bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 00:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
Size

64KB
MD5

b8d22f9ed899b1b5f96dd72889593ee4
SHA1

568483f92dc116a846735e5639b714ecc1bd0417
SHA256

bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098
SHA512

2857a9839e0f8f550b17f49652f62759e19547dd3977edcad6ccd26815eb830893b1f5b34a3074573eef370e7e6eb134b8aee7976888f82a063722c96561e860
SSDEEP

768:p+u8QoY1OHjkAfsKEAIa7mbMaVBMd3F18flVsa/1H599e6XJ1IwEGp9ThfzyYsHv:wuOYWjkTKbybSF18NVsglXUwXfzwv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpeohh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnlgleef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hidgai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgnbaeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffqhcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbjena32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gehbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbbch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpeohh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihnkel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gikkfqmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hidgai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfhgkmpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amodep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qofcff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpimlfke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gihgfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edemkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkogiikb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcclld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pajeam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjellmbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcgnbaeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkoch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkegpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggpbjkpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnfjbdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lndham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhafeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmfmhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipeeobbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpnoncim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bifmqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eagaoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hajpbckl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfghg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cadlbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmaopfjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmfmhll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbjoeojc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cippgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbgjbkfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcikgacl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aogiap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhalefe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcdala32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnkggfkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgpogili.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejflhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bihjfnmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jklinohd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinjhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehfcfb32.exe

Executes dropped EXE 64 IoCs

pid	Process
3948	Pgkelj32.exe
1896	Qgpogili.exe
1476	Amodep32.exe
4980	Bogcgj32.exe
2460	Bidqko32.exe
3560	Bgeaifia.exe
3532	Bifmqo32.exe
520	Bggnof32.exe
4332	Bihjfnmm.exe
4028	Cpbbch32.exe
3900	Cjhfpa32.exe
2268	Cpeohh32.exe
2624	Cglgjeci.exe
1700	Cadlbk32.exe
4084	Cippgm32.exe
3028	Eagaoh32.exe
1012	Edemkd32.exe
2244	Eaindh32.exe
3048	Efffmo32.exe
3760	Empoiimf.exe
4632	Ehfcfb32.exe
2964	Epagkd32.exe
4532	Ejflhm32.exe
3396	Emehdh32.exe
4232	Filiii32.exe
4772	Ffpicn32.exe
3388	Ggpbjkpl.exe
3340	Gphgbafl.exe
1832	Ggbook32.exe
4620	Gnlgleef.exe
3344	Hkpheidp.exe
4108	Hajpbckl.exe
5072	Hhdhon32.exe
1768	Hnaqgd32.exe
852	Hhfedm32.exe
4848	Hjhalefe.exe
3256	Hdmein32.exe
856	Hkgnfhnh.exe
4972	Hnfjbdmk.exe
4996	Hhknpmma.exe
3756	Hpfcdojl.exe
2172	Ihnkel32.exe
4284	Iddljmpc.exe
3620	Knkekn32.exe
4404	Lndham32.exe
2340	Leopnglc.exe
4636	Ljkifn32.exe
456	Mbbagk32.exe
924	Mbenmk32.exe
2104	Mecjif32.exe
4216	Mhafeb32.exe
1292	Mbgjbkfg.exe
1892	Micoed32.exe
4524	Mjellmbp.exe
1356	Oimkbaed.exe
3584	Pkogiikb.exe
1428	Pemomqcn.exe
1432	Qofcff32.exe
4880	Qepkbpak.exe
4320	Qhngolpo.exe
1880	Qcclld32.exe
4068	Ahqddk32.exe
4924	Akoqpg32.exe
2700	Aeddnp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jcikgacl.exe	Jjafok32.exe
File created	C:\Windows\SysWOW64\Pkbjjbda.exe	Pajeam32.exe
File created	C:\Windows\SysWOW64\Qdphngfl.exe	Phigif32.exe
File created	C:\Windows\SysWOW64\Ppebjo32.dll	Pgkelj32.exe
File opened for modification	C:\Windows\SysWOW64\Bgeaifia.exe	Bidqko32.exe
File created	C:\Windows\SysWOW64\Plpjfnfg.dll	Gphgbafl.exe
File created	C:\Windows\SysWOW64\Qepkbpak.exe	Qofcff32.exe
File created	C:\Windows\SysWOW64\Mchppmij.exe	Mnkggfkb.exe
File opened for modification	C:\Windows\SysWOW64\Pfoann32.exe	Omgmeigd.exe
File created	C:\Windows\SysWOW64\Looknpmn.dll	Bidqko32.exe
File created	C:\Windows\SysWOW64\Epagkd32.exe	Ehfcfb32.exe
File opened for modification	C:\Windows\SysWOW64\Filiii32.exe	Emehdh32.exe
File created	C:\Windows\SysWOW64\Pebndcpg.dll	Hdmein32.exe
File created	C:\Windows\SysWOW64\Akoqpg32.exe	Ahqddk32.exe
File created	C:\Windows\SysWOW64\Copdgb32.dll	Pajeam32.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Bajqda32.exe
File opened for modification	C:\Windows\SysWOW64\Bggnof32.exe	Bifmqo32.exe
File created	C:\Windows\SysWOW64\Mokmqben.dll	Aahbbkaq.exe
File opened for modification	C:\Windows\SysWOW64\Ljkifn32.exe	Leopnglc.exe
File created	C:\Windows\SysWOW64\Plmmif32.exe	Pknqoc32.exe
File created	C:\Windows\SysWOW64\Ahpmjejp.exe	Aogiap32.exe
File opened for modification	C:\Windows\SysWOW64\Hidgai32.exe	Hbjoeojc.exe
File created	C:\Windows\SysWOW64\Cippgm32.exe	Cadlbk32.exe
File created	C:\Windows\SysWOW64\Fdnpclpq.dll	Jjafok32.exe
File created	C:\Windows\SysWOW64\Pfoann32.exe	Omgmeigd.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Pfandnla.exe
File created	C:\Windows\SysWOW64\Hkpheidp.exe	Gnlgleef.exe
File created	C:\Windows\SysWOW64\Mecjif32.exe	Mbenmk32.exe
File opened for modification	C:\Windows\SysWOW64\Gnepna32.exe	Gihgfk32.exe
File created	C:\Windows\SysWOW64\Ahqdnk32.dll	Eagaoh32.exe
File created	C:\Windows\SysWOW64\Kmaopfjm.exe	Jcikgacl.exe
File created	C:\Windows\SysWOW64\Ogigdpmb.dll	Gojiiafp.exe
File created	C:\Windows\SysWOW64\Empoiimf.exe	Efffmo32.exe
File created	C:\Windows\SysWOW64\Hdjgko32.dll	Jcikgacl.exe
File created	C:\Windows\SysWOW64\Opclldhj.exe	Iinjhh32.exe
File created	C:\Windows\SysWOW64\Haffcnib.dll	Bogcgj32.exe
File opened for modification	C:\Windows\SysWOW64\Ejflhm32.exe	Epagkd32.exe
File created	C:\Windows\SysWOW64\Flcmfp32.dll	Mbgjbkfg.exe
File created	C:\Windows\SysWOW64\Pnclimck.dll	Qhngolpo.exe
File created	C:\Windows\SysWOW64\Fpplna32.dll	Bihjfnmm.exe
File created	C:\Windows\SysWOW64\Hpdclcbj.dll	Emehdh32.exe
File opened for modification	C:\Windows\SysWOW64\Qepkbpak.exe	Qofcff32.exe
File opened for modification	C:\Windows\SysWOW64\Qcclld32.exe	Qhngolpo.exe
File opened for modification	C:\Windows\SysWOW64\Alnmjjdb.exe	Aeddnp32.exe
File created	C:\Windows\SysWOW64\Mebcop32.exe	Kmaopfjm.exe
File opened for modification	C:\Windows\SysWOW64\Hblkjo32.exe	Hpnoncim.exe
File created	C:\Windows\SysWOW64\Hhdhon32.exe	Hajpbckl.exe
File opened for modification	C:\Windows\SysWOW64\Fpbflg32.exe	Fmcjpl32.exe
File opened for modification	C:\Windows\SysWOW64\Ffnknafg.exe	Fpdcag32.exe
File created	C:\Windows\SysWOW64\Chkobkod.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Cgqlcg32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkoch32.exe	Pkbjjbda.exe
File opened for modification	C:\Windows\SysWOW64\Cjhfpa32.exe	Cpbbch32.exe
File created	C:\Windows\SysWOW64\Ghoqak32.dll	Olfghg32.exe
File created	C:\Windows\SysWOW64\Hmmfmhll.exe	Gojiiafp.exe
File created	C:\Windows\SysWOW64\Cklgfgfg.dll	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Opeemh32.dll	Eaindh32.exe
File opened for modification	C:\Windows\SysWOW64\Hkgnfhnh.exe	Hdmein32.exe
File opened for modification	C:\Windows\SysWOW64\Aeddnp32.exe	Akoqpg32.exe
File opened for modification	C:\Windows\SysWOW64\Olfghg32.exe	Ohhnbhok.exe
File opened for modification	C:\Windows\SysWOW64\Fpdcag32.exe	Feoodn32.exe
File created	C:\Windows\SysWOW64\Ndoell32.dll	Gnepna32.exe
File opened for modification	C:\Windows\SysWOW64\Pfandnla.exe	Paeelgnj.exe
File opened for modification	C:\Windows\SysWOW64\Eiahnnph.exe	Aajohjon.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6252	6924	WerFault.exe	243

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knkekn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnhejgh.dll"	Plmmif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpeei32.dll"	Aomifecf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chdialdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajohjon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinjhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bidqko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpplna32.dll"	Bihjfnmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leopnglc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchppmij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phigif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcgnbaeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbdcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hidgai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edemkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggbook32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aomifecf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bggnof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecqieiii.dll"	Aeddnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfcalbj.dll"	Qdbdcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclnnc32.dll"	Dbndfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mchppmij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljkifn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkogiikb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcdala32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aogiap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjhfpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcclld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hphlgp32.dll"	Cjhfpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cadlbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amodep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gikkfqmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigcfhbi.dll"	Hfhgkmpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjellmbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gehbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gphgbafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogacbllg.dll"	Pknqoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edemkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opeemh32.dll"	Eaindh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmcjpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbjena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmhbnnof.dll"	Qgpogili.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfohjf32.dll"	Phigif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qepkbpak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkolm32.dll"	Mnkggfkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Filclgic.dll"	Gimqajgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qikoka32.dll"	Gmimai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mefiblfk.dll"	Cadlbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnfjbdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngbbg32.dll"	Knkekn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fliabjbh.dll"	Bggnof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gihgfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjafok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfandnla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Filiii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljkifn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnepna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amodep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbbcjfp.dll"	Oeokal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cncijina.dll"	Mchppmij.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 3948	4136	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe	87
PID 4136 wrote to memory of 3948	4136	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe	87
PID 4136 wrote to memory of 3948	4136	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe	87
PID 3948 wrote to memory of 1896	3948	Pgkelj32.exe	90
PID 3948 wrote to memory of 1896	3948	Pgkelj32.exe	90
PID 3948 wrote to memory of 1896	3948	Pgkelj32.exe	90
PID 1896 wrote to memory of 1476	1896	Qgpogili.exe	91
PID 1896 wrote to memory of 1476	1896	Qgpogili.exe	91
PID 1896 wrote to memory of 1476	1896	Qgpogili.exe	91
PID 1476 wrote to memory of 4980	1476	Amodep32.exe	92
PID 1476 wrote to memory of 4980	1476	Amodep32.exe	92
PID 1476 wrote to memory of 4980	1476	Amodep32.exe	92
PID 4980 wrote to memory of 2460	4980	Bogcgj32.exe	93
PID 4980 wrote to memory of 2460	4980	Bogcgj32.exe	93
PID 4980 wrote to memory of 2460	4980	Bogcgj32.exe	93
PID 2460 wrote to memory of 3560	2460	Bidqko32.exe	94
PID 2460 wrote to memory of 3560	2460	Bidqko32.exe	94
PID 2460 wrote to memory of 3560	2460	Bidqko32.exe	94
PID 3560 wrote to memory of 3532	3560	Bgeaifia.exe	95
PID 3560 wrote to memory of 3532	3560	Bgeaifia.exe	95
PID 3560 wrote to memory of 3532	3560	Bgeaifia.exe	95
PID 3532 wrote to memory of 520	3532	Bifmqo32.exe	96
PID 3532 wrote to memory of 520	3532	Bifmqo32.exe	96
PID 3532 wrote to memory of 520	3532	Bifmqo32.exe	96
PID 520 wrote to memory of 4332	520	Bggnof32.exe	98
PID 520 wrote to memory of 4332	520	Bggnof32.exe	98
PID 520 wrote to memory of 4332	520	Bggnof32.exe	98
PID 4332 wrote to memory of 4028	4332	Bihjfnmm.exe	99
PID 4332 wrote to memory of 4028	4332	Bihjfnmm.exe	99
PID 4332 wrote to memory of 4028	4332	Bihjfnmm.exe	99
PID 4028 wrote to memory of 3900	4028	Cpbbch32.exe	100
PID 4028 wrote to memory of 3900	4028	Cpbbch32.exe	100
PID 4028 wrote to memory of 3900	4028	Cpbbch32.exe	100
PID 3900 wrote to memory of 2268	3900	Cjhfpa32.exe	101
PID 3900 wrote to memory of 2268	3900	Cjhfpa32.exe	101
PID 3900 wrote to memory of 2268	3900	Cjhfpa32.exe	101
PID 2268 wrote to memory of 2624	2268	Cpeohh32.exe	102
PID 2268 wrote to memory of 2624	2268	Cpeohh32.exe	102
PID 2268 wrote to memory of 2624	2268	Cpeohh32.exe	102
PID 2624 wrote to memory of 1700	2624	Cglgjeci.exe	103
PID 2624 wrote to memory of 1700	2624	Cglgjeci.exe	103
PID 2624 wrote to memory of 1700	2624	Cglgjeci.exe	103
PID 1700 wrote to memory of 4084	1700	Cadlbk32.exe	104
PID 1700 wrote to memory of 4084	1700	Cadlbk32.exe	104
PID 1700 wrote to memory of 4084	1700	Cadlbk32.exe	104
PID 4084 wrote to memory of 3028	4084	Cippgm32.exe	105
PID 4084 wrote to memory of 3028	4084	Cippgm32.exe	105
PID 4084 wrote to memory of 3028	4084	Cippgm32.exe	105
PID 3028 wrote to memory of 1012	3028	Eagaoh32.exe	106
PID 3028 wrote to memory of 1012	3028	Eagaoh32.exe	106
PID 3028 wrote to memory of 1012	3028	Eagaoh32.exe	106
PID 1012 wrote to memory of 2244	1012	Edemkd32.exe	107
PID 1012 wrote to memory of 2244	1012	Edemkd32.exe	107
PID 1012 wrote to memory of 2244	1012	Edemkd32.exe	107
PID 2244 wrote to memory of 3048	2244	Eaindh32.exe	108
PID 2244 wrote to memory of 3048	2244	Eaindh32.exe	108
PID 2244 wrote to memory of 3048	2244	Eaindh32.exe	108
PID 3048 wrote to memory of 3760	3048	Efffmo32.exe	109
PID 3048 wrote to memory of 3760	3048	Efffmo32.exe	109
PID 3048 wrote to memory of 3760	3048	Efffmo32.exe	109
PID 3760 wrote to memory of 4632	3760	Empoiimf.exe	110
PID 3760 wrote to memory of 4632	3760	Empoiimf.exe	110
PID 3760 wrote to memory of 4632	3760	Empoiimf.exe	110
PID 4632 wrote to memory of 2964	4632	Ehfcfb32.exe	111

C:\Users\Admin\AppData\Local\Temp\bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
"C:\Users\Admin\AppData\Local\Temp\bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\SysWOW64\Pgkelj32.exe
  C:\Windows\system32\Pgkelj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\Qgpogili.exe
    C:\Windows\system32\Qgpogili.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\Amodep32.exe
      C:\Windows\system32\Amodep32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\SysWOW64\Bogcgj32.exe
        
        C:\Windows\system32\Bogcgj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Windows\SysWOW64\Bidqko32.exe
        
        C:\Windows\system32\Bidqko32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Bgeaifia.exe
        
        C:\Windows\system32\Bgeaifia.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Bifmqo32.exe
        
        C:\Windows\system32\Bifmqo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Bggnof32.exe
        
        C:\Windows\system32\Bggnof32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\SysWOW64\Bihjfnmm.exe
        
        C:\Windows\system32\Bihjfnmm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Cpbbch32.exe
        
        C:\Windows\system32\Cpbbch32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Cjhfpa32.exe
        
        C:\Windows\system32\Cjhfpa32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Cpeohh32.exe
        
        C:\Windows\system32\Cpeohh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Cglgjeci.exe
        
        C:\Windows\system32\Cglgjeci.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Cadlbk32.exe
        
        C:\Windows\system32\Cadlbk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Cippgm32.exe
        
        C:\Windows\system32\Cippgm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Eagaoh32.exe
        
        C:\Windows\system32\Eagaoh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Edemkd32.exe
        
        C:\Windows\system32\Edemkd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Eaindh32.exe
        
        C:\Windows\system32\Eaindh32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Efffmo32.exe
        
        C:\Windows\system32\Efffmo32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Empoiimf.exe
        
        C:\Windows\system32\Empoiimf.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Ehfcfb32.exe
        
        C:\Windows\system32\Ehfcfb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Epagkd32.exe
        
        C:\Windows\system32\Epagkd32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Ejflhm32.exe
        
        C:\Windows\system32\Ejflhm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Emehdh32.exe
        
        C:\Windows\system32\Emehdh32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Filiii32.exe
        
        C:\Windows\system32\Filiii32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Ffpicn32.exe
        
        C:\Windows\system32\Ffpicn32.exe
        27⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Ggpbjkpl.exe
        
        C:\Windows\system32\Ggpbjkpl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3388
        
        C:\Windows\SysWOW64\Gphgbafl.exe
        
        C:\Windows\system32\Gphgbafl.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Ggbook32.exe
        
        C:\Windows\system32\Ggbook32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Gnlgleef.exe
        
        C:\Windows\system32\Gnlgleef.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\Hkpheidp.exe
        
        C:\Windows\system32\Hkpheidp.exe
        32⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Hajpbckl.exe
        
        C:\Windows\system32\Hajpbckl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Hhdhon32.exe
        
        C:\Windows\system32\Hhdhon32.exe
        34⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Hnaqgd32.exe
        
        C:\Windows\system32\Hnaqgd32.exe
        35⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Hhfedm32.exe
        
        C:\Windows\system32\Hhfedm32.exe
        36⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\Hjhalefe.exe
        
        C:\Windows\system32\Hjhalefe.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Hdmein32.exe
        
        C:\Windows\system32\Hdmein32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Hkgnfhnh.exe
        
        C:\Windows\system32\Hkgnfhnh.exe
        39⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\Hnfjbdmk.exe
        
        C:\Windows\system32\Hnfjbdmk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Hhknpmma.exe
        
        C:\Windows\system32\Hhknpmma.exe
        41⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Hpfcdojl.exe
        
        C:\Windows\system32\Hpfcdojl.exe
        42⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Ihnkel32.exe
        
        C:\Windows\system32\Ihnkel32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\Iddljmpc.exe
        
        C:\Windows\system32\Iddljmpc.exe
        44⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Knkekn32.exe
        
        C:\Windows\system32\Knkekn32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Lndham32.exe
        
        C:\Windows\system32\Lndham32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Leopnglc.exe
        
        C:\Windows\system32\Leopnglc.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Ljkifn32.exe
        
        C:\Windows\system32\Ljkifn32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Mbbagk32.exe
        
        C:\Windows\system32\Mbbagk32.exe
        49⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Mbenmk32.exe
        
        C:\Windows\system32\Mbenmk32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Mecjif32.exe
        
        C:\Windows\system32\Mecjif32.exe
        51⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Mhafeb32.exe
        
        C:\Windows\system32\Mhafeb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Mbgjbkfg.exe
        
        C:\Windows\system32\Mbgjbkfg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\Micoed32.exe
        
        C:\Windows\system32\Micoed32.exe
        54⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Mjellmbp.exe
        
        C:\Windows\system32\Mjellmbp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Oimkbaed.exe
        
        C:\Windows\system32\Oimkbaed.exe
        56⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Pkogiikb.exe
        
        C:\Windows\system32\Pkogiikb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Pemomqcn.exe
        
        C:\Windows\system32\Pemomqcn.exe
        58⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Qofcff32.exe
        
        C:\Windows\system32\Qofcff32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Qepkbpak.exe
        
        C:\Windows\system32\Qepkbpak.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Qhngolpo.exe
        
        C:\Windows\system32\Qhngolpo.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Qcclld32.exe
        
        C:\Windows\system32\Qcclld32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Ahqddk32.exe
        
        C:\Windows\system32\Ahqddk32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Akoqpg32.exe
        
        C:\Windows\system32\Akoqpg32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Aeddnp32.exe
        
        C:\Windows\system32\Aeddnp32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Alnmjjdb.exe
        
        C:\Windows\system32\Alnmjjdb.exe
        66⤵
        
        PID:864
        
        C:\Windows\SysWOW64\Aomifecf.exe
        
        C:\Windows\system32\Aomifecf.exe
        67⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Dbndfl32.exe
        
        C:\Windows\system32\Dbndfl32.exe
        68⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Fjhacf32.exe
        
        C:\Windows\system32\Fjhacf32.exe
        69⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Gikkfqmf.exe
        
        C:\Windows\system32\Gikkfqmf.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Hkpqkcpd.exe
        
        C:\Windows\system32\Hkpqkcpd.exe
        71⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Jcdala32.exe
        
        C:\Windows\system32\Jcdala32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Jklinohd.exe
        
        C:\Windows\system32\Jklinohd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Jcgnbaeo.exe
        
        C:\Windows\system32\Jcgnbaeo.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Jjafok32.exe
        
        C:\Windows\system32\Jjafok32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Jcikgacl.exe
        
        C:\Windows\system32\Jcikgacl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Kmaopfjm.exe
        
        C:\Windows\system32\Kmaopfjm.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Mebcop32.exe
        
        C:\Windows\system32\Mebcop32.exe
        78⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Mchppmij.exe
        
        C:\Windows\system32\Mchppmij.exe
        80⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Ohfami32.exe
        
        C:\Windows\system32\Ohfami32.exe
        81⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Onpjichj.exe
        
        C:\Windows\system32\Onpjichj.exe
        82⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Ohhnbhok.exe
        
        C:\Windows\system32\Ohhnbhok.exe
        83⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Olfghg32.exe
        
        C:\Windows\system32\Olfghg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Oeokal32.exe
        
        C:\Windows\system32\Oeokal32.exe
        85⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Oogpjbbb.exe
        
        C:\Windows\system32\Oogpjbbb.exe
        86⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Phodcg32.exe
        
        C:\Windows\system32\Phodcg32.exe
        87⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\Pknqoc32.exe
        
        C:\Windows\system32\Pknqoc32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Plmmif32.exe
        
        C:\Windows\system32\Plmmif32.exe
        89⤵
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Pajeam32.exe
        
        C:\Windows\system32\Pajeam32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Pkbjjbda.exe
        
        C:\Windows\system32\Pkbjjbda.exe
        91⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Pdkoch32.exe
        
        C:\Windows\system32\Pdkoch32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3228
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Phigif32.exe
        
        C:\Windows\system32\Phigif32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Qdphngfl.exe
        
        C:\Windows\system32\Qdphngfl.exe
        95⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Qkipkani.exe
        
        C:\Windows\system32\Qkipkani.exe
        96⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Qdbdcg32.exe
        
        C:\Windows\system32\Qdbdcg32.exe
        97⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Aogiap32.exe
        
        C:\Windows\system32\Aogiap32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        99⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Aahbbkaq.exe
        
        C:\Windows\system32\Aahbbkaq.exe
        100⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Aajohjon.exe
        
        C:\Windows\system32\Aajohjon.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        102⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        104⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        105⤵
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        107⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1528
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        112⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        113⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        116⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        117⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        118⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        119⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3944
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        124⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        126⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4840
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        130⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        131⤵
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        132⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        133⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        138⤵
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6568
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        140⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6668
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        143⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6884
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        145⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 400
        146⤵
        Program crash
        
        PID:6252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6924 -ip 6924
1⤵
PID:6964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajohjon.exe

Filesize
64KB

MD5
e9787f93588d25e749e261c466e79358

SHA1
4b123077f434f2de693a722ee368ebeab60cb5f0

SHA256
3bfb96d0f8ad3c167bae807417ef0f0ce46a47f16c82123ceeaa5e91a60f7db7

SHA512
aa40e22ae2ff0f5abb47198e31decbcdcc226b013d376bec7cc27f547da9d934e40a17878fc69c02e383e19f0b884ee03e5100656eb4b2e79790671709b9b244

Download Submit
C:\Windows\SysWOW64\Amodep32.exe

Filesize
64KB

MD5
0d11d71c5264ff1abf8e4ee47aead6ee

SHA1
b02ae786210dce42b56dbc09d9c09cf52f40ffe0

SHA256
380bd435a66e7a0c8b963c262311f8bc3a1c32c8f0c88360b9bf36a079c02dd1

SHA512
672819d6e4e66814c3e1b025031c1367b655158197b2182cab551f6809019b5d70dc9fbf157b3e2660195c106a9539948305a660248633d7af2aec1b23390803

Download Submit
C:\Windows\SysWOW64\Bgeaifia.exe

Filesize
64KB

MD5
3a370011e5e74794161ceccfeddcc47b

SHA1
f8a02681558545cedd2bc5ff62aeca205e1db7c4

SHA256
30cab475edf41fb9823fbec01358f4c6d787497ceadcbbb98210a693d8faa52b

SHA512
7576a838c326dfd3028e0f4c0db18f8b3f9db87dc6b993347fa66658c7be14247cefed325b0ca0819dde924647c57d11af3df2a106afce4bb455695ac6748d35

Download Submit
C:\Windows\SysWOW64\Bggnof32.exe

Filesize
64KB

MD5
573b3ad6547e52fbe5cb92b72ee35496

SHA1
8cf2758e192526de8ad7fa35e54f41ed6f9ad450

SHA256
a81b08ed8abd37d04084c3b601be3e7a87a1fc86a4b934b49d2a5831d2f5a3af

SHA512
502177d6f54a4a212975f3326e1b1905bb666e2b10e7f1e40bd79067cd910c2085f221a80c68e3063ebe8039ce818f53db1b1e1cd3552146abaf662e0590f029

Download Submit
C:\Windows\SysWOW64\Bidqko32.exe

Filesize
64KB

MD5
12ed911ce0a2994e560e2ae6a8e2ba1b

SHA1
58efcae84361c03cb351c6b21a461afa556f6094

SHA256
d6d7f509ab4dfd488ec3b2af89359d3c1daea100b6283569001d5339daf17de1

SHA512
b538065ec333062af1e2815e3d1762d58690e07c94673ea6d93b191c571bf9ead7222b12e8097fb2052407c8f50718c04e9b4f9d28605dd3a1b544516f09caa3

Download Submit
C:\Windows\SysWOW64\Bifmqo32.exe

Filesize
64KB

MD5
7ef254f129b7638ff9ce649af77cc31b

SHA1
cf26f1caf39a27d3e6346e79989bf5b0408e0865

SHA256
f298cc0c904ca597163a8c5b1f8d765a22e3af60d9f28bf60f9a2a5e45bad2ac

SHA512
c1e6564b0eff81a3a260ffc69500491ff2818a979ebd6885750bcc2f63203cc39159b4ef1ada4b43a343c1a42cf58b54695bc03f4739ab4e706e11c13494adfe

Download Submit
C:\Windows\SysWOW64\Bihjfnmm.exe

Filesize
64KB

MD5
8822be45ef169886dcd8720fd616031e

SHA1
fdefe6637e0ebb6d63932aa1240859b3343bbc16

SHA256
0587fe0290724a4448aaa99c2cf11a306b70d349a9556f235e8ae5e9fc0270f6

SHA512
1c292ec80ad6a1129673353145dc496c677686c4339f0a8bc36cfecefda451c54566b36bc708dcc5157ee6a600c9852fdc3d19b3ae3bf3be29e5d0a1a9248e45

Download Submit
C:\Windows\SysWOW64\Bogcgj32.exe

Filesize
64KB

MD5
6b430323f20bef427683feb725be7c10

SHA1
b9b019e3b6c3d49d84af704a816af065bb4ddcac

SHA256
63ebb151584bb773c56427cb1c6847efdfc8fb980f9725359becf3496d6a09e0

SHA512
fd35d0bb4d0b8c53cfc429b760084fde528ca6a837662202b3f2229d0e3caf1f5948b7bf8e45fc10715a6207d96a29787574fd4e253350324b9a2f3df149e654

Download Submit
C:\Windows\SysWOW64\Cadlbk32.exe

Filesize
64KB

MD5
ff4148984ed21c13449cd348b2ab0da6

SHA1
e0486384d5f1d4df01f536d108a5c8033e8eb35b

SHA256
b156fbd3ea252d6d90fd1da14ff40be1d7d09b0e629f169c488031cbdb7b8f07

SHA512
912ac8e71bfb9c432f2c4502f94e872e92d3c41ef7b7f8e1325746d7dd2a27f294363af77acaf3832c44a01f632947caea8ec2f12b9cd72d28ce50bcc2a2e1c0

Download Submit
C:\Windows\SysWOW64\Cglgjeci.exe

Filesize
64KB

MD5
e0bdc9bc247df9385dee9be3a9150f22

SHA1
0c7de70c9ee3260e2000f5bc47de2d8fe35000e2

SHA256
9532f5fe6ae0889dd97268da01f0609d66e5857ef09c6e686e16d05c322a3a9b

SHA512
42d4dbd6d1f349e74908a29141767e87448e9543ef0c6b4475bf8f99fa9886b6a55dfff7232a62ccdf821c847515c1f0251d043adf02ec2b00a3b7f07decc66f

Download Submit
C:\Windows\SysWOW64\Cippgm32.exe

Filesize
64KB

MD5
ebdd5d84a7cdc013f7d60585e68cbfcc

SHA1
0df017f5c8e1eff6b6532ea4dcfc3d4ccf77ec0b

SHA256
171ec8b2891ea7744f8cdada1742e5861559b19c748a634e2f17371e79b00b96

SHA512
c49030517ec70c6820393ccc219c93b2ee2e8891c0eb4a6173c0a7233db8ff836458968d333c62f4c1f5612d2c4f10897769888f60e20528f133c88dbdef1382

Download Submit
C:\Windows\SysWOW64\Cjhfpa32.exe

Filesize
64KB

MD5
c3edb7ea55afdfd9ff07c66a15d80d44

SHA1
9c83f4b2d1486d74b4c0f91c567f611b27c1134c

SHA256
65dedfd7fae4dbca2669128471bfb466fdcdd77b3ef7cfc5578cdb3de4b0aefe

SHA512
5aa68d854b16bb357f5c63c0b61c874b8a520a2283d028471fee75ffef6e2735e1b40968e08ab742b70d3b56213055523eaa2431ed14f4f8231b666bdcd5dab1

Download Submit
C:\Windows\SysWOW64\Cpbbch32.exe

Filesize
64KB

MD5
0b27f5a3b82dafa40b179d06b0243021

SHA1
a5c96e1a6baafe2ef07df63a22a7fe32df7834a1

SHA256
22ef360300365790637fe6c760bb582a20c21b089837760683cfaed0a626c243

SHA512
0b7641681c1b527cbe5e23eaf0c18ce68ce3fcd4cd1454935f558dc0c68a859412cc43c587c54c4a47ba432cd8e993bfb582c1967c3694bec29892a5e2928711

Download Submit
C:\Windows\SysWOW64\Cpeohh32.exe

Filesize
64KB

MD5
ab617a12ae44a5be4919ae6a3073303d

SHA1
c7e47dfba20c7a7a1c6e51b6573b4fb3a90279b6

SHA256
ed51d7a6719a801f34f7fd1397e2600e55844f199839365a6124792dc8b5c846

SHA512
0bf9a1503dd2400defd156e812fb7f73c4a885f500b2022bca13ce9f0b2fd186346d0704063f1ecbd5a3afb7916119c665663d88a9bd08b1758dbb97aca02d32

Download Submit
C:\Windows\SysWOW64\Eagaoh32.exe

Filesize
64KB

MD5
bf4f45c34f5cff96c24b66b46fd6d1e3

SHA1
25c7098bff8aac2ec9e68427484ad834543fd4f2

SHA256
518775458fde3b415f86b61f09e662544b68fe5007a8d4a6cf4e1de2ca5b7bd0

SHA512
10db48eff6a7fd5a62a5e33ebcd05a3414452547fab3ca682c43ee7f0a7fdcd4c08ba3a6632ef6dd9e397f08423478767f51fcd2a0c2989475a3771d7e15d003

Download Submit
C:\Windows\SysWOW64\Eaindh32.exe

Filesize
64KB

MD5
b356d36316a28796ecaaeaa61ac75b9b

SHA1
a00db34e700c080ad3c66357dcad7b40af23cff1

SHA256
f343af77f18c6a1b5247f3fa911169f37edf73274a71dcf8eaf3530d1b6324b4

SHA512
1ea88f2809bfedcf9582e37ff64b11c55d82c5231d107d0c089bcd9cf527fdf3c178cd058abb3da3f71893cc1bf6fc9acd4b37a6be8710d4011de51a0bfabe10

Download Submit
C:\Windows\SysWOW64\Edemkd32.exe

Filesize
64KB

MD5
247e15cf4ccedd58628febce8d4485a8

SHA1
052386fee162a70b22c3553565603ec15a9f1a2c

SHA256
f3bcdc71674e5add5282aee777b14f2981bfd2a28b1083f1a8948ea722504a34

SHA512
712be25547773809f900cb69191be4a3691473e27b0d7439bb33ce7f6b57d2b5bd4e8842836ca7e0ba37d83b138b4282b23ba3b019df09a41dff2bdac08de527

Download Submit
C:\Windows\SysWOW64\Efffmo32.exe

Filesize
64KB

MD5
db658346812eb7787facc74e7d882bb8

SHA1
ddf4a9009568cd73c4e222151fa61d13de0be5f8

SHA256
88a2b5c1407907d0eb94665678d596abd1bfe6c2bca33884a47d352957dbdd12

SHA512
e65db15dcadf259e70cc976bd6b7c4781cf499c1f55078b13e7b8af228b824283a8c520ffe690b517e44bc5ec340b8155a7348d72653d58c4df5511ada4de585

Download Submit
C:\Windows\SysWOW64\Ehfcfb32.exe

Filesize
64KB

MD5
da0648c870300cc3e093a60441e287f2

SHA1
60a00d28f2ab3b0382f2557502f6f36c1eea0ea1

SHA256
9ccf6c7a89a50e343fe01b58d5f69b926cbebbf8ea997e71f7462bf237ef0e8f

SHA512
33a197f1c70a6e619c131ea942433ce030df8ff8dcde1da27e41365bc8286628ebe254e516da0b94ec629b7c0fd350cb13c00f95d03158ea14a4f218e0e6422f

Download Submit
C:\Windows\SysWOW64\Ejflhm32.exe

Filesize
64KB

MD5
15ec626a8a2e9c131baee60c2625da1f

SHA1
565246d75256acc1f98b5968f96c90de13ac2097

SHA256
4c57680797c2d2ae99272e9d40b6ee5f416d99ea80bd4da0f2bf2759c1b7b57f

SHA512
4e4c6d1ff2f8317614a9b643c95516728dce43fb958de4f8e81db1836c72f0007d5efff39d8a05d2d7a9292632873d944c3be94b4d6aaf43106b57467f9dcf97

Download Submit
C:\Windows\SysWOW64\Emehdh32.exe

Filesize
64KB

MD5
5504680fc2f9055b516653d9efb07014

SHA1
bd6a1fa923dc873dd787563d4343646d4d0970cb

SHA256
69487236c8803665ab8b208a73927652bb69e44cbff13c629c221b9fae7673ed

SHA512
355c8068bad4b1286d158c6f1d9c820e8341ac3bab3102b6b888824ae0ada27034241787d440e5b075848e5c1d4bad645e0901023956549475bc68e594dcfdab

Download Submit
C:\Windows\SysWOW64\Empoiimf.exe

Filesize
64KB

MD5
41b0eade369703970d48cbc3b29f31a3

SHA1
a5cf037720165bb4a1d6600d0d6e2768394b72d2

SHA256
47b3e54bfad29e8c7e90916b0d6b68f2a5dd1d4e04aa25bf34d8d3c770e8ca09

SHA512
83ebf0748118f06be597926e241168115eaea5e25d679063d497a170109fcc6710f033d1f238d7cdaaffd35e46a7da398d739a5060c4522c130b4fd1f95ac2ee

Download Submit
C:\Windows\SysWOW64\Epagkd32.exe

Filesize
64KB

MD5
9eef155ec06a8407ebd34a0457f41000

SHA1
d0a18f64216f045d422ff8d350bbd23572a9fa17

SHA256
bdd0e8542be0df53cf4a40ac2dd63758c2a4ef2f3f3365943e0179cfadae526a

SHA512
436e60d8c5f2fe4aeddb219b0e0984c0b0acd852b20bebb47bbb0788e0a637ebf3bab60d67086dcd354ab4b5a3ac6c28c0dcd4e077ba75ca9686082bc84fa50f

Download Submit
C:\Windows\SysWOW64\Ffnknafg.exe

Filesize
64KB

MD5
6708fee2b2a1dbb48e532dbeb9cc1eba

SHA1
096bf4aee72343f255e9bc768369dee7b0a152f8

SHA256
2300c9d7d326451a9f598a7e855b051357cd8be287a081dcd7f47716034826c7

SHA512
5c449c46992ae314dcfeb61b969f402675cee58e31e4834767b21347389f7201520fbfd0418b7a0b8343f1dedf7155a6e9b65405a142da8edef86d6c4507353e

Download Submit
C:\Windows\SysWOW64\Ffpicn32.exe

Filesize
64KB

MD5
6a2718028e52ed24a69c9aaadfc3c381

SHA1
ed1a56bfe5566b58b309f8696da292284dfb6178

SHA256
b2abfc4dd41d6f99f2ae6497dbdbce8361c2f81bab7df697f5a6dee6ffee9365

SHA512
fee69d7a1d03609e2db48667b87fd6db31b541f3c6f4d8d5bc087c1149dab260a52ec180ed549d385d47663aa09c61a2c61e5dc4cc487ad28de7978c002371f3

Download Submit
C:\Windows\SysWOW64\Filiii32.exe

Filesize
64KB

MD5
07bc33fd2d07010f94c6cbaac555242c

SHA1
998f5020bdc4a80f3b124bdf8b1c601f0714ea6c

SHA256
df45fdf452b7a07f791adc2486b6059312bc30b7fb43aa09b417d704196d99de

SHA512
195ba4c95a896ad1ef88313125b64bd0f0e77186e2f84da6493f7fdba4f5908b44e8c1096dbfd7ca83f4746f970150b7508a32f5d056cc09ea5fea9b919741bc

Download Submit
C:\Windows\SysWOW64\Gbnoiqdq.exe

Filesize
64KB

MD5
45f735e73d1cb7e86a1fe7e43184ec02

SHA1
da39a98401b1128c310e6b73c182f19cf8527620

SHA256
62049ab77bd535a4cbe426901d99af6529c3c5b4609689ac82b0fd7765b4cce4

SHA512
366e87e84faeab7c0db54e03f47f7d997777805385f2a9d65772f56a14cb13d1a39527d41ade6aa1a639e1cc70227cb1589fa2e773ce75a17e3d7318f56961e1

Download Submit
C:\Windows\SysWOW64\Ggbook32.exe

Filesize
64KB

MD5
75819ef9c73963e3f34c8068d983a321

SHA1
276b86228238fe88050bfd9112605fa04d498414

SHA256
a40391abbdd2c85d0e97c8431c63bcfee2b1df615b28ec25b377fb5b2ea6534c

SHA512
a8cddb6f1020782e3f90751cc4b4ade7416e32f173a60f75d97a00bf5014c9ce176c8e3f3a83220184c1e0a56d23bfaf59819c20e6e238177ba284e9767be054

Download Submit
C:\Windows\SysWOW64\Ggpbjkpl.exe

Filesize
64KB

MD5
bad7cce69c8b2955d628fd42ee9283ef

SHA1
cc90c41203446ab6116da7b47ec355e2a05e7c28

SHA256
26888115b05b856ad23c68615e02ca09e4851bb10a3d11c1e7cd2b172331f6ac

SHA512
55177db57bd6090a9f6367df4c0aeb6a69a34244f9581948a0a69e3abdd78dedadd4bd109d766464fb9a5c72d0176110a599417f1c3680f87b5eb9bdd7cae7ac

Download Submit
C:\Windows\SysWOW64\Gnepna32.exe

Filesize
64KB

MD5
fd23891d088f17a01ec7f89bd90e027c

SHA1
d8e662b336f98b34c381026632987682e7baca36

SHA256
9223a76f742368800abb473eace1833165b10f67f81bcc98758dad77eefbdf46

SHA512
5f45ab91ff14c1bc5804c1055a055aab6989879ea13a7deff02f31db68dd0d3548e68c34779ee03f3842db86f5e154469eb3933cd7ad3e3d4735a06987f39f7b

Download Submit
C:\Windows\SysWOW64\Gnlgleef.exe

Filesize
64KB

MD5
f9f1a50d718d5dc5f98d3c8abaef9c5e

SHA1
f8d2e7479d2045447b56609d585707d3c1d9333f

SHA256
526315a26da8171fcf6d7d34c8b923d0097a76149761b4f81479dcd9ff310aa8

SHA512
201504bb341b4691f472c964a9dfa8b694e5eb040428aa8d8aa32b2523b56f1283ac2b896ede025e74505bbdd8d28c6b88fbca82d980b14268e2b65512108c3e

Download Submit
C:\Windows\SysWOW64\Gphgbafl.exe

Filesize
64KB

MD5
cee9918cc9d4e33b0523f58e9d2223b9

SHA1
134a07486bb8bbc9b2584f7e96932055a9c44d56

SHA256
f5cd6159aa688749930be7d91789581b2688a0ee46714e71d689956faeae2f8a

SHA512
76fccfb4bea5c7a738aa2166e42bec2927d0baba5873d61a7b579b183f44397e9f7f19ecf604f53b0e760bc6761781be4b4a6d565a2bbbf49f1200cd696a66ca

Download Submit
C:\Windows\SysWOW64\Hajpbckl.exe

Filesize
64KB

MD5
1412eba1b17cf57df01ca3b7283aa6f4

SHA1
411f9879a40bf79e0e8ecb6a27196b58e9fe99b6

SHA256
ce883a6da4d093bde6efb48ffe33d0c84317f7d979502d7bd54f74b09f736f70

SHA512
136f3666318be4152016946e96b9c21e8a10224068e4db66b79a200794415d06d365a9f80f65501e95118791f692c8974e2663ed45b796709999cfa6ed49d85d

Download Submit
C:\Windows\SysWOW64\Hkpheidp.exe

Filesize
64KB

MD5
a2b2cb7d3e4ac8abfed21f778b919d84

SHA1
8efe2a3f0002f702bd0e243818c0cb21f781f415

SHA256
2387b0021b49e5ea74b5931c2110d70bc854dfcc3d75b2c0c292fa937e44ca70

SHA512
c35d6f76137d6226cf5a8482eff565d5238a4ecefa3ea3e48b9a8fa337443ca1d465863d221b850bf1284b6738c473662cab4e569102b60f30b64f2028154b88

Download Submit
C:\Windows\SysWOW64\Hmmfmhll.exe

Filesize
64KB

MD5
03ab6f4a32292b493712a46adbf75fec

SHA1
b1c6c33d1d500782ad08449ef3ad440ad8db0cfb

SHA256
e1c72b47faabc7f0658f541b1cf90a22c9db52b00b38ef00c466d44cd4cd0d5f

SHA512
4f125707aa9a28dbec8b30838d835e815c1fe46b7d3a6f4808cbda8b71e11faee6ff7d0a6709f7e5b4ee7c5d0a1796ae45b5eda32e0ca342e5da8cc1078d8841

Download Submit
C:\Windows\SysWOW64\Mebcop32.exe

Filesize
64KB

MD5
080b8aae4f76df9fd692fb3df97c7d66

SHA1
c34068c036c449a027151ead853c467525034199

SHA256
ae923a2816a5977a2cf64ba07f310c2f95af1a6ff30e47b41946a5c189514b52

SHA512
04f73050d0e7d273f6758de76c9660aa7fe1a18703f9bf7af327e130a1a683764988b63153b2b7904d15b44e3fb4dfba6d91e028a586a4f45d89dd436755e6ad

Download Submit
C:\Windows\SysWOW64\Oeokal32.exe

Filesize
64KB

MD5
e36be0ac1919b8d3d37f0dcc806c901d

SHA1
ac12813048afe9278b90d6fa9f19a9f06e85f468

SHA256
c5e78881c9fb91502b034ab96aa5ec5435ffe78d2b1d20cc3eec3f107b332e0c

SHA512
ef2db6be273cb1d1d5b6e3f0d50c1bc08fb96f77d58f5c0ac49318b1cb77a3d67a41cc8804c90e090c569f94e29e655b1a5855a57bca983178df869960b5dac0

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
64KB

MD5
2063b399608b012727aff18703342018

SHA1
35188249405eeff704d7e3aa89d1f225b592ec01

SHA256
2110b7d020ff637c4595c268e4cb305494e5ab86c37490e4654b56e91490553b

SHA512
aca937fa1851eed494c482a850a05ec09d2a6fe2ff81b3c3c6db48f826bebffcb2b008047cbcebb891cf928eec7728e48c64c37f19967040dd1f7671a91d1d6a

Download Submit
C:\Windows\SysWOW64\Pgkelj32.exe

Filesize
64KB

MD5
879ec4085dd58f4b92fa1b2bb33625b9

SHA1
6640bfbd99ce2ea3f293d8fa139660e817214983

SHA256
38c05ad532415b9091dc817790bd9b344ad54088cd229b4baea37476d879520a

SHA512
1d0e6df30faca7664088ea70539c5fea1bbbf5a41a64d390e0f6d53462cdb0f39f14208562751ea9f6b93d89b97ceef1471b460f43d81aa20eda3f9e5d4db902

Download Submit
C:\Windows\SysWOW64\Pkegpb32.exe

Filesize
64KB

MD5
697ecc7da47bd5049b191058af0f4949

SHA1
313030bb43600c4f4c1f88309990f9dbdf476c55

SHA256
8e3a7e17ca2073032f5209a8631c534b94adb5717fa82ac3b1c3ea196ae4fd1c

SHA512
5d937adf26f2087dbbc5338a8a477014aba12cec51d721067b9f16939953d106aad6284dd0bd1ce348b68aa3dc835325579dd6f441e2e241d8827fbd653074cc

Download Submit
C:\Windows\SysWOW64\Plmmif32.exe

Filesize
64KB

MD5
8d6916e41ba23c959c5b38eefea985bd

SHA1
d4524302dca67423aac7682a9514347803f847ca

SHA256
4ab5c8a4258f89af57e8b27fafe9a8443783a906d8e8db481eb81f7df30e79b9

SHA512
47906ab720ef5f384a77c75bf2975a63f3cf755bd2401f2c1b33676b1f3b0d43d38566d2a41233e010c43ad0207da0985d52f774b366a4ee281e1b3019147b62

Download Submit
C:\Windows\SysWOW64\Qdbdcg32.exe

Filesize
64KB

MD5
355f5c93694d20810f906e4c6a981d4e

SHA1
69a9c1b88ba8f016cfb0bbcde7681d429fb8961b

SHA256
3ffae2e595f1a3c1bc73a4548bb9d5c4a3c38182c443f31a9b3e9697a86c5a6f

SHA512
6be1da239dd99465286d263b8ca14be2bbd952c2be92bef47acc9c8298c0e69f662342dda5d24d69f36391173937f458724b187a87300b98c3c70301185277ee

Download Submit
C:\Windows\SysWOW64\Qgpogili.exe

Filesize
64KB

MD5
3d9c4da8342d82915cd99158a65dff5b

SHA1
a282ab8a913b31c43f6ff0a9757e90d34d9b8a24

SHA256
5d87cb8d42f1070055b8c5994f4e58eaa65f5fe396af2b1095ce27ea5776ec95

SHA512
ca3ce4a96edbd627b0f9042ceb97ce4f3f260ebaf4818c047afece65c0a47018fae6cdfa3d9e4f096ec1795b3fe1576876c8cb9a60b99f0f45285e9c7a33db8b

Download Submit
memory/456-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/520-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/520-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/852-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/924-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1012-486-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1012-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1292-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1356-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1432-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3256-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3388-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3388-504-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3560-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3560-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3584-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3756-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3760-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3760-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3900-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3900-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4068-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4284-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4320-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-492-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-511-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4772-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4772-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-445-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4972-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads