
PID 400 wrote to memory of 4952	400	Kplpjn32.exe	88
PID 4952 wrote to memory of 468	4952	Lffhfh32.exe	89
PID 4952 wrote to memory of 468	4952	Lffhfh32.exe	89
PID 4952 wrote to memory of 468	4952	Lffhfh32.exe	89
PID 468 wrote to memory of 4740	468	Llcpoo32.exe	90
PID 468 wrote to memory of 4740	468	Llcpoo32.exe	90
PID 468 wrote to memory of 4740	468	Llcpoo32.exe	90
PID 4740 wrote to memory of 3588	4740	Lbmhlihl.exe	91
PID 4740 wrote to memory of 3588	4740	Lbmhlihl.exe	91
PID 4740 wrote to memory of 3588	4740	Lbmhlihl.exe	91
PID 3588 wrote to memory of 2272	3588	Lekehdgp.exe	93
PID 3588 wrote to memory of 2272	3588	Lekehdgp.exe	93
PID 3588 wrote to memory of 2272	3588	Lekehdgp.exe	93
PID 2272 wrote to memory of 2104	2272	Ldleel32.exe	94
PID 2272 wrote to memory of 2104	2272	Ldleel32.exe	94
PID 2272 wrote to memory of 2104	2272	Ldleel32.exe	94
PID 2104 wrote to memory of 4012	2104	Lfkaag32.exe	95
PID 2104 wrote to memory of 4012	2104	Lfkaag32.exe	95
PID 2104 wrote to memory of 4012	2104	Lfkaag32.exe	95
PID 4012 wrote to memory of 5016	4012	Lmdina32.exe	96
PID 4012 wrote to memory of 5016	4012	Lmdina32.exe	96
PID 4012 wrote to memory of 5016	4012	Lmdina32.exe	96
PID 5016 wrote to memory of 2516	5016	Lbabgh32.exe	97
PID 5016 wrote to memory of 2516	5016	Lbabgh32.exe	97
PID 5016 wrote to memory of 2516	5016	Lbabgh32.exe	97
PID 2516 wrote to memory of 4060	2516	Lmgfda32.exe	99
PID 2516 wrote to memory of 4060	2516	Lmgfda32.exe	99
PID 2516 wrote to memory of 4060	2516	Lmgfda32.exe	99
PID 4060 wrote to memory of 3000	4060	Ldanqkki.exe	100
PID 4060 wrote to memory of 3000	4060	Ldanqkki.exe	100
PID 4060 wrote to memory of 3000	4060	Ldanqkki.exe	100
PID 3000 wrote to memory of 1928	3000	Lingibiq.exe	101
PID 3000 wrote to memory of 1928	3000	Lingibiq.exe	101
PID 3000 wrote to memory of 1928	3000	Lingibiq.exe	101
PID 1928 wrote to memory of 2684	1928	Lllcen32.exe	102
PID 1928 wrote to memory of 2684	1928	Lllcen32.exe	102
PID 1928 wrote to memory of 2684	1928	Lllcen32.exe	102
PID 2684 wrote to memory of 2240	2684	Mbfkbhpa.exe	103
PID 2684 wrote to memory of 2240	2684	Mbfkbhpa.exe	103
PID 2684 wrote to memory of 2240	2684	Mbfkbhpa.exe	103
PID 2240 wrote to memory of 888	2240	Mipcob32.exe	105
PID 2240 wrote to memory of 888	2240	Mipcob32.exe	105
PID 2240 wrote to memory of 888	2240	Mipcob32.exe	105
PID 888 wrote to memory of 3312	888	Mpjlklok.exe	106
PID 888 wrote to memory of 3312	888	Mpjlklok.exe	106
PID 888 wrote to memory of 3312	888	Mpjlklok.exe	106
PID 3312 wrote to memory of 2000	3312	Mchhggno.exe	107

C:\Users\Admin\AppData\Local\Temp\911787084971c46f56bbbf2115d533c0N.exe
"C:\Users\Admin\AppData\Local\Temp\911787084971c46f56bbbf2115d533c0N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Windows\SysWOW64\Kmkfhc32.exe
  C:\Windows\system32\Kmkfhc32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\Kdeoemeg.exe
    C:\Windows\system32\Kdeoemeg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\SysWOW64\Kfckahdj.exe
      C:\Windows\system32\Kfckahdj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        23⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        29⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:520
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        33⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        34⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        38⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3652
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        43⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        45⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        53⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        54⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        57⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        64⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        65⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        66⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        67⤵
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        68⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        69⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        70⤵
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        71⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2204
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        75⤵
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        77⤵
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        79⤵
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4756
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        83⤵
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        85⤵
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        87⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        88⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        90⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        92⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        93⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        95⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        98⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        101⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        104⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        105⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        106⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        108⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        109⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        111⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        112⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        115⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        119⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        120⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        121⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        122⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        125⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        126⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        129⤵
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        132⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        138⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        140⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        142⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        143⤵
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2200
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        147⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 396
        148⤵
        Program crash
        
        PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5496 -ip 5496
1⤵
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
148KB

MD5
10212c23af8a06b6a636998ef3b91c01

SHA1
2d2ba291299bd322b439ad872216e1bdc77af1ec

SHA256
e86c62e47955c3d2eab631056b4af5f9514133db3bca9075190fbe607a5c1f6d

SHA512
a7b71bb95435d26d7ef8dc9aa90d941bd966f025b69ecbb8bebe5807f33ec7e0fa7b63075b36c2e82b0c67355218a1337e6c06068373fcad6843257c9338fd5a

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
148KB

MD5
85ad403391cad60108ebade2bc7c98ee

SHA1
c597409b8aead503fb2e9e88a2a5c482d1e1ef75

SHA256
6774234c73e17f1032c3b8525e06b0648ac887ae1e4f952a7120fee43fdcf97d

SHA512
15ea144d695d403dc37b9fc1923f234bcfaa242ec4be5034b55aef9c052d58653a7701841de3794d8daf291b5e7bcd9720064ec719e89bdec6db6210932ef1e2

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
148KB

MD5
7e4e37255b23d2b4ddf8d7ecc91286ba

SHA1
01de1766c8afeae2b9f8f84ae4083935eeb35b48

SHA256
13406ffc5da0c08ed0e2a11baca75784205b9f3aae92087a57c8128e705d58c6

SHA512
8eaf7529267ad02e5f44528794cff11cfa6199ed33559bb0a6cc096e95644c94832a7ca34ed1143108d89bf82480ef0d34424dd13c3491b1cdf7dc2953671cee

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
148KB

MD5
147b1bb22e9261e1eb3248c41a91815f

SHA1
2dff30a31fa88530ce82d68138a01703acd9f895

SHA256
c7841684e56677acd072e7f166bce11f9f569a5b2359553b9954a8c2251bdee1

SHA512
8e8273f6cf8bba779f268f7703366210cadcee28066693522d0ab9c1fd1f47b1222873bee82d224d2a67ef1e62fae94859df6aa1d37618db62989555fa3a7502

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
148KB

MD5
9ff71cf76bc6e04d3b5fbdf55821845c

SHA1
fc2c3e5dac0c4cf49e9c6ece5a754c2dd8889967

SHA256
f1d7ea95e23986430d8854db35c50831c15299784ed8107f80ec806c1e8aa163

SHA512
5a719c9b21abbf956dc2889227e671d77d0042c414213ad0a64fe75f7784f382dbe2d2e9f73b58fd7282ea841318c1d470729afd6500232ea33faa6e76a34b88

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
148KB

MD5
c3658b57263c9a99e732edc254e668de

SHA1
6bf554e4ab07a43f3556f2e509dd1dff4baec76f

SHA256
ce32f12f996a8b2025a90925a009995c3780653808e4b2888cf68ad64a53f1f2

SHA512
bee44f05b13229586539a6b3c7d529e9c99ce1072b58719dc252c368271c111bcbe2f961a2d76c5968df85b838c6ee0a46ea1ae247e097c7ddc02675aa3a57de

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
148KB

MD5
f69bbe93aeca11502308daa8827880e5

SHA1
7f96ef6237d059e663ee97c8c8db2bc63e7ec995

SHA256
c7c4156fceb3a7179a88a00d53ee0dcfac4ce7008ce7c4e779d6488e994b848c

SHA512
15b113271d8834879a48886c3eaab04ca8a1625ea1d9d569c8dc3493d90fb97f4cded0b9c7bbf61030e01f3b4c58e8cad3aad1f641091b4f9b860d478811531c

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
148KB

MD5
feae6a001f744539d7332245d30ed5dc

SHA1
4e9024e06c21179f1dc2f5705211cb1ca277f24d

SHA256
1651bb574317602d6ce780b09f72e3ca144d612b1157e04e1530733280074d73

SHA512
fc8e858a428379dbef3116b256f2e5867d7bbcc137dccc6d26eb2da82b849a45b7f57615b40bef4c41eb58624ab18df2045d46e698d4e4c2e39dc2a8d867506f

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
148KB

MD5
3c59eefe03d76fa8f5f0c0b4d2071fb7

SHA1
5c8c59b9e148e7476270fb8cbdf0b83124ff6117

SHA256
73170b89cb56e5b9cbe36633b1f2f25cc67118beede53f7077a10de3e9ba1923

SHA512
5a4d798dd70abceeaf3df271b16fc2af37464e7daffc4fe40807fb544c941ea49d65acebfcf213b3ee393b223c1ce8d6a375c8c39927657ca57d877111426e06

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
148KB

MD5
67499c7eac43afa21c6e85e6ee06af41

SHA1
ce1b622916553b03314649283943377f60bb8668

SHA256
cfcee94215615e0a1eced58c6401c980412d5fa060d44e08c8c19155724ac436

SHA512
dcbb1eb0149db5059557e4ec135b5c8c321ac1a5e12b573a5db1cdf8dcdb3365507d1fdeeec45066d2c713f8cb1feea1bfcf3de88e6cda0dbf2e81fc3fee3e63

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
148KB

MD5
4b0de8c9266ce3b5b8b8c38dce5eb510

SHA1
fb5bd9789a4b7e976e9db08b4b87b24a35dd0a25

SHA256
9ead4e93225ddb7cfa8fb6fb6ca797158065442d4bda7fffe425ada31290c64b

SHA512
5b2e6fe3552c42c66ae097d75017c2e1a028dba68716ef4cc10e87a293690ff018e473fa0a46ac49ca040632a774d27c74ff5540774da538185b15e99c4e48c7

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
148KB

MD5
7b93b5b346561ee46d83c6d9d964290b

SHA1
cc4dc68ff6f106fdb696559ea141c6d6c5da465b

SHA256
84829a9fb3225a4175c8c784ac472fed14b4bb154255f38ad38494a516dba505

SHA512
e60573ce33b6ac52816c4b52a3afda54be9bec39367fc1eef8d9f8dab750ab9cea5740153878213aed91846e74ce3b7f0096fcb3442064999d4693d60961d76e

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
148KB

MD5
3235232a285563331827e480102d12e9

SHA1
12c5c229c5ec60ad9a183c2b0c3600fd92af53ce

SHA256
c0bba804fbb40878b2a893c36ef9d78d67f2070a05f44dfc9433a4669449b99d

SHA512
9b2470e57f61ebf320ec6f81bb39431baa2710c90cc274f17fc6ca12dc5e47552b07d9faec9ff2faa33f45a891eeae0607d3e91aedd25b56c9fcf715a661c296

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
148KB

MD5
4e48c4f3a354c9043239956f61905731

SHA1
7190ae1a2b4dee8fa60334979676dd782a32e074

SHA256
2a8cb5ca6d17e3fd646ef89f64b23f1e06bb5f0005b9dcc4d00ed548d386177d

SHA512
7d4a0912f2f8e494c58105dd8f4c89137bb00f2d565500a1778b89a4942bb7c65a3c8e5c18da13eed02ec8b3cb4e48e4846676275eaafc32d8bb9be9dfd44b30

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
148KB

MD5
67d1f31aac24a037c4894090c9a82c95

SHA1
1ff358e509a3ea7bc195039cf0594522ac4b04ab

SHA256
39988d8a2e278725e45e23a85e80620b3348da9e9bcd41287f60481c1f199eaf

SHA512
d7e10360165b1a62cc3641538c2cfb3d75bea5fc9b0fe6e9a8163151d000da134300606346ba6d892f31f44e3f131126323b8f04cc874f2f3c406a2b598cc4e9

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
148KB

MD5
a61a2f59f429998c9f2e78c6eb8c3938

SHA1
bc2f7bd2fbad6040fa897d9d3e2c4669f492c717

SHA256
2aa8988177350c2b59dfb76de5addbc555126b2927c0c8a4e0cd14011e03fff2

SHA512
7a1dc5c3fe45f3d7c29beb944e8f8134b9d63879c3d78f49defe327da705f5227ed25b47b361a55389aa83e197a481f7323300ccfdbf53a8ae2dd5e1c8956393

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
148KB

MD5
81a5641d487ee062e3bda1d0146777b0

SHA1
5094d2094de1d13b8a5d7b6bc06eefef024b820d

SHA256
33e73476b56d7c299c6174e542eccb3f16a1a8a07d03fbc3d79c4f811b4c026c

SHA512
bc48a0db78404d86607772b5600c01854e72c9883ab01f3f881bc1517c3c10f6218c96590c9b6a20c933c5e12e32f4632af5a6bae9739e8104e41eda43c3f4b4

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
148KB

MD5
b33558b71343f7462606e8055cf8a66d

SHA1
c8816553834fe980209bf04483c9e47ccc3dab58

SHA256
400f352cd63783f49a197de6678850ebc59f42c51f717088d7d7022d916776eb

SHA512
6b9395005c2a55e235178517f6808868f6c34fd98abd5365b1197f208383872990d8f1fad90b0a7e6a4ef785b4e205f4e87651ba3b38d13c4625b60df037b9ec

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
148KB

MD5
c6e8f61073f2c3d9411f319f47f0855f

SHA1
7b085cedef35a901a84243398d36128f8e8ab99d

SHA256
61d26f2965d70383c522e4e4c2a11d52a1a4294b1962dec6811933fe97fcd5c8

SHA512
08eb81e9441e07ff6253de912355a875c586fb620da3523e633e074679d6d2a6d1e3ab81cb4fe5b7266030b1149456a4018333fd0511d33135fc7d6ccd7b0631

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
148KB

MD5
9ddc1e65c6e2371c9b5e99cc3bf9ee4c

SHA1
fd7099c89cd8fbcd7b44b4e1b67f285e1895817a

SHA256
ea939fc54fcda466eebd6506a475bc22295bd85a1130c2b8f9ea6baaa652f5d8

SHA512
0f4430482cf156a694c1b53c4c66d39f96744f8e64be80b75f909ded74ef9e92ad8b68577a075ed8f4d9de4a354bc1bdc740068909d48a89a4fb8403b4309f53

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
148KB

MD5
5a042473b73f9dd8b7869482d4a44a0c

SHA1
5a468cb6e18924f583a1cfd666f2ca965711d2f9

SHA256
4f7a84e272884fbdd275008f53f7d2ce0493c54467950285facf13ec9cfa18dd

SHA512
ef55978d47a1144019186de778a478477ba79aa687b72a00fa627de56d0c03e011061fe1604ab4c41dedcf89dfa41974a226696fa3b2773394eaf6d2cb463710

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
148KB

MD5
76b4b798994f724e13325dd9dccd2017

SHA1
2c111ae588b4ec220ba7651216c87c75d5f4605c

SHA256
d84420dc2ac47d56a8c5233478d95beda35e15ea4ed163ff5537223c550973fe

SHA512
6392232247f187c41f36a6db150f27001a2f7553c013059a560c873866b7efe114ec21ceba16700e807f2d75e291f7fb22aea530639a893021b0c0f247859038

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
148KB

MD5
a7f6dbf9bd9461ed1d1f7befafe4648e

SHA1
6fd69835f68c0b2ecf02488501c50f3d47e42ee2

SHA256
ec00f86b41b1021b0dcf531deebe384a3497c37ad600f83cf30de85f2d5868b8

SHA512
744929d2c8f62efdb455d32a43ba2ea8849e7a6ffd107be740b182ebad87ecb262efb2691d61fed1f32657e176c09b63eaccf4efdd88be52ce0297a5ab814844

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
148KB

MD5
63eb9db349914a074eecca4a187ada8f

SHA1
88cc31fae997ae98c0955db17ab3ae0d5983e454

SHA256
a8dd84063058a60e87d050f37f4685ef49ff228c04ec19bccbbca4445ea9ca81

SHA512
8bb2d7f8b3849ad79152e7be913dc856e9b7c4ef99c446db13f12e9f5fde47be3430646225ed8cf4cac8228b10c2d022bb5d8dc59b8a9f6e11e3c4606a53ad6f

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
148KB

MD5
0dac084bdf4e7bd55f72ec2fd2bebadf

SHA1
91a404e4279b36a8a14699d36a6e5fcf31502184

SHA256
274b4b19ef3de6f84b865eec4636b279432149cea224e6bff783d97fc483df40

SHA512
2524bed7a2155fec53ed04263fe50ce2750edcb6449117d41b94cd8e870be137cd5291a703dd60855082efa93621d5245103cd61cb364f255c5f8024001b4d29

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
148KB

MD5
fd85ca2ebdd1491a1580b803d379528d

SHA1
47e12a5970933439e5d7de190cfbcf3729e0219a

SHA256
139954f0f4334026b38d48a667197e113f0890af0f3f7bbba0777999924039c5

SHA512
53c298001b4c54f759abb793973f6b474bc1a4a77da170375cb3c2b1f88d0605b08270766c1fd839cb6ec220d9d5011216cd803d2a6ce9504eb210cee85dd109

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
148KB

MD5
a902f9c1e50c778f600990f2efbfdcce

SHA1
09f54fc3d958c34836fb5cc011c5fd6e43586e7e

SHA256
86e7f7312b7a9539b2a8753f88e73656c9916d4d308e1392356749e3db0fbad7

SHA512
fc8dd8b7750feada3b59db9727fedad94213435c2eab5dc198e251f22c1e366e6dc2b6ca4637938ca6fb81150fc42d4cd7d374ef60afeda67d6b55f1109e2a0e

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
148KB

MD5
cb368a2717c2784a7708db5711af1682

SHA1
3825f0c1b56ffa52b27efe1a0ad36b7a661cff4a

SHA256
f85d79bab5702b8f88e80b0dbb1e0643aa9dc5973d3c9dcd30fe9f3e4c27b927

SHA512
ccb4b8dd3b263da9f380603fbebe71d191460182e3d1b6ea986489618c33db9a172ae7c1037eda1ab7fba50f052bc7655c4667c6248638212997f825f7ea6dbd

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
148KB

MD5
4f44e4b349edc495fd624238cf9113c0

SHA1
bb5e5e8053a15324cb3ba4645ecaacda15833737

SHA256
4a6e72ca2d2b44059090fe8686a6ec1cad4afeba4a4309e7ea14ccdaa2292cbe

SHA512
0c5b31604b789cda032d91c51123a00ddd02d2e9707345f252e1b911b9d0cbcdc5dffb8eb57c914a798a1869f111806c4aa970e59876860cdc863aa33fa9e914

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
148KB

MD5
7a22374d5db5d4d46cd19d760cf718b4

SHA1
cb1402cb26933f00c8162dbfaab0c2335ef1ba4a

SHA256
15f42ebc09ce50b2f43e64bd344b63ebd3011519556b5f4c25f670b03cf0e5fc

SHA512
32498c75e8a906e7be15c89edce6d3960faf924a3283ea8090e3dd33d1c34a90207694529a34748734f047b3a4dee27059fadf69e337221572bbff659e48ad71

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
148KB

MD5
adcde419683eaa42ad0fb269137d6e0f

SHA1
2c363db1385ed11a4cc88937ecba6b37be3b9288

SHA256
0cff206429c285f328e0a0eec8a11c74fbc1897393659d207635d0ee36e0902a

SHA512
1e08614fdf125045e20fe4255b6a02af5d3016ef14482411f0d4f67871827e687cc1fe155c126c6436a96454828a537cfa99b41921a34a6ac3ecbff97971d416

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
148KB

MD5
aa60b708ab3169ea88d0d64c9cbafcc0

SHA1
01629845faa67e410317782252cb1ff4bf82209a

SHA256
455acf1d895ed972bf6beabffe490e556409cb54012bac6f918b6e0fbbc660bb

SHA512
defe9ea1b54baffd48288108ec9230c3a8b150ffcb299c7bb50022f0fbd357a63aaaccfd65b3de63a2f651a8e33c108a7250bdd6cfc8c4146e3e7929d8061d0c

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
148KB

MD5
6750e9b74c7da1c4cf3831f044b7a9b3

SHA1
ad834e15c900364a2adf85bfa476210b30e2d62f

SHA256
34b6fc1a01bc43a1cb7d68e573854b8ee0097b10a6f09a61dfa47649652f7df9

SHA512
b88677c0981dcf1f408f8be6243ab25de76c1d59e47ddbe06c100125deaad0d87cc0d485080d6f4e73013d28d8f4e2a9213d7e243849b02eda53c9ff546f456f

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
148KB

MD5
1bb812768a7e971bb58668ceb8ebd299

SHA1
d55006822cee7676cf105787d1b78bdfccb84eae

SHA256
c31af461bd8b4935caef41a4ed8933410569f13ba44abc26e13250f1624b8164

SHA512
b95ce853c31de1478e49394b891cbd0938b56b6b2a3deca2cbbe421916b027668850ec623bd89dd1dc124d63957e96664d986cde12c36c25f35c3d9e80d7d581

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
148KB

MD5
d6b249ea19384cec6e412259832a175c

SHA1
4a4805f4c197794fac136ae4afeac64b40703929

SHA256
8f6f944667175e22148f02068f3d2424075d5a3827d6c5ad0dd9f9f3c729b73f

SHA512
8feac5adecb3343ebf10ac75fb50947f91a170b76dfb58f95487a76b2c5c39c8d8601e776ac7d53f8c27fe94030edb85fb32f269221791cd0f98dba472b93b05

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
148KB

MD5
cf2688c4c0352bf2b3f317bb54b77a65

SHA1
7945a8c70e03bceb7c6706886cfbf7bade5c6af3

SHA256
132e4c84527bffd184ba55eca393a2a0f1693117b02751bb766eb72490346517

SHA512
b5daee2bed84c74cdedfcf50a810c7f67450cf85d8972c07548a4400cb834a42bd7eb6dcd2761509d863a012bef60708407e15869038a0699751eb6ad6c76745

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
148KB

MD5
741f2b6483a1774719350e091c3d905e

SHA1
84b411e039192aa2948c4856fe66593578f9b432

SHA256
ef21f832461f08ea01799b724e1a7a47141dc3685e4ac0345b60d64b2f9ca1d9

SHA512
453fbeb0898dc4a63f10be79d267a06a64a5f8d9777adcaae87e8d7ed4b3d310236ea33c52ff21513655487a3119df1120b320d708db6b8bf2b86678360837cd

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
148KB

MD5
54b7a06d0f777adaa6163139e43c47f8

SHA1
5540732205252f8a056b8a8bd01f48326da2069e

SHA256
84e0c04df9dfce532bcad2fddc99ea48a2ad6f4edff7bcc9e2acda6d9d1478aa

SHA512
ea849d2bb160311de24ed1c49d13107c456bf74fe3e878f613270e84b58d743c7a02e06da7b638dc7fc5a71e7edf6246f97b3e6223ecc41632f87446cece8e3a

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
148KB

MD5
e2085c631d59866b859878c8619d806e

SHA1
15f7fe1fdafcc1e57106b799af63b16cec8bca3e

SHA256
a00f42dcaf73d96eb3b40d8a51c559bdf4c9ef38963052681c3d427a5f2342ab

SHA512
9cde87e2523efd1468f554a31147481c5fa5cbfa42b7d5e90c08c30e6ee78d53ae24885ce50a5fa9c01cca12105b3c1fdf946a787b91166894b25665fe8243c2

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
148KB

MD5
e17944cc55ab23547aafc4ba53f12dca

SHA1
6af1f17826ebc0903f27031f29d031662041a059

SHA256
c575f94c19ade10fa0c412dc1cc019f020a8f234f6b7eedb06cbc9cbfbb8dcbb

SHA512
bbc0fcc7a3037e5d90fc3484e3d00bc01c72eb75682ddeffc350c601328fca6bca23fd65d165dc206279036876c3f4d193442ece71fe76eb823a129a962ebac7

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
148KB

MD5
3445b56a6f9ed950b66c6ed3d11f0569

SHA1
1619ea8aee62924ad3dd7d4b959fdb3b19526646

SHA256
e7cadf86c8b30bc556f775cd3eea9eeb670349ed1abb89912b86346f478115e7

SHA512
c5ef686ec2a732d7e61d5206943e0e8581f0b5aec1da309a71f17dede03c0853448d3aac33d86d5bd03a8926bb2212679ddb567d202f06c2395b84917857fa7b

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
148KB

MD5
e80ea2fb5d5669f1f642ce470d23ce27

SHA1
46a43d03650c37593c9aebdda770adf0432a783f

SHA256
1b6b68b7d8b6dadb17eeb10a5d9beaaa2e47d10aaae373101493b1cdefb80b02

SHA512
740750cc5d64fd23e9a842b90fc4be9afd735b89f79994cf44c3a4dfdd7d3d86d34688b8329ae3be23d4677e432617bd54440b552399f58e0424b9709083db12

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
148KB

MD5
704c6fe7fcea3f9d2b3633fd7db1cbf7

SHA1
d1fa395b5edf6c343645a93d0334cbe2fcb65bd3

SHA256
85f0f0d9f12332807429336f0b5f0ca3b8ec4c5e06ec420daf20a5ea39c845c9

SHA512
abc1f985b8e1576eba53e0e3e8f490fb0357493fa650b01915a144d5e9026e012072401b64bd09a5bc8acd582348f671235190bad995ab5f4b5f634685e1ba2a

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
148KB

MD5
d07c2aaf17491f77d2c0e3079eb260b9

SHA1
a5ad0ea5440478a536561fede2856dd5bd2a5657

SHA256
d1c4a35a50903ac8817f58ca1280e0e8b71263de96d53a59e999c03dbe37cd9c

SHA512
7ee3f801018ecb36d9845012f957965086ce48f8ac0d6cb8d411557e0e72ef04c780a9593b12471f371592e3d38d69c1e841cdfccc4ed744c5e18d020b2914f4

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
148KB

MD5
ba5d21bf75442b7905f2ed9dcc3fd192

SHA1
d886b7d832b633df50802f7287fdf6d432f5121b

SHA256
2789ad058003fea88b955497a13e339d61c6794255e2648031e1b22309e56f63

SHA512
3f8ddf4c2b5faf84814c5f21ef41ff799ca31bd814fee3882216a58aab9464444213ec62f57d6a505c98f291ca4ba1f9c7365b0b83c96d692224ae12ccd003a4

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
148KB

MD5
52367f5a99c5bfb9f7796f0b8bb7f238

SHA1
ef7a509576fe71707911bbbf2458c86ee8ffeb99

SHA256
aad87bc5f79e90100bcea79b57ea2425e405a7ffe75afb73d6587deb98b28272

SHA512
0ee41d3ab0a2d82ce3fa0b52c50eec8b9617c61b2b30d9997784dbdc196e608e37297c639db1b9961fd21e1c0592a0b6f4fb8f7c71e6972a71b12f3d12c6b204

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
148KB

MD5
7006aec83f091e8400c85996e00b4785

SHA1
8cd7f91b6a547e0f5242f2f8c5b706945c5b44d9

SHA256
22093b557db53646b8aae22863f55f4fa96aa8f45b346d3629fc926b261715cf

SHA512
6b368bcce33dc6ccf7d3e526efd72d8a9ede7e3124a3e78819d687d4e34c9a2a7bbb6164b23822442da8fa3cea9941fc959c7b16aade5b8db79792f2a2b143eb

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
148KB

MD5
560c77b08818991acc234915703bb18d

SHA1
c077d597035011e4e67744ed2cb57bc7755cc161

SHA256
4a2d3c0fabb74f773d2007d7062b305bac26c886abbf9b9fa4f781d54edc68a2

SHA512
cdd1dc44202a94a61e6bfee5faef3c7d49fbdbc2a07115e34c517f8141d29b1bd8ea1634fb16a2db366b0a7a670a12c55b720bb035c7a0dc3e8f3c6163a1cbcb

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
148KB

MD5
8e74da6032aba08dc3b31f6e0971b2d1

SHA1
4bf17d6635022970f508662442f1d5cd4bbf7ab7

SHA256
8827f01b4fa45dbcc04dff1435c075fb13527fde91b11ef52f775ae94489f688

SHA512
30f640ce622bdaf48d5cb0dac34ff75c5cc2adc2c9dd67f824c6c6cebea7db18f0b406798ad6ee7191b35be20c35e9a225579cf6d3b10ae99b7da2f0fb55a55e

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
148KB

MD5
686b010795e6ead7ce9e47af0b97a28b

SHA1
c459545852b0a9823ce7935f4f7b95cae2865c02

SHA256
09663532f9c9d3600d4ed06cc4c269fe4bae3c502acb14c49c5c8a706808376d

SHA512
146c2f72603c7d663dc3de542c0b6a95832450203932e2fd2134d64844dd97b77dc3daadb5bb81d23bafa2cb0a80bfea53c6c94a2a3fc2a8144661517a79acd1

Download Submit
memory/116-1171-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/400-41-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/400-567-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/408-337-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/468-580-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/468-57-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/520-233-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/640-397-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/676-257-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/756-349-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/888-161-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/960-331-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1012-424-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1040-272-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1084-518-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1084-1107-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1208-361-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1292-543-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1292-1098-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1312-302-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1316-253-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1328-1106-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1432-414-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1488-379-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1496-313-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1596-408-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1616-473-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1616-1122-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1852-499-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1928-644-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1928-137-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1960-385-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2000-176-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2104-89-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2104-606-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2160-193-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2204-484-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2240-153-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2240-1222-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2252-490-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2272-599-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2272-81-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2304-185-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2448-531-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2488-581-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2516-626-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2516-117-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2680-561-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2680-32-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2684-149-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2704-343-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-209-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2976-437-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2984-1158-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2984-367-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3000-129-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3112-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3112-530-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3112-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3156-455-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3312-169-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3332-1185-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3456-355-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3492-280-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3552-324-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3588-1242-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3588-593-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3588-73-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3600-507-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3620-568-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3724-21-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3724-549-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3800-443-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3836-426-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3952-217-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4012-96-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4012-613-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4048-395-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4060-632-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4060-1230-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4060-121-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4188-453-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4316-1200-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4316-241-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4652-9-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4652-542-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4740-1243-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4740-587-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4740-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4748-524-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4772-467-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4772-1124-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4780-225-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4796-1210-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4796-201-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4820-373-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4840-314-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4924-559-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4924-29-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4940-1190-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4940-275-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4952-1248-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4952-49-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4952-574-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5016-619-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5016-104-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5056-293-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5076-1125-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5076-461-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5180-1081-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5220-600-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5264-607-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5292-1002-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5348-620-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5376-982-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5432-636-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5512-1066-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5556-1064-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5652-1020-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5724-994-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5924-1046-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5968-1043-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5988-1009-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/6036-1008-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/6096-1037-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads