9007c6cabc2389bb01ffb294c73b67e3346a407c878c9baae68243abc8449bc1

Analysis

max time kernel
143s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9007c6cabc2389bb01ffb294c73b67e3346a407c878c9baae68243abc8449bc1.exe
Size

161KB
MD5

b3938018a3dbff51119c833cb1c823c8
SHA1

1907475fddd91cdc22321084a894cd81a0e64711
SHA256

9007c6cabc2389bb01ffb294c73b67e3346a407c878c9baae68243abc8449bc1
SHA512

17344a67bad11c031d633ec75c55b6060383347c9ea23915c4c7b79a715d0eff4f5a53ca3129bf914076fd2d9e6f2949958f78a3ec267afc3a6ae031d9fb29d5
SSDEEP

3072:fMhKForjarifGZJg0EHrQkRVwtCJXeex7rrIRZK8K8/kvV:fIFPaI0/kRVwtmeetrIyRV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blennh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clihig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9007c6cabc2389bb01ffb294c73b67e3346a407c878c9baae68243abc8449bc1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dabpnlkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlgdkeje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhgehi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coojfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cipehkcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Diihojkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dabpnlkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjmoibog.exe

Executes dropped EXE 64 IoCs

pid	Process
1980	Behiln32.exe
1324	Bhgehi32.exe
4632	Boanecla.exe
3364	Bbljeb32.exe
1968	Bifbbllg.exe
2792	Blennh32.exe
3992	Bockjc32.exe
3732	Baaggo32.exe
2028	Bemcgmak.exe
3720	Bhlocipo.exe
3420	Bpcgdfaa.exe
4176	Bbacqape.exe
3156	Badcln32.exe
2916	Bikkml32.exe
1624	Chnlihnl.exe
1892	Clihig32.exe
5084	Cohdebfi.exe
4996	Cccpfa32.exe
3516	Caimgncj.exe
2400	Cipehkcl.exe
2228	Commqb32.exe
3216	Cibank32.exe
4004	Cpljkdig.exe
2300	Coojfa32.exe
2352	Camfbm32.exe
4580	Coagla32.exe
4064	Capchmmb.exe
4432	Digkijmd.exe
4652	Dabpnlkp.exe
4368	Diihojkb.exe
2924	Dlgdkeje.exe
1068	Dephckaf.exe
64	Dpemacql.exe
2872	Dohmlp32.exe
2340	Dagiil32.exe
4564	Dhqaefng.exe
4872	Dphifcoi.exe
2172	Djpnohej.exe
4976	Dlojkddn.exe
3632	Dchbhn32.exe
4972	Ehekqe32.exe
4660	Eckonn32.exe
2336	Ebnoikqb.exe
4644	Ecmlcmhe.exe
4400	Eflhoigi.exe
4620	Ejgdpg32.exe
2908	Ehjdldfl.exe
3908	Ecphimfb.exe
4164	Efneehef.exe
3936	Elhmablc.exe
4936	Eqciba32.exe
2280	Ecbenm32.exe
3692	Ebeejijj.exe
2164	Ejlmkgkl.exe
3192	Emjjgbjp.exe
4148	Eqfeha32.exe
2176	Eoifcnid.exe
3628	Fbgbpihg.exe
4756	Fjnjqfij.exe
224	Fmmfmbhn.exe
3332	Fqhbmqqg.exe
2576	Fjqgff32.exe
4616	Fmocba32.exe
2904	Fomonm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Blennh32.exe	Bifbbllg.exe
File created	C:\Windows\SysWOW64\Fobiilai.exe	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nbdgmn32.dll	Bemcgmak.exe
File opened for modification	C:\Windows\SysWOW64\Cibank32.exe	Commqb32.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Clihig32.exe	Chnlihnl.exe
File created	C:\Windows\SysWOW64\Cpljkdig.exe	Cibank32.exe
File created	C:\Windows\SysWOW64\Emjjgbjp.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Gogbdl32.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Jfifijhb.dll	Coagla32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Iindogea.dll	Camfbm32.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Dhqaefng.exe	Dagiil32.exe
File created	C:\Windows\SysWOW64\Jdmaid32.dll	Efneehef.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Chnlihnl.exe	Bikkml32.exe
File created	C:\Windows\SysWOW64\Knceql32.dll	Dhqaefng.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Onkhkpho.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Boanecla.exe	Bhgehi32.exe
File created	C:\Windows\SysWOW64\Imbjbq32.dll	Bifbbllg.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fodeolof.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Ecphimfb.exe	Ehjdldfl.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Emjjgbjp.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Efneehef.exe	Ecphimfb.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Fijmbb32.exe	Fjhmgeao.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7784	7668	WerFault.exe	303

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Coagla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdgmn32.dll"	Bemcgmak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einnhi32.dll"	Bpcgdfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfcpdf.dll"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	9007c6cabc2389bb01ffb294c73b67e3346a407c878c9baae68243abc8449bc1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bemcgmak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bockjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlgdkeje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhlocipo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjdddho.dll"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnkchm32.dll"	Boanecla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ifhiib32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 1980	1564	9007c6cabc2389bb01ffb294c73b67e3346a407c878c9baae68243abc8449bc1.exe	88
PID 1564 wrote to memory of 1980	1564	9007c6cabc2389bb01ffb294c73b67e3346a407c878c9baae68243abc8449bc1.exe	88
PID 1564 wrote to memory of 1980	1564	9007c6cabc2389bb01ffb294c73b67e3346a407c878c9baae68243abc8449bc1.exe	88
PID 1980 wrote to memory of 1324	1980	Behiln32.exe	89
PID 1980 wrote to memory of 1324	1980	Behiln32.exe	89
PID 1980 wrote to memory of 1324	1980	Behiln32.exe	89
PID 1324 wrote to memory of 4632	1324	Bhgehi32.exe	90
PID 1324 wrote to memory of 4632	1324	Bhgehi32.exe	90
PID 1324 wrote to memory of 4632	1324	Bhgehi32.exe	90
PID 4632 wrote to memory of 3364	4632	Boanecla.exe	91
PID 4632 wrote to memory of 3364	4632	Boanecla.exe	91
PID 4632 wrote to memory of 3364	4632	Boanecla.exe	91
PID 3364 wrote to memory of 1968	3364	Bbljeb32.exe	92
PID 3364 wrote to memory of 1968	3364	Bbljeb32.exe	92
PID 3364 wrote to memory of 1968	3364	Bbljeb32.exe	92
PID 1968 wrote to memory of 2792	1968	Bifbbllg.exe	93
PID 1968 wrote to memory of 2792	1968	Bifbbllg.exe	93
PID 1968 wrote to memory of 2792	1968	Bifbbllg.exe	93
PID 2792 wrote to memory of 3992	2792	Blennh32.exe	94
PID 2792 wrote to memory of 3992	2792	Blennh32.exe	94
PID 2792 wrote to memory of 3992	2792	Blennh32.exe	94
PID 3992 wrote to memory of 3732	3992	Bockjc32.exe	95
PID 3992 wrote to memory of 3732	3992	Bockjc32.exe	95
PID 3992 wrote to memory of 3732	3992	Bockjc32.exe	95
PID 3732 wrote to memory of 2028	3732	Baaggo32.exe	96
PID 3732 wrote to memory of 2028	3732	Baaggo32.exe	96
PID 3732 wrote to memory of 2028	3732	Baaggo32.exe	96
PID 2028 wrote to memory of 3720	2028	Bemcgmak.exe	97
PID 2028 wrote to memory of 3720	2028	Bemcgmak.exe	97
PID 2028 wrote to memory of 3720	2028	Bemcgmak.exe	97
PID 3720 wrote to memory of 3420	3720	Bhlocipo.exe	98
PID 3720 wrote to memory of 3420	3720	Bhlocipo.exe	98
PID 3720 wrote to memory of 3420	3720	Bhlocipo.exe	98
PID 3420 wrote to memory of 4176	3420	Bpcgdfaa.exe	99
PID 3420 wrote to memory of 4176	3420	Bpcgdfaa.exe	99
PID 3420 wrote to memory of 4176	3420	Bpcgdfaa.exe	99
PID 4176 wrote to memory of 3156	4176	Bbacqape.exe	100
PID 4176 wrote to memory of 3156	4176	Bbacqape.exe	100
PID 4176 wrote to memory of 3156	4176	Bbacqape.exe	100
PID 3156 wrote to memory of 2916	3156	Badcln32.exe	101
PID 3156 wrote to memory of 2916	3156	Badcln32.exe	101
PID 3156 wrote to memory of 2916	3156	Badcln32.exe	101
PID 2916 wrote to memory of 1624	2916	Bikkml32.exe	102
PID 2916 wrote to memory of 1624	2916	Bikkml32.exe	102
PID 2916 wrote to memory of 1624	2916	Bikkml32.exe	102
PID 1624 wrote to memory of 1892	1624	Chnlihnl.exe	103
PID 1624 wrote to memory of 1892	1624	Chnlihnl.exe	103
PID 1624 wrote to memory of 1892	1624	Chnlihnl.exe	103
PID 1892 wrote to memory of 5084	1892	Clihig32.exe	104
PID 1892 wrote to memory of 5084	1892	Clihig32.exe	104
PID 1892 wrote to memory of 5084	1892	Clihig32.exe	104
PID 5084 wrote to memory of 4996	5084	Cohdebfi.exe	105
PID 5084 wrote to memory of 4996	5084	Cohdebfi.exe	105
PID 5084 wrote to memory of 4996	5084	Cohdebfi.exe	105
PID 4996 wrote to memory of 3516	4996	Cccpfa32.exe	106
PID 4996 wrote to memory of 3516	4996	Cccpfa32.exe	106
PID 4996 wrote to memory of 3516	4996	Cccpfa32.exe	106
PID 3516 wrote to memory of 2400	3516	Caimgncj.exe	107
PID 3516 wrote to memory of 2400	3516	Caimgncj.exe	107
PID 3516 wrote to memory of 2400	3516	Caimgncj.exe	107
PID 2400 wrote to memory of 2228	2400	Cipehkcl.exe	108
PID 2400 wrote to memory of 2228	2400	Cipehkcl.exe	108
PID 2400 wrote to memory of 2228	2400	Cipehkcl.exe	108
PID 2228 wrote to memory of 3216	2228	Commqb32.exe	109

C:\Users\Admin\AppData\Local\Temp\9007c6cabc2389bb01ffb294c73b67e3346a407c878c9baae68243abc8449bc1.exe
"C:\Users\Admin\AppData\Local\Temp\9007c6cabc2389bb01ffb294c73b67e3346a407c878c9baae68243abc8449bc1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\Behiln32.exe
  C:\Windows\system32\Behiln32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\Bhgehi32.exe
    C:\Windows\system32\Bhgehi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\SysWOW64\Boanecla.exe
      C:\Windows\system32\Boanecla.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Windows\SysWOW64\Bbljeb32.exe
        
        C:\Windows\system32\Bbljeb32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3364
      - C:\Windows\SysWOW64\Bifbbllg.exe
        
        C:\Windows\system32\Bifbbllg.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Blennh32.exe
        
        C:\Windows\system32\Blennh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Baaggo32.exe
        
        C:\Windows\system32\Baaggo32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Bhlocipo.exe
        
        C:\Windows\system32\Bhlocipo.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Badcln32.exe
        
        C:\Windows\system32\Badcln32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Chnlihnl.exe
        
        C:\Windows\system32\Chnlihnl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Cohdebfi.exe
        
        C:\Windows\system32\Cohdebfi.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Caimgncj.exe
        
        C:\Windows\system32\Caimgncj.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        24⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        28⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        29⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        35⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        39⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        40⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        42⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        43⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        44⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        47⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        51⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        53⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        56⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        57⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        59⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        65⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        66⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        67⤵
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        68⤵
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4708
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        70⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        71⤵
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3428
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        73⤵
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:428
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        76⤵
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        78⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        80⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        81⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        82⤵
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        83⤵
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        84⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        85⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        94⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        96⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        97⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        99⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        100⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        101⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        102⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        104⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        106⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        107⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        108⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        111⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        116⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        117⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        119⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        120⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        121⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        123⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        126⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        127⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        128⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        129⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        130⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        131⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        133⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        136⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        138⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        139⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        140⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        143⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        144⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        146⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        147⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6436
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        152⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        154⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        156⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        157⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        158⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        159⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        162⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        163⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        164⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        165⤵
        Drops file in System32 directory
        
        PID:7084
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        166⤵
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        168⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        169⤵
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        170⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6380
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        173⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        174⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        176⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        177⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        178⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        179⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        180⤵
        Drops file in System32 directory
        
        PID:7024
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        181⤵
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        182⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        183⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        184⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        185⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6572
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6736
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        188⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        190⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        191⤵
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        192⤵
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        193⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        194⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        195⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        196⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        198⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        199⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        200⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        201⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7280
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        203⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        204⤵
        Drops file in System32 directory
        
        PID:7408
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        205⤵
        Modifies registry class
        
        PID:7456
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        206⤵
        Drops file in System32 directory
        
        PID:7500
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7540
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        208⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        209⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        210⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7668 -s 412
        211⤵
        Program crash
        
        PID:7784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7668 -ip 7668
1⤵
PID:7756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baaggo32.exe

Filesize
161KB

MD5
417fd1f73a8e3d1f0171f948406925c8

SHA1
dc12c5defa0b0fb9db878581a4c5d8ac4f2803b0

SHA256
432f2b4d9f378877a54cb101e1a96a632427d301acbf12fc13dc378f2d051da5

SHA512
1fc781a3ddf18dfc828bc0015ac28ff306c626b05fbc43a5c34d3587adf29657cb00ab205472ab0a53e79a2004848856e64d209531fc33a2430333c8beadb73e

Download Submit
C:\Windows\SysWOW64\Badcln32.exe

Filesize
161KB

MD5
ba95b3a3e50da5db22420b3d7ed6de10

SHA1
afa4957fdfe7dbf4c77c46647bfcf6a66c78cb53

SHA256
ebed68d89f3a5df2da734589f31b5596a5bc9901a80333152fafde4ac29a5b68

SHA512
e0a59778a5f162889f6d5819d991c7805e038a670999c51ef1ee76e1bf8c232ab9d0ad033ee8c16a24029c638057d84504794bb8177e41c82c45b36a053e1436

Download Submit
C:\Windows\SysWOW64\Bbacqape.exe

Filesize
161KB

MD5
0fe98193abdab7549618dddd0b9802ad

SHA1
b75c6ce44ec606e9a5b2cc1763624ac7f91feca1

SHA256
7c5818a7c27425b02797db5209d0bd65bdb2857921b3749f2938612ddd3056a2

SHA512
d1428d358457f3d7ef3e9349f8bff28c339aeb38a40be699c6c687d9d381e50f8e958bf1c9201d28785777dbac0f7b4990411ec377ad618177cb347c33161ded

Download Submit
C:\Windows\SysWOW64\Bbljeb32.exe

Filesize
161KB

MD5
5cfe9f0adea4c8d2333630d9f690d745

SHA1
25f95390390321fa0bb1b9270f638be1da8db5d0

SHA256
57b3670f0e6ae6838e4997316690ada286f12041c5371de19d9a26f6766b5bf4

SHA512
0c6da67251a9476c0b1f353727ee656b59d1ed2407f70fb05c2fd9a5afcf31018a0543147e20a4db33c049586f9038645041bdec082763fead79d697c81ff5c5

Download Submit
C:\Windows\SysWOW64\Behiln32.exe

Filesize
161KB

MD5
ed75f08b4d2ff196e49a934b417d2f53

SHA1
404b9ec293d8ada86d820b53fb14884a0538139e

SHA256
6494e51e9b660222e0226962c3937be406597969e46b87af0b8193e398d9aba3

SHA512
7da059540a7b2f2c2e640b7ddd72f4d98e467d7921b0bb26da9cff3ffd45348ef60d7d61cce1752ee1031489e29a462878c9c2256cd2062dbe449d24c3b552f2

Download Submit
C:\Windows\SysWOW64\Bemcgmak.exe

Filesize
161KB

MD5
040092450f19f5405cb16a86b2c4ec4a

SHA1
3d6f859c0c8d456eaf5fc29872a118992643da0a

SHA256
0ac6d6c33e78c80dd6c92cf63b2854fe91ea9577a75e820d5f139e3287a167ff

SHA512
a7c1972eb53a2462cede6d4dbc91e02aa93e4195cc2475ec85d4f31f4396930baebc111cb702df0250f77c3b49585d4aeae1f46d9916c7dbef581cb5fd987611

Download Submit
C:\Windows\SysWOW64\Bhgehi32.exe

Filesize
161KB

MD5
a97e6fd9b51ccec9deaca99c6301b182

SHA1
b96dd02429fa205889359ea6bd0aef7792f633e8

SHA256
f584185203f57262a00d0cdb2a7d19d205f48088bc1635689de9a03d43283bfa

SHA512
669867bd13a0fbf4efdd420fecab711c8b83a907512e1563fd87cb86c601c0328172188875deb92686ace869c085b72d28a72c683df28212246a95b2017ff84f

Download Submit
C:\Windows\SysWOW64\Bhlocipo.exe

Filesize
161KB

MD5
0448004d58bc938fee3133d927eda3e1

SHA1
9608f7a5433d53083e1bd551b40086ba547e25fa

SHA256
024f14c024af244a870fece124b6047da11573acc37715ff396d77cbb9a282ab

SHA512
f90e0bfd4f81521cf8ba76d9b252f4dc1c89bc2ae45ab1f2a84dd1b8da39c0cbd7061cf51ea569518f0980a9836cf6905be57bf29a71cf6ce38c9e4ad4d44538

Download Submit
C:\Windows\SysWOW64\Bifbbllg.exe

Filesize
161KB

MD5
2ce2d48f8a1fffc79e03ab1011f15bff

SHA1
c91e3e154e500897b3b0ace938c3f87687d55209

SHA256
8f81faa5f2d27c133dccf3f3d61acee655eea94fa7be1c352684e928fe3b0f39

SHA512
c7b93dba0c864b42456a5b48e9ad7f5fecfcf35c7da227d15c626cd16b6ee978748a002cff09f1402c71db2d3e8a4a68630803c6cf369fa6bf0789edc0adab93

Download Submit
C:\Windows\SysWOW64\Bikkml32.exe

Filesize
161KB

MD5
54600d7e7b7daddf1eef23a9659c45b2

SHA1
a2310ce050fa486a142728d34a2dc077988212ee

SHA256
0665f14626059e30f7ac9279f254ac57ce4ed83b0fd5845798d56804bf5afb9e

SHA512
9a38b1639ad85249d5a94faa1cdee355693bd6c0d0b2169f7257d6334141708f446b999252ce1a519e2d1a78e0c408e748f2551371f5e386ed52839c306917dc

Download Submit
C:\Windows\SysWOW64\Blennh32.exe

Filesize
161KB

MD5
ac71a702e9d9808d1c72b287033a706b

SHA1
e6414d1f3d009d0aa8e806c8c80e35eb19365cc3

SHA256
3750837e1e9ee5df3ffe14c2b317837bae00227503b1a341546f9ffe13cf8ee1

SHA512
92bd68973477296eca09cb320cbfcb4fe0d8c503adb2103eb7bb5d25d3a6fa6eae8ba3a7413b4fc1d6926bd7c195ad32089bbf9142e0461ea48f91de984a4456

Download Submit
C:\Windows\SysWOW64\Boanecla.exe

Filesize
161KB

MD5
a6797c9652edc3674f4cb0094b808b13

SHA1
5d4d65f76b8d9d0073255e37ea5df94cbda1ef47

SHA256
788ce51d6fdb8eb63b836b67797dd69ccaa807aa5fc774d6a87da3f040edd272

SHA512
5a9072c4f763073609e1c3ee2ef6f881b052372ce0a6d9bf00549c03732e98cf3a647fd92bb00ee69502b96a0892e5a064b387afb48d92a38fae57abec253d9e

Download Submit
C:\Windows\SysWOW64\Bockjc32.exe

Filesize
161KB

MD5
cd6dd5a3a519fa4b8046b5f0486846f0

SHA1
25cf2e20cf7ea76170dbe9d4e3869568d1a48ad1

SHA256
3266ed99a6ab03b2f848f96a1a3d193cb38905284d690ffeed08d0297271efab

SHA512
d4c574b3c4347b42848ff8f9d43950c9f501fd80a5c810d6201007602d72bf42291c2bbcf2a2a0436ae742e4b836acf2f720516a056007b6a49902daf34fe1ea

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
161KB

MD5
5e9e701cb981d58ca1158a819deedc4d

SHA1
9c60f395af200e44363e99208672c081e396e590

SHA256
77d020076c4eb63d7d65e10fe99589259bce9c50b63426e8a949802b34134447

SHA512
9c1f66db7bbe29e48e05c14268c929210d1f7f2f533ff159e5d76875f4be72bc7087f9cd4aef46fcee42fbb8671f00b1c77b4ba059e4e48834db36d86ab4b2bb

Download Submit
C:\Windows\SysWOW64\Caimgncj.exe

Filesize
161KB

MD5
8d09b6312f617813fed537868a8d218a

SHA1
5dd6b8d0df92d97062876e5c8a8376bf00e709e3

SHA256
383f20d99d567c9fdeb00a771101ec08a839b6403e99e89923439f1dece40e17

SHA512
d9d40ae10a8b13e00da5c1ce95a091c4fd6335b11fd14c6ffe758be5e1a10c0c9d406f7dcb69b9edc35562fcbabf3307f2f13abac7963fbea3eb1c6e93eb4d33

Download Submit
C:\Windows\SysWOW64\Camfbm32.exe

Filesize
161KB

MD5
1a9bb622b29c26a0723337039df53372

SHA1
d9f1a6292948f478369bcfb6f2313276e4e5f33a

SHA256
7075a9534f7952f9186df3cfadb8f6120e575866f6d5da1a443457060805bdb5

SHA512
daadbc6e9a0bf54ee020a2ea5f19991fa552aef8e2be9d088067621f7318d894543637a64a33d25c7fd4b8f49811ccfe6007981c7721ee7fc022262952c3405e

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
161KB

MD5
4eee038a340f4b870ce0e21c50ef0ba9

SHA1
3b492e3ada1983494a5d326fe6fc81e42e1d9f35

SHA256
8400660c2eff370dc04bd9fb882b39ec7449cd41bc75a63b7ad89d54a4b7b6f1

SHA512
7cbea9daec94655601e241bd156308a5060d4ee6cc64b4e31795fb2c4eb28fffe2cb311f0c7c0dcf33fe8e9c2b2101708db0833e6f9d0a5d0bccf80eb709f479

Download Submit
C:\Windows\SysWOW64\Cccpfa32.exe

Filesize
161KB

MD5
51687db2b5cd6078b42aeee4f6c382cf

SHA1
a15ba583af8f62469e24371eff84638dcf1469ec

SHA256
62bef48ef01c38a862e3a264839ea9006113b1aac7ca89d4b889725283cb57fd

SHA512
859531c26cddb3992e6877efec88a0ddb0fb8dd6cbf3b06ae88243fa8fb1f270a2ba6aec9a507ca0a423c105fe86d213a75cab57ce5751b1cac8f61fc616ccab

Download Submit
C:\Windows\SysWOW64\Chnlihnl.exe

Filesize
161KB

MD5
e0f1df832660c6e7b8aa5ee0f97b501c

SHA1
89753bf89b6266ced81eacaeef96a7c18dc7148b

SHA256
2e193d77f0965144ad7adf3141fb437f77fd08037fa575c5c1fdd272198494b2

SHA512
d5c0b93ed55e5ee07cb51dc90ba7021bddeb7a1afebbadaaecfc9e73d438549eb1a765c3736865c512ce70e4a9839115fafee4afe28ecd7760d04b2c473e2118

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
161KB

MD5
5ad0d457458c805ca8665b15a36f9df8

SHA1
eece1c602f6c99ce7e36592760aaff729d2ba440

SHA256
381e040ef70ed18c590b9a38eac0b1ced7e9cc786bcf010423ef746c1f0b9980

SHA512
b5c3b575df82ba5493b52c515fe855c6fb2bbc8e504306e393a9342cfe244d19440a66b070edfd8d1b9583d28819867df35439292b30ec13b1174598f60fcf13

Download Submit
C:\Windows\SysWOW64\Cipehkcl.exe

Filesize
161KB

MD5
b0c1707f8f869f8b6b6e9edd3608b760

SHA1
3a452f05e3629fff10593c242da2090cdaf1d52b

SHA256
7e7e0b667349b73f0dee5a99c0c3d1147071a6c801a16ac6b85a0ac3c0e41e89

SHA512
a39b0bb2220f1fa5966b531092d77245639692177873c13e32ad626db85388501cffad735064cde6393e8b3b6633e5ae28a2af072603550a3d1b3c51d3967621

Download Submit
C:\Windows\SysWOW64\Clihig32.exe

Filesize
161KB

MD5
ebe2e3a83267cd8103e036cf608c4c53

SHA1
91b1d3d0a9c9b96d882af6c5aa499b541e914478

SHA256
4c585e7180ae559326481837d81871c9d99a4a27fc631710fb94c6f5faca9d9d

SHA512
f28522efdf75824996253a68a38d408c4f88ec5c478dae975537a59ccd673341fa9a2503ecacf622edc57531fd34eeee1a830f1910f5b03edc287f85b2d7fb0e

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
161KB

MD5
bef1a3dfbcd53ba8fe0a6d38592479ac

SHA1
a855dc07a4c641a5d376871013e55f4cb2f55f55

SHA256
de036294fb1bf833cdfa3d9007f8eef9ef445c34c3952bce9b9798cafee9a1f5

SHA512
aaf205a6880fc65b97ad21baae1028173d4b190f668750a7b323834a161dc603ae47ee961ff37fb6455c63baadcc09530246c1423ed844fe8788a31fba7d8632

Download Submit
C:\Windows\SysWOW64\Cohdebfi.exe

Filesize
161KB

MD5
602622582724ae2a08b65c01065cbad3

SHA1
fc84edb546e8cc346cd2e064c0c19c6f341ffeb4

SHA256
a96d4292092867df473e11b52c5363360168bf7fed82dec201b7b20e1bf48e20

SHA512
fe8e9f9c4eb9eafd5ef7bafba2a93f1715d9062e78c6f169f82cafb346ef326cbccc2be16aa6065aac1574186b3d835c54c10b3521a1f7250d5336016191d628

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
161KB

MD5
b73f790ee2c14b7d0dae70404ebba320

SHA1
e99c6d8b277bc8c3d6f3d7fe03b08c47d752f20e

SHA256
2bd0fb7a4520632f7c00ec09a302dc45545e446d293e777ff2bbd8bd65e55ff1

SHA512
130512d48110a4a7caa903b90a9fe3ec511ce521575f58ef381033449265d95cbcc0470c3083cc15402ebbbb1e48765b50b610cef2d1f2a866014781baefe611

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
161KB

MD5
0ac9ba42bd3013720ecc7b22ce140dc4

SHA1
55919446b192b5e35017aba3e06c51c64caa6780

SHA256
a9bb71f73b62d25b70d9ec005d85e86caac4cf3e144db3eb8e1754de2a5e2449

SHA512
ee0927f56b13989e4f86fa6e5e5bf8bce108da70d5b79a165150be7a5a289414aecc3e6e490cc1f29fea62c23c77cf53a4e1b12d65039b591d20e8cfdf5437d0

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
161KB

MD5
0f3ff18221757e330bdc853fe71618bf

SHA1
a0e2fd308ea1694222099c2618003d97b2535cea

SHA256
0c6a8084f01d4f88cd90c6bb22186ad5c6c2ec49e44c23a2de6826048b9f91ca

SHA512
97d824c7babff84c64c3ce147b7f1c246e41e26f8a734c1558269ab36c288e0214c6023271e2c608e38f608d531d5828f28339f6b08fcb439a791317e4f419f1

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
161KB

MD5
d7a0654cbc9eb5e11ede52ad3d387e5c

SHA1
70833eb3e9b78702460287557f147932093bef1f

SHA256
a9492d2518f393b90afc9a2377db4f41492705e688bd1da528b34f58df6c22db

SHA512
19eed072bdff3465fa46cb12511dafd4f32ef2d082544584abde0f4e40def9189b4eee4e67f897c4b9fbc2e60ad1c62fc2f4093cfcedb64076a8f9f94216cf66

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
161KB

MD5
43fb4839eded9f279ed0c65dfcf1c913

SHA1
9f7a3c5574fe6ba5cfee010d3d2a8f0816018d15

SHA256
18490f36ed470cc0395b7a708743f3d7d0648748d774fa5521c40eeb80809768

SHA512
2034cf51df8b778724febadfe5f0f60fdf562b1bf4bd4c683d1284b2f87d558c11629c1843cc5c37abb6b179f9fe89863f928220dd510c9987a31a8c524a8645

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
161KB

MD5
812cb0583b2be425e41cdc61f4739fa4

SHA1
f5511fb1e6a878de4831d895664ac3dbebd8373a

SHA256
9d4afeab0512b13b1956590cc194f9299b7cdf6489f018792ff420fd9fd9c9bf

SHA512
30d520b03d0ed5f40ee8b55e7a1ce0dabc31ed1af6d04f86b1e3852712bd380ff02d1dd33416436c94334736873a63975fa38d1278e70e70461b44e9adb81e23

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
161KB

MD5
ebe37bd22a27ce0f62eafe044b0a9ba3

SHA1
aab29840bb75e2325bf875e91a6b24dc2c7a3c33

SHA256
30e6fa718737e1751954f5343cc60237cf0406e6458678ec3453a53d3fe415be

SHA512
e7c6dd94a7a25df419b8bd76954b969b94713a4c77b6d65e1fbe7f5553591f00a59221458a1bd6d881ed7e87a4d5ab3de02e190fd074fe3dcbe571806ca261c9

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
161KB

MD5
7f0bb5f349486d8dc4dfb21c57f1884e

SHA1
7ce5d394c715e8eeb59027024023495c4fc72721

SHA256
aeff73a7018bd8c460488438e9cea532ce9f22f87acade2651b145d9524bc154

SHA512
98aeafd76989aed0a9de12f81ba8b1d9a6e5a3775983bcd719528ace7383da71986a81a55563246bf425cbd183bcd45d0043401f3a18e0ce5e775f99216d70a6

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
161KB

MD5
3b7353a1558c8689d9d4b7effde53f32

SHA1
1b9d3962f973c65e53404cb5ca597d04fcb77abe

SHA256
9e7ca4d0cb47401fff0bdeec8f7033edd1f9143dbc23c46d47973f538e45bc71

SHA512
470ae046f7765f499b2db24ee18574d8ce44bde4dd44a79ba62a84589fe74bc7f7cf158e612596228fc32007d87bee8347eb2e8584d237ebd35e189c93528563

Download Submit
C:\Windows\SysWOW64\Fkpjfn32.dll

Filesize
7KB

MD5
34e703aa8f4f86f31c11dac4941bd8d4

SHA1
b1a648b666ba2f4d253bafdf27b54952978bd6e8

SHA256
8da2871ff0fc19c6c4b130fc7f4e7b51fb9ac9ff56bc4287b11233749ee30498

SHA512
70d3d504c355cc6dfe472aca5c2b3aa43f92ed639d1fc49910bd27bfa8dfc43026657513c661b14815dd60b2ea1c5b7feb53b8344b8c23013d3d5b9cf9508c37

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
161KB

MD5
63e52a0933b4dfbe07f327a79b9e8f26

SHA1
17e9e22a9641c734c0bcdd79fc66d4f6cd781915

SHA256
4291b927ee419199c14a4468dc424da7e9145b04b6e71d71be0ce27ca79606e9

SHA512
b2ccf811261f52d74c31b10df642e567c994d5cb73721a4a4ba046f01d43b99395d1190ce3ad6dbeccf2c1b9fbd5c101e03afceef71510cedef8a966a016470d

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
161KB

MD5
29776f15e709cc64c005ebf064413f21

SHA1
f1cdbf3815e46a02cca43156b2d91bd0cef6fe97

SHA256
b92c1b412e3f88efbeb8b415ff696234ef1e05426a7f8548e473086cde014981

SHA512
c8a84aa6ec7e78672598d06a3aad8040594982951d33d2aea41d399ce69cc9ecb7ca9fa87aee884026a2f42afffa90124cf3e5e184e8c4773727c3ceedc2e203

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
161KB

MD5
0bb7935342b1313e0c96f8bb44b77036

SHA1
16e115cb44f1ce795e0d52bf9a5f325a42e887f5

SHA256
0961bf111e80aba03eb0c77dcb82a6290bbd9a4caf24ab6a25076c5996e6d876

SHA512
730b27c3e834bc279df3566012716c3bbffd9449fbf71b26c2244fd6aafebf755c3ea5a4d6f2221283126f9ed9f2839e4b00132aa8aff3741847f0a7ad50b031

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
161KB

MD5
6341277c0d61cddd088518ab9b568225

SHA1
4f0d23a5b9f1b0a4bf4c83718b72b6af7ef9d142

SHA256
bfe288036304e862c0cb5e10c6038ba57b657e1304c3b6042aebbafc2aee6992

SHA512
c5306173853d4643917c08b6051c6df2868e690441c53106762d09c35cd13e78ee97e9769d010db2e02614b955424733feefad80c41d7a19ea2f89c3fe6c3a8c

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
161KB

MD5
352367ffa9d4916189eb20c93e70dfb9

SHA1
7725d72cd369d1bbe4de844366ec55fde090449d

SHA256
f04beda478ae9427bdf2d7cb21caaa39379737aef3b72cc69ace4fdd78af4410

SHA512
45c0332d81f89e4bdd69ec49c467414a99b98a7fccf23fd6a9fa82ccdabc011eec16a6517da9cc0d9fd7d1f4b95975da1ef0d0fc5f89cf36475ddf3269cb2e92

Download Submit
memory/64-276-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/64-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1068-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1068-337-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1324-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1324-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1564-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1564-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1892-141-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-164-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1980-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1980-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-76-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-209-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2228-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2300-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2340-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2340-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2792-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2792-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2872-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2916-140-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-265-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3156-218-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3156-105-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3216-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3364-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3364-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3420-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3516-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3516-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3632-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3720-86-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3732-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3732-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3992-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3992-182-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4004-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4064-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4064-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4176-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4368-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-294-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4580-226-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4632-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4632-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4644-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4652-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4660-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4872-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4972-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4976-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-148-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5084-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads