d1ae7a7c6431eb0bcdd21b2d1b9ab494a854a3efa5e31b62f61a0a0fa235a6d1

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c027815f8c076f4f269c0e013ad99501.exe
Size

64KB
MD5

c027815f8c076f4f269c0e013ad99501
SHA1

568622520413e928f277ff466389a6e43c5f8833
SHA256

d1ae7a7c6431eb0bcdd21b2d1b9ab494a854a3efa5e31b62f61a0a0fa235a6d1
SHA512

25c93a32ec9ebe3f7944248e8e598dcff4fa447083600e173bb7eeabc1dc450687423b2d4d8653b543c3e64e1dca251e4082fd9edb78b00339ac84edb7c4ebd6
SSDEEP

768:UEnW+fw14mRI9GcfQHjMVaJjz3a3AVogb4g2p/1H5DjXdnhaBGHBJ1nVql3PH1:jW+GKGcfQpjzbKs2LTsBMu/H1

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geaepk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hefnkkkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpanan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcimdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnoaaaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdnbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqbcbkab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakmna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcbfcigf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhmnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnnljj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjhbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikmbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcoaglhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Monjjgkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loighj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhplpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abhqefpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaiqcnhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c027815f8c076f4f269c0e013ad99501.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdpni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnegbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhmnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oabhfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmhko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnfge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnnljj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcanll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpenfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigbmpco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcanll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbnkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehndnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edgbii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iogopi32.exe

Executes dropped EXE 64 IoCs

pid	Process
2760	Eiahnnph.exe
1860	Ekaapi32.exe
5072	Emanjldl.exe
4040	Felbnn32.exe
228	Fflohaij.exe
3144	Fimhjl32.exe
3992	Fbelcblk.exe
1388	Flmqlg32.exe
1864	Fiaael32.exe
1540	Gehbjm32.exe
3704	Gpnfge32.exe
4080	Gldglf32.exe
4392	Gmdcfidg.exe
892	Gikdkj32.exe
2648	Geaepk32.exe
4660	Hmkigh32.exe
2244	Hefnkkkj.exe
220	Hffken32.exe
4612	Hoaojp32.exe
392	Hpqldc32.exe
4616	Hpchib32.exe
1496	Iikmbh32.exe
4340	Ifomll32.exe
1340	Iojbpo32.exe
4368	Ipjoja32.exe
2092	Ieidhh32.exe
4840	Ipoheakj.exe
2368	Jekqmhia.exe
5052	Jcoaglhk.exe
3128	Jiiicf32.exe
868	Jcanll32.exe
4668	Jpenfp32.exe
2348	Jphkkpbp.exe
2880	Jgbchj32.exe
1944	Kpjgaoqm.exe
2188	Kgdpni32.exe
1692	Kpmdfonj.exe
5068	Kjeiodek.exe
2128	Kcmmhj32.exe
3428	Kpanan32.exe
2340	Kfnfjehl.exe
3380	Kcbfcigf.exe
1368	Loighj32.exe
2024	Llodgnja.exe
4420	Lcimdh32.exe
3248	Lnoaaaad.exe
4560	Lggejg32.exe
728	Lmdnbn32.exe
4068	Lcnfohmi.exe
840	Mnegbp32.exe
1288	Mfqlfb32.exe
3368	Mqfpckhm.exe
2148	Mnjqmpgg.exe
3756	Mcgiefen.exe
764	Mnmmboed.exe
3548	Monjjgkb.exe
4624	Nnojho32.exe
4356	Nggnadib.exe
1988	Ncnofeof.exe
2212	Npepkf32.exe
3700	Njjdho32.exe
4412	Npgmpf32.exe
5168	Nnhmnn32.exe
5208	Nceefd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lcnfohmi.exe	Lmdnbn32.exe
File created	C:\Windows\SysWOW64\Fpgkbmbm.dll	Nofefp32.exe
File created	C:\Windows\SysWOW64\Ppikbm32.exe	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Bdbbme32.dll	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Cpacqg32.exe
File opened for modification	C:\Windows\SysWOW64\Gpnfge32.exe	Gehbjm32.exe
File created	C:\Windows\SysWOW64\Paeelgnj.exe	Pfoann32.exe
File opened for modification	C:\Windows\SysWOW64\Qjfmkk32.exe	Palklf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmhbqbae.exe	Pfojdh32.exe
File opened for modification	C:\Windows\SysWOW64\Acqgojmb.exe	Qjhbfd32.exe
File created	C:\Windows\SysWOW64\Kakmna32.exe	Kolabf32.exe
File created	C:\Windows\SysWOW64\Fegbnohh.dll	Lhgkgijg.exe
File opened for modification	C:\Windows\SysWOW64\Eiahnnph.exe	c027815f8c076f4f269c0e013ad99501.exe
File created	C:\Windows\SysWOW64\Fmbgla32.dll	Qdaniq32.exe
File opened for modification	C:\Windows\SysWOW64\Bgpcliao.exe	Bacjdbch.exe
File opened for modification	C:\Windows\SysWOW64\Chnlgjlb.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Kldjcoje.dll	Edgbii32.exe
File created	C:\Windows\SysWOW64\Ieidhh32.exe	Ipjoja32.exe
File created	C:\Windows\SysWOW64\Opnbae32.exe	Ocgbld32.exe
File created	C:\Windows\SysWOW64\Kjmgil32.dll	Oqoefand.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Jiiicf32.exe	Jcoaglhk.exe
File created	C:\Windows\SysWOW64\Hejeak32.dll	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Fbelcblk.exe	Fimhjl32.exe
File created	C:\Windows\SysWOW64\Ekfjcc32.dll	Iikmbh32.exe
File opened for modification	C:\Windows\SysWOW64\Lcimdh32.exe	Llodgnja.exe
File created	C:\Windows\SysWOW64\Eiacog32.dll	Joqafgni.exe
File created	C:\Windows\SysWOW64\Idkobdie.dll	Khgbqkhj.exe
File created	C:\Windows\SysWOW64\Ifomll32.exe	Iikmbh32.exe
File created	C:\Windows\SysWOW64\Jcoiaikp.dll	Ieccbbkn.exe
File created	C:\Windows\SysWOW64\Lhgkgijg.exe	Loofnccf.exe
File created	C:\Windows\SysWOW64\Kibohd32.dll	Opnbae32.exe
File created	C:\Windows\SysWOW64\Jklliiom.dll	Iogopi32.exe
File created	C:\Windows\SysWOW64\Ojqcnhkl.exe	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Heegad32.exe	Hpioin32.exe
File created	C:\Windows\SysWOW64\Cmcgolla.dll	Gpnfge32.exe
File opened for modification	C:\Windows\SysWOW64\Hpqldc32.exe	Hoaojp32.exe
File opened for modification	C:\Windows\SysWOW64\Ifomll32.exe	Iikmbh32.exe
File created	C:\Windows\SysWOW64\Bdmlme32.dll	Mnjqmpgg.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Apaadpng.exe	Apmhiq32.exe
File opened for modification	C:\Windows\SysWOW64\Oqmhqapg.exe	Oonlfo32.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Cildom32.exe
File created	C:\Windows\SysWOW64\Ggpdhj32.dll	Gikdkj32.exe
File created	C:\Windows\SysWOW64\Pqhfnd32.dll	Hpqldc32.exe
File created	C:\Windows\SysWOW64\Didmdo32.dll	Iojbpo32.exe
File opened for modification	C:\Windows\SysWOW64\Jpenfp32.exe	Jcanll32.exe
File created	C:\Windows\SysWOW64\Pfoann32.exe	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Nofefp32.exe	Njjmni32.exe
File created	C:\Windows\SysWOW64\Kpjgaoqm.exe	Jgbchj32.exe
File opened for modification	C:\Windows\SysWOW64\Lmdnbn32.exe	Lggejg32.exe
File created	C:\Windows\SysWOW64\Okehmlqi.dll	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Bkibgh32.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Iogopi32.exe	Ipbaol32.exe
File opened for modification	C:\Windows\SysWOW64\Ncmhko32.exe	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Njgqhicg.exe	Ncmhko32.exe
File opened for modification	C:\Windows\SysWOW64\Ookoaokf.exe	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Hojncj32.dll	Emanjldl.exe
File opened for modification	C:\Windows\SysWOW64\Ofjqihnn.exe	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Eeccjdie.dll	Kfnfjehl.exe
File created	C:\Windows\SysWOW64\Oabhfg32.exe	Ojhpimhp.exe
File opened for modification	C:\Windows\SysWOW64\Dinael32.exe	Cdaile32.exe
File opened for modification	C:\Windows\SysWOW64\Hffken32.exe	Hefnkkkj.exe
File created	C:\Windows\SysWOW64\Qbonoghb.exe	Pblajhje.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7544	7404	WerFault.exe	282

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmafal32.dll"	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmdfonj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbjgbff.dll"	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjbdk32.dll"	Dqpfmlce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgldbkn.dll"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjkejin.dll"	Jppnpjel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hefnkkkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmgil32.dll"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmdcfidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiplni32.dll"	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbegml32.dll"	Hoaojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanpie32.dll"	Qjhbfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieidhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmdfonj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmocfo32.dll"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baepolni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emanjldl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcanll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfoijn.dll"	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiikeffm.dll"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbfoaba.dll"	Glfmgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgfhfd32.dll"	Khiofk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pblajhje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fiaael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loighj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehndnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdnbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgkbmbm.dll"	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljhbbae.dll"	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqpfmlce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gillppii.dll"	Hecjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgilf32.dll"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jphkkpbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfnfjehl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2760	1444	c027815f8c076f4f269c0e013ad99501.exe	95
PID 1444 wrote to memory of 2760	1444	c027815f8c076f4f269c0e013ad99501.exe	95
PID 1444 wrote to memory of 2760	1444	c027815f8c076f4f269c0e013ad99501.exe	95
PID 2760 wrote to memory of 1860	2760	Eiahnnph.exe	96
PID 2760 wrote to memory of 1860	2760	Eiahnnph.exe	96
PID 2760 wrote to memory of 1860	2760	Eiahnnph.exe	96
PID 1860 wrote to memory of 5072	1860	Ekaapi32.exe	97
PID 1860 wrote to memory of 5072	1860	Ekaapi32.exe	97
PID 1860 wrote to memory of 5072	1860	Ekaapi32.exe	97
PID 5072 wrote to memory of 4040	5072	Emanjldl.exe	98
PID 5072 wrote to memory of 4040	5072	Emanjldl.exe	98
PID 5072 wrote to memory of 4040	5072	Emanjldl.exe	98
PID 4040 wrote to memory of 228	4040	Felbnn32.exe	99
PID 4040 wrote to memory of 228	4040	Felbnn32.exe	99
PID 4040 wrote to memory of 228	4040	Felbnn32.exe	99
PID 228 wrote to memory of 3144	228	Fflohaij.exe	100
PID 228 wrote to memory of 3144	228	Fflohaij.exe	100
PID 228 wrote to memory of 3144	228	Fflohaij.exe	100
PID 3144 wrote to memory of 3992	3144	Fimhjl32.exe	101
PID 3144 wrote to memory of 3992	3144	Fimhjl32.exe	101
PID 3144 wrote to memory of 3992	3144	Fimhjl32.exe	101
PID 3992 wrote to memory of 1388	3992	Fbelcblk.exe	102
PID 3992 wrote to memory of 1388	3992	Fbelcblk.exe	102
PID 3992 wrote to memory of 1388	3992	Fbelcblk.exe	102
PID 1388 wrote to memory of 1864	1388	Flmqlg32.exe	103
PID 1388 wrote to memory of 1864	1388	Flmqlg32.exe	103
PID 1388 wrote to memory of 1864	1388	Flmqlg32.exe	103
PID 1864 wrote to memory of 1540	1864	Fiaael32.exe	105
PID 1864 wrote to memory of 1540	1864	Fiaael32.exe	105
PID 1864 wrote to memory of 1540	1864	Fiaael32.exe	105
PID 1540 wrote to memory of 3704	1540	Gehbjm32.exe	106
PID 1540 wrote to memory of 3704	1540	Gehbjm32.exe	106
PID 1540 wrote to memory of 3704	1540	Gehbjm32.exe	106
PID 3704 wrote to memory of 4080	3704	Gpnfge32.exe	107
PID 3704 wrote to memory of 4080	3704	Gpnfge32.exe	107
PID 3704 wrote to memory of 4080	3704	Gpnfge32.exe	107
PID 4080 wrote to memory of 4392	4080	Gldglf32.exe	108
PID 4080 wrote to memory of 4392	4080	Gldglf32.exe	108
PID 4080 wrote to memory of 4392	4080	Gldglf32.exe	108
PID 4392 wrote to memory of 892	4392	Gmdcfidg.exe	109
PID 4392 wrote to memory of 892	4392	Gmdcfidg.exe	109
PID 4392 wrote to memory of 892	4392	Gmdcfidg.exe	109
PID 892 wrote to memory of 2648	892	Gikdkj32.exe	110
PID 892 wrote to memory of 2648	892	Gikdkj32.exe	110
PID 892 wrote to memory of 2648	892	Gikdkj32.exe	110
PID 2648 wrote to memory of 4660	2648	Geaepk32.exe	111
PID 2648 wrote to memory of 4660	2648	Geaepk32.exe	111
PID 2648 wrote to memory of 4660	2648	Geaepk32.exe	111
PID 4660 wrote to memory of 2244	4660	Hmkigh32.exe	112
PID 4660 wrote to memory of 2244	4660	Hmkigh32.exe	112
PID 4660 wrote to memory of 2244	4660	Hmkigh32.exe	112
PID 2244 wrote to memory of 220	2244	Hefnkkkj.exe	113
PID 2244 wrote to memory of 220	2244	Hefnkkkj.exe	113
PID 2244 wrote to memory of 220	2244	Hefnkkkj.exe	113
PID 220 wrote to memory of 4612	220	Hffken32.exe	114
PID 220 wrote to memory of 4612	220	Hffken32.exe	114
PID 220 wrote to memory of 4612	220	Hffken32.exe	114
PID 4612 wrote to memory of 392	4612	Hoaojp32.exe	115
PID 4612 wrote to memory of 392	4612	Hoaojp32.exe	115
PID 4612 wrote to memory of 392	4612	Hoaojp32.exe	115
PID 392 wrote to memory of 4616	392	Hpqldc32.exe	116
PID 392 wrote to memory of 4616	392	Hpqldc32.exe	116
PID 392 wrote to memory of 4616	392	Hpqldc32.exe	116
PID 4616 wrote to memory of 1496	4616	Hpchib32.exe	117

C:\Users\Admin\AppData\Local\Temp\c027815f8c076f4f269c0e013ad99501.exe
"C:\Users\Admin\AppData\Local\Temp\c027815f8c076f4f269c0e013ad99501.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\Eiahnnph.exe
  C:\Windows\system32\Eiahnnph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\Ekaapi32.exe
    C:\Windows\system32\Ekaapi32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\SysWOW64\Emanjldl.exe
      C:\Windows\system32\Emanjldl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        24⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        28⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        29⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        31⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        36⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        39⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        40⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        50⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        52⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        53⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        60⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        61⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        62⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        63⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5168
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        65⤵
        Executes dropped EXE
        
        PID:5208
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        66⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        67⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        68⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        69⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        73⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        74⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        75⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        76⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        78⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        80⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        83⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        84⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        85⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        87⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        91⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        92⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        93⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        94⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        98⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        99⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4304
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        101⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        102⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        103⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        105⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        107⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        108⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        109⤵
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        112⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        113⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        114⤵
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        115⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        117⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        118⤵
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1476
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        121⤵
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        122⤵
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        123⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        124⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        125⤵
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        126⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        127⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        128⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        130⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        131⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        132⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6792
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        134⤵
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        135⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        136⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        137⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7052
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        140⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        141⤵
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        144⤵
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6552
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        149⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        152⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        153⤵
        Drops file in System32 directory
        
        PID:7068
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        154⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        157⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        158⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        160⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        161⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        164⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6572
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6760
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        167⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        169⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        170⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        171⤵
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        173⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        175⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7184
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        178⤵
        Drops file in System32 directory
        
        PID:7224
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        179⤵
        Drops file in System32 directory
        
        PID:7264
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7304
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        181⤵
        Modifies registry class
        
        PID:7344
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        182⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 400
        183⤵
        Program crash
        
        PID:7544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 7404 -ip 7404
1⤵
PID:7504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:8000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apaadpng.exe

Filesize
64KB

MD5
220e82cbf0d349285bc1e7767f31b388

SHA1
139d99be490d2b21f2539ac8bbfb790a29392e62

SHA256
a9b984374bd730d1bfd6ef17626f3be7bffddb4619f52949ff5d24f79f5537a2

SHA512
544b652f67ce1adb0b0dbd873ed2e51582374b4afe6b398daa6d1a8b6e1456525bcc0d4e060eedf69389ac3d0cb294c3330b190522237fd7bd419f693839f01b

Download Submit
C:\Windows\SysWOW64\Baepolni.exe

Filesize
64KB

MD5
4eeb55a29b57a347aaf07ec15b7f4939

SHA1
95ccf747b4cf1c9f8142c980b4c1113116ca0db3

SHA256
eaa792169344ed2602494293901a105985d01b1241baad248c664f7aa345463f

SHA512
7121205c64cf947546d23e8d00f83e735064530a38af8b32ae0e44676e99b6d48b2f61e376fd247e60cb0f30718ba9a7e7d97dfd6082d878e34c81ea75559486

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
64KB

MD5
b3efca2af8d34b341f88be0e24fcf16b

SHA1
c87f6f344a0a22d14ac7160958101fd33cf9b868

SHA256
7ffb637b407acb5bdb330244f23fb3dcfc777dae1cf8f47167a13f54c712fe25

SHA512
eee4707cbcb73b334765d00742c9db20d04199f865bfafc7582820cad9e024cec675d2f01b14fc67517f27dad93480474d770510f8b4e51a4a20507b8fcb05e9

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
64KB

MD5
9ab8dbd19e137336bd63c9b51300c106

SHA1
197dea8190a3c9e06f30f5e6589fb6409ebe12fd

SHA256
eda7576157e0e98f2372871620f9b8489bd91a98e4266c22b720efaa332d93ee

SHA512
36fda1ec7fb82c4ca22aa2c21107ff7837311f65e2de25a25344f9928b60c4e57b91e42d64f8ec7c6e7ff2812e7325f438d1c6ebe5676d9790737d018ec8c06c

Download Submit
C:\Windows\SysWOW64\Cpacqg32.exe

Filesize
64KB

MD5
f0c062992c07c88b411c11348ec4c442

SHA1
4d6bc32950e48498c3a3d60eb1becfe67942c552

SHA256
95d5ba708b95c99235d34993a7f5aeb950ad221187039a098f57638c7776c021

SHA512
2772e4717e59162f3aad3c54fbfe83052274dc38ca876dc51aa30756f2b8b760467d20b54792c28330fe898f1cc5908d507f957daef05846817e4f5b6c488b28

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
64KB

MD5
b9ff25cbe409a7b4c7e63bd4e1134702

SHA1
2a4da62ddba1748c8ccd4972d0c468078f2a73d5

SHA256
160b02df01e2c9cbb190afea78d9754ecff7ea657f02f20357812fcbca46a49a

SHA512
63a3f1e1ffc5dc44419ffdc745210a9cf1743f8b04622daa344c0a08f1adcd8fc33679ce80aacd450cb1b1764eb1605723cda2c848ddb5e25f95cd88f6a6c565

Download Submit
C:\Windows\SysWOW64\Ekaapi32.exe

Filesize
64KB

MD5
6956433475f4bc441657fee7eb9d5b77

SHA1
e9c8bca2381a0c51f6c117ae4ad89f41811bf96d

SHA256
dacb64589a73b7918deca371d406158f0c89066728a554a7e698b924ad3db612

SHA512
c3f8e07f087bf6214f9fff12928052b24f290b712df78ff2c3d6775428b3133598060fe3a14c3e57ab07a6d70ddd49ec4d33bd84c09634e40e26350127b68ff2

Download Submit
C:\Windows\SysWOW64\Emanjldl.exe

Filesize
64KB

MD5
39fc90286a3d4b22072121b8b2f9aab6

SHA1
467679ff75004ca481da6471abfcae75658b6f3d

SHA256
57217a4b8cb91fd8c7527f5a2f59432840eb1d85a8551217e5a67721741a16e6

SHA512
cca8b4c07a74eecfe289fddd9f61676a68f991fa38da1d5dc3613a88e3858264478530acbb97d2ab558bd791d58f1bbc3b0c69608dd529390065c067db8d43f3

Download Submit
C:\Windows\SysWOW64\Fbelcblk.exe

Filesize
64KB

MD5
5e9d84ad29f19b8bc46f97ba36252993

SHA1
c4eacc8b38c9f50b774d08160a0ed248ea75e323

SHA256
c499c1d9e7f25d92020b535de20071e470e67643ccbec630d1adf9bf4837e887

SHA512
97bd30e7daf1600f8cc7b6c1064678af2e81672c7f6a21ffbe96abf86f617137b1e20260f5de68cfd5ce52309917a6359867d6b53e456fb258cf90de9fae9635

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
64KB

MD5
b85e3809d52dab6a31abce7f3f3c671b

SHA1
873a8b7a3a838aa2a585e86e664781c0d38a6c4a

SHA256
32cc30712abc79916b2a67e24e6bb0deb760a9a48f8e94c86864820b84bb7e77

SHA512
8e35582886011e231e0829e164a33476bfb026b31eec5c60223b3d627c5a662d32a456d0c095cd83d23c05753cd8c51d154e12104da59d3bcf84b165aef27e94

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe

Filesize
64KB

MD5
b8de5ed39c083c57fafa61bf4615fa81

SHA1
1d627ab754189dbc3cd372c80a44f73a79f4f876

SHA256
10a81f3a6c04669466779f213cb8d56d51bf6ce7e9a82b41448bd257c3fd4f9e

SHA512
1f13760cd18ab69c69c769eb52318009b348b068138c60dab1579eba3bd86fea6f425fdfa01af0e5dfa892aa48b8a036090f9db1f9e931fde5ce2f40bcb53c34

Download Submit
C:\Windows\SysWOW64\Fiaael32.exe

Filesize
2KB

MD5
e3a60c148c28558120a5c3110ba1a974

SHA1
86de3b46ff369df1286539050f4e8c7050ddb28e

SHA256
66ceb75164e453bd7e654fc9474b35de0250f0575fdf8c2f7f987f652c749cea

SHA512
db2720a50cd6898815c5c93b8a3e5c0263a73285d1abcb56030ae0bdf20ebf04c03fc74421ee6fdfe4daf8068bef931979265c7067680783dba5cdba6a9f2f3c

Download Submit
C:\Windows\SysWOW64\Fiaael32.exe

Filesize
64KB

MD5
7cc61b8ae59b1709515450d89721d2ce

SHA1
ef513bdc992dac5765c68953df74a0269189e0e4

SHA256
f104b4e386160d3ec0a22e47a5cd06adf0f49e1360cdcb514f1dad49cdf71adb

SHA512
9936bfea2e80225927d4cf86ef4117517bbbc97fa27b6362ff0855df8578094ee3b52214f74b2ddee9695fec70143d563acff5fa312cf5efb62031af08d99d85

Download Submit
C:\Windows\SysWOW64\Fimhjl32.exe

Filesize
64KB

MD5
67a17c36e945b63b1b79ebc6c373806d

SHA1
97e9d46da5a20ddbb473a4ab35874e014f1738a7

SHA256
0c5cc53cffaf9e3d9ee711b3f6f46698448a2c5ae87425a5f2efa49170bea039

SHA512
86d51a9cc663e625b36114563aeeec8cd04e5478f8e241a2ca1d459dc96991f4e737888ab475b6f8bc9e4f63cd01c9c2851cdf5e3dd7eb35a416b02a18794201

Download Submit
C:\Windows\SysWOW64\Flmqlg32.exe

Filesize
64KB

MD5
021828c42b7541ce03b2e1942a220c51

SHA1
1ee908346fa3908d9b78568653108299f335a8de

SHA256
650db4a6e727adb206f964f1b84f851cca4cd10bd31e987e582b0d1597da29f0

SHA512
0acc73ed0558f1361fb336441c6883106c7d9de83cba65ae836a7ebba5bb4c4ff6112f8dd03e5597705588228006b4d7a8b10e106a53d2d4dd12214530e8447f

Download Submit
C:\Windows\SysWOW64\Geaepk32.exe

Filesize
64KB

MD5
9dc8d69c27294ea1601bf2b3668c2d3b

SHA1
c8dd795007e18e13749b09d76bf9f98254936f98

SHA256
08b6514988de76ed249ad7edaa91a5dc8b9fa4baf8e5d6e572b267c4adec08d6

SHA512
61d5336de6f86698a10b7b7e240fa3c2e89be10649f20effadfc9264909e1d4f3c45477a18bf171b6e8ad94a17a814d7a4e47d73cb04810f6679a495246384e4

Download Submit
C:\Windows\SysWOW64\Gehbjm32.exe

Filesize
64KB

MD5
936da87d9f8aa10f4ebed7b1a45d631f

SHA1
8f945477ec1076ddc9137bf8b2d1201b480ea229

SHA256
f4b7b4423a05ed077dd9ce931a48eb8b16cd66772a5a713dc16b77820732abf3

SHA512
4e2bb5c2150b93cf64d4398ab64556a2be273ae9ebaecd969e91dd1832fa87b7ffb1e96fa538c66939e7918521885f06bc5aa52bb8ac755551ae7ad1a0c4ff0b

Download Submit
C:\Windows\SysWOW64\Gikdkj32.exe

Filesize
64KB

MD5
a44bcd63835e62a58c7bdf7fae528e2a

SHA1
b8c279e27e29cd25a57d136fb8af63e4d30bffb6

SHA256
2581bd8ee889d11b330ad8de2d53db815ad93dfb0f549f0268300d568687720b

SHA512
0e526dd4b112ae8acecf11a0d83b1c38219497d9d2c17c365b01d18ad2c6e05af4b3f4c2c81a121ffd3d980ed7403f293a92fc942e265cacebd34f39ec77ce11

Download Submit
C:\Windows\SysWOW64\Gldglf32.exe

Filesize
64KB

MD5
3df3a9d362049d2b903f7adc43d16389

SHA1
c2d2b77bcb9a570638af373a1c9935a0634606ec

SHA256
cfdd0422c6cd4dcb381848ebf59edf11a6f67f7e61b4a26616c8871529535bb1

SHA512
ca8f679d7b1e98ea923171f8508c17008a7bcb6c648fc9432a3c9a0327a6837fcfccf2079a087fbb2a2a40091e7482a7dd310b723641b24bb02df2f96bea2fa1

Download Submit
C:\Windows\SysWOW64\Gmdcfidg.exe

Filesize
64KB

MD5
ea060c69e8e88dfaf1c2215dbd007c3c

SHA1
97a466c7f995249f5c3c070db8e7ee9a50bea195

SHA256
522af5bebedc598ffc2def0e8077798779084777bce53efdaa850fb2adbc0ec5

SHA512
24d68a622edebdc9efa8e3a71ebe745b5e4e945fdc8ee3ce6a5b58c00ea7c550ba68db3d4f0cf4a446713eca3449784448cd62854eedd56e9fe065f72b39acbc

Download Submit
C:\Windows\SysWOW64\Gpnfge32.exe

Filesize
64KB

MD5
f4ec45edb5551ae728797bb48ae496af

SHA1
71ec49cdee963a604c5165209c68d1125218339f

SHA256
529d1186f76131d61839aea748aa178c192cc27af3e08d3c021ca85f18c7db15

SHA512
bd33312f776783851972c743df67ecf8ba7cc2f9c67e51b4aa1a18487df1e19af165590b3ae10f78ab683c9cea9c70a6cecbbe9f4890d4ad18910acb9856fa3e

Download Submit
C:\Windows\SysWOW64\Hefnkkkj.exe

Filesize
64KB

MD5
1ed84888c2a416242d03abfbac1b412c

SHA1
72246da5c29990b95b8320988ca48f01e4d9ae41

SHA256
3b2b7ad06d7c77fdd71e95c94188b44b926edfa9b5a2d102aa25ba02c7d88298

SHA512
0ec31b72c6c6e624a01aa796ecd6625aed2ab9f5e0ae2f2bb66181ab706f2bd5558997948eb0c67dad84e2b2e386274560df3679c4c4a3ab57a7071d9d64a90e

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
64KB

MD5
34610268dee3c8aaffd42f99b41fa6b6

SHA1
1e10da20bdc5f822d3f870540b6fd96568f0a8f5

SHA256
53118ce0ad0f97e6db4c73ffa1f857b696c3672970e93c61aa99097d5aa8500f

SHA512
85b32b350fb6bb336b09ed31b41b03b47bf442ea179c2e8c8773aef43b3c8d5c377444b8b75d0a65b7e107955117535fea614ed5349d4de6182337f54147151a

Download Submit
C:\Windows\SysWOW64\Hmkigh32.exe

Filesize
64KB

MD5
34d98c9a41d1803a06f0c14ac7c1f185

SHA1
0d4eb2441ffb447421211dd98acbbb060ce93a83

SHA256
1df96f0f22745ccf4ad28ad10f377d27f0c1058daca48cd8272f283fac24684e

SHA512
265369bca3282b7e30547b4811c0a816c0f5ddfb37f5a8dbe4b90c4720b1af66db2e4f28ef1b7c195d8a83caa485a95196d96f76920e07ad57480800c3312b24

Download Submit
C:\Windows\SysWOW64\Hoaojp32.exe

Filesize
64KB

MD5
118ad751f1afb5008f4e664b4059ecfb

SHA1
31edf885e0dbf668064cad527434fd927ec66fe0

SHA256
a5cf1dfe5bd7febaefa5e96b5bac3bf568359017bd76a6190ed6e0d037c76667

SHA512
b40a0149e5531a0f3a225916acce1c450b8edb1326c925c75af9fd0861f3cbdd410fcec04fb48aabd1f682dcbc118261146f5606e811d8339c5555bcfdb7955c

Download Submit
C:\Windows\SysWOW64\Hpchib32.exe

Filesize
64KB

MD5
ba12d4e7b5b76b6371385107b305e9ae

SHA1
c6f8a2ae3af558924f3b351d780033e0266a5b05

SHA256
12b00625ce0c86b70dd3ff076308a88185e6ba934f320602c396cf838710a72d

SHA512
7518ee73686109d4e14e6719ded9a500b007a0625c10dd457c06ef7538b5cb2e2764337b3b7bd9af62f79905693f35c8eabc4ea358292af382bd4bc2e1512186

Download Submit
C:\Windows\SysWOW64\Hpqldc32.exe

Filesize
64KB

MD5
58bd016be66fd71fbb89269bd6d9bf16

SHA1
527b69412b74aa79a12a6e46084a91933943217d

SHA256
e44c372bf9f89f398e27aa4c36d01ba46b4db54f91875516e8ac1e4a1fe28401

SHA512
5ebd5b381874766f05368041e169f7d9909f4335cd8f6880979069f0d94ed1cda9c2d5bd4cc1585896c48fd2a586978b745ce3a88e08ccad8082dde067589915

Download Submit
C:\Windows\SysWOW64\Ieidhh32.exe

Filesize
64KB

MD5
60050cfc0d93cc905916d125e948821a

SHA1
6c2a9759d4f9b6358f6321a1e2786bc6d82e0103

SHA256
8c99105711aff9fc0adf10cd73e734f3565a9cd13241e29ec38616e63453b939

SHA512
bce06e28bf118d60135b543a74f718ec9ae1fabc285f8f53670d68e0ee12daefc8e00086014cb6f163f93167d1627710025527588552d4ae05142b01b47780e6

Download Submit
C:\Windows\SysWOW64\Ifomll32.exe

Filesize
64KB

MD5
0a34488c72959120d3e1465de81bdd92

SHA1
c754e8bea6a6eb5e88f216f07e73e1a0d07959d3

SHA256
70efbd1a5312a7cbeb7e90246e692edb0c6c0b301c6ee62ad75d4fc15d29e862

SHA512
19fa1104d97634b84d3da35e2cb4e68d5bb404779bfe2ddb868d20b8def748d6de4073cddf2a357d5c95edb0b1bd3a653ae074ea6814c9e4a7f11c8276cfcfe5

Download Submit
C:\Windows\SysWOW64\Iikmbh32.exe

Filesize
64KB

MD5
f397d02ddcfd4a154e084a7ff9309f94

SHA1
7593d444be4ffd29b5fe31097f2ce837953103ff

SHA256
07d6e3b2a4488b15c0fe18c7b82e2c05fb89dd794e2e50bb03febe067291e76c

SHA512
423df0187b5193d8a75a4353dd54fe4779407da7ce67e5436e7a7a6a90984a69050b5be3e2cebfe019baa2ee14f7919771f78d1fb748c64cb5f6823be3bc4137

Download Submit
C:\Windows\SysWOW64\Iojbpo32.exe

Filesize
64KB

MD5
22227c43bba18ed4d72b1a8cc2724991

SHA1
3a222c4763c7e8926563741942cb8a6d041cf656

SHA256
7c9723a4cad92b8847c5a71a83cc5fb5fd9522bd83cc482ff4624c770b1806bb

SHA512
fce46f860d81106435ab6863385dd1deb900f82482a0ce84ac8d9ebee915d974fe2bbf2f0aa5fe2164b203dbea8141b2b6b5db8387aaf6a043b26d81aa2c2e16

Download Submit
C:\Windows\SysWOW64\Ipjoja32.exe

Filesize
64KB

MD5
4700201404335baacd84f69f9b6ab555

SHA1
85f7045961d926bfc2311f2e7626fca042863ba3

SHA256
e45ac95b0834dc4f50026ef83910c56eb91bf481a057226a716e09b062657cb3

SHA512
42c1b0be2efecf7a3aeae825a134789cdda9f831d5cfef7cf67a427bd74ede9ab049642679331e03a4a0bc18eaf95ea8190f79ee436274e7edab42b1e392eccf

Download Submit
C:\Windows\SysWOW64\Ipoheakj.exe

Filesize
64KB

MD5
e9f32b756305550d23db89429fc4d09b

SHA1
1dd7b0e77217f283098b71093b7fd9f885374af6

SHA256
608be74d43ecd48157b5a023d1fc2bbb9b4505f475c712f583e2d9d6744e340b

SHA512
6d54461a23939b8214cc13d910abd8e3ba2b5cb1c889ec4f1de3dcebbf0b1a8ef33d5f1b7336fa564cc95f9314ab918531d576951f72cd0355b6494dd9657ea6

Download Submit
C:\Windows\SysWOW64\Jcanll32.exe

Filesize
64KB

MD5
7006d8de3285f91c8b71ae8c5645ad8a

SHA1
69ace909c33d0e80ba11809de23ef0096a2101a0

SHA256
a0375cc3da5fc73e6c57e562aac6c323bbd89535845ce1610930760e1c6549c1

SHA512
5f21e1af22ac26882affa6d264a7313b83544529bbb688df2aca1312be94e61cc342b50d22a5e91e4481efee11ee2557fe234fb36764d10fd1cf1f77cea693c9

Download Submit
C:\Windows\SysWOW64\Jcoaglhk.exe

Filesize
57KB

MD5
0b3ba8889d7f13d41b91fedf9ae840f6

SHA1
3271c4b4f50ae15d94c5f90b7d1feecf1f8a2cfc

SHA256
df3a0a6a6fe5a01f1d65991605f920bd33356eb6c337004e5bd3dd24902020e1

SHA512
53179deeeeae9acf70654d7e49ae076a09ccc7e50e401ebb42251aeedf0f5d4019bcf114a1c44928277e7c51310cfd6a6c1776578704c9f687108aa06c3e2691

Download Submit
C:\Windows\SysWOW64\Jcoaglhk.exe

Filesize
7KB

MD5
6b8c4bae56382b86e673c7b08d8427ab

SHA1
3d41d7a580868bc830036e1f94e143bd426010d7

SHA256
6cdd091969b6f5762b1f121534a5cb7d86c338111a8d066521f06c0d366eef41

SHA512
ee3c398bb366caf044c3a4f15bfbf4ee3d5c6f43d8d07a3153a190197bc4c454f9c5218644f85afc3c3308846bdc2563f5448ac9f6dc6fb4b58366064e27ca16

Download Submit
C:\Windows\SysWOW64\Jekqmhia.exe

Filesize
64KB

MD5
2a3c721ddbf34b731b2fe3bb5deef590

SHA1
deb616d46eafeb4fbf5fa08a3444e70bf163ed5f

SHA256
4f0d743121056eb370f2d14ad80133bfe82dd42de40607d61023a845c7fbdb2c

SHA512
d2cb593fc5662fa4708c280c2377d3d70114d46f90ca265da47aee5ba941452a059784c1fe26221be80dadaa716f56dfd06a1eae87be00b4bac0e0f79b4c6190

Download Submit
C:\Windows\SysWOW64\Jiiicf32.exe

Filesize
64KB

MD5
8f03e9c6c50b0cd2a3bab0e6e016ea3d

SHA1
231385a8bda696d8390bbc0382143eed665406f3

SHA256
d31e22370cd1d2add5b6f7f3dd1354ced8ca5ce1077178c3b8572dea116b4b4f

SHA512
688012ed19ab7767b8b75099b180f70b66cd83796b78a5df86f476d7049b763448f4a0c8b3ca030dc612c7a5d6cde8446ba5a3d41957288b8836bf4ad6564dcc

Download Submit
C:\Windows\SysWOW64\Jpenfp32.exe

Filesize
64KB

MD5
f3b015432ebe1d333e2f8bde1d37e069

SHA1
b29aa8854a9b9fedb70d70855e494481088b37f0

SHA256
d13646fa2ebc51218f8ce2dd82736414d5a79829982093f1fe6dbb5356d32a3f

SHA512
c006d94b005de8ac1e3712550ad79f4c0b7b5803f124c25cc7ad062b5ac29185ca133ee1f152267225f8eeba4a52b9f7ae2266fce79c523b948b481c435b6696

Download Submit
C:\Windows\SysWOW64\Kpanan32.exe

Filesize
64KB

MD5
5f9182ad0c72b7d7c143c65bac39429b

SHA1
c4ff65e205558dd3217cf9bd860cceee1e9eca5e

SHA256
28156abc1ebe87e5e4278f5f5ba30523a863c414371384477956ab1eb36d919c

SHA512
16661c4a62dde7119f3b5353224bd76f0dbae82aaddbe34cf68cdb3d7eee3bbd1be0c5f954d68b198d3c5b876a5782aa335d0a53db0cc4ca7727c049ca6e30e1

Download Submit
C:\Windows\SysWOW64\Llodgnja.exe

Filesize
64KB

MD5
70f87e9c8c47845f2a3cb49f09b6fa7a

SHA1
89f4e35f042b38e7626fc41c8454dd34b3d96c5a

SHA256
004813b91c71e53753df32dc6e636f5d0b4bdd20e83b168af884a6d0380fefdb

SHA512
7abcd099b78806cb2224c13aac630606e3168055895231f7517fbc1a337ab963f5202015f081b5cc8bba98170d1a6f540d425882cecd48d098323d5053d82172

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
64KB

MD5
3300570f4a38b09b03a446510582e229

SHA1
add9aa1f7730f57c04f3ab304a57a33de05b9710

SHA256
ae01159946f1db538d0487256f7276afb5263e474209641669e6c6a4e55b7b74

SHA512
6358f15cfa6c3c0e85c0d37b26b8a7bca8d38bf2dd3fb099c70caa073539bda98aaf863e5b06d27672edaf29cbe0a1435a93ed30de0ac91f9f3d009803a5ca3e

Download Submit
C:\Windows\SysWOW64\Pidlqb32.exe

Filesize
64KB

MD5
e670a7cdfdab75040346853a8bb25fff

SHA1
1b6f50036190d2d9b22691c9abe3244b4c221794

SHA256
ea52e2bdefbee6724d7c898267c9696e340c894d8e7107677b44a9af7bc9b41a

SHA512
a339a30c5f5589583d7b3c801836db44e115511d5120d86d8e608e76130936c14bc0d1f973a4ef16f63939137151458c608db1386754a85370cb21df4e03d522

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
64KB

MD5
893cff2c4847d97ed3b53da8614d2b53

SHA1
7e48eeae37020a32345d36ad9670b2cc2b0295ca

SHA256
24257cf6378017ea857cb10f703e3534b95994d62d36f4074e9cbf992712c293

SHA512
bfaf5e9f89a4026a71d272fffccceccf36a770fa2561c2220f0a8e71f3dcadb4759ea80547334d2714798e37a8f3a7156feb55ba46e2dcf5b816bbc463efe1c7

Download Submit
memory/220-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/728-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-804-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads