65cf411bcb12ee8f7db571d265feb036d2414a7a3de72fa13046209396f36a0e

Analysis

max time kernel
177s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65cf411bcb12ee8f7db571d265feb036d2414a7a3de72fa13046209396f36a0e.exe
Size

99KB
MD5

300c514bfcc6ef1dc30265b1184bfe4c
SHA1

a72f5d8367930c5be84976a5af5caa592803a455
SHA256

65cf411bcb12ee8f7db571d265feb036d2414a7a3de72fa13046209396f36a0e
SHA512

0b29a37b62e7937e902363114cee821f0b0f08027d5a9e33782baa6810a899662d4e084fd8f83ade1844224c18d27f50bf0b3c1cfbc5c3bb32630430f158b334
SSDEEP

3072:BnMZqJYG0kXA0C5seyRpwoTRBmDRGGurhUI:BnMcJYG0E8nm7UI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opmaaodc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giaaoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmjqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oacmchcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnipbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfqogfjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iamoon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iemdkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfeibf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agpoqoaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gadqepkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecoiapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opmaaodc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apjdikqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecoiapdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijkdmhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idkkki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idmhqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enajobbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kjcccm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejhkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odcfdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdgmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifaim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Debfpd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dokqfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gflhoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibbklke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Emgnje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhdaao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	65cf411bcb12ee8f7db571d265feb036d2414a7a3de72fa13046209396f36a0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fijkdmhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjjpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiodpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Homcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cckmklac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihkpgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djjobedk.exe

Executes dropped EXE 64 IoCs

pid	Process
1552	Eifaim32.exe
3328	Fijkdmhn.exe
1624	Fpdcag32.exe
2756	Fimhjl32.exe
524	Fnipbc32.exe
3300	Fiodpl32.exe
2908	Fbgihaji.exe
2128	Fmmmfj32.exe
4000	Fbjena32.exe
4640	Gnqfcbnj.exe
4648	Gflhoo32.exe
4992	Aphnnafb.exe
4056	Amlogfel.exe
2192	Akpoaj32.exe
3320	Aonhghjl.exe
3756	Agimkk32.exe
1356	Bgnffj32.exe
3040	Bpfkpp32.exe
4940	Bgpcliao.exe
3324	Bhpofl32.exe
3796	Boihcf32.exe
1752	Cpbjkn32.exe
4756	Ckgohf32.exe
4632	Caageq32.exe
1664	Coegoe32.exe
2864	Cklhcfle.exe
4656	Dpiplm32.exe
2904	Dojqjdbl.exe
2688	Mfenglqf.exe
2660	Mhckcgpj.exe
4736	Nhegig32.exe
1864	Nhhdnf32.exe
1528	Nfldgk32.exe
1936	Nqcejcha.exe
4692	Niojoeel.exe
3768	Obgohklm.exe
4476	Ookoaokf.exe
5056	Ofegni32.exe
1040	Omopjcjp.exe
980	Ocihgnam.exe
3360	Ojcpdg32.exe
4472	Obnehj32.exe
4088	Oihmedma.exe
4904	Ocnabm32.exe
3188	Ojhiogdd.exe
1332	Omfekbdh.exe
2888	Pcpnhl32.exe
4008	Pbcncibp.exe
2900	Pmhbqbae.exe
3720	Pcbkml32.exe
3376	Pjlcjf32.exe
4724	Pmkofa32.exe
864	Pbhgoh32.exe
3624	Piapkbeg.exe
1880	Paihlpfi.exe
2840	Qfjjpf32.exe
2996	Qiiflaoo.exe
3604	Qbajeg32.exe
4920	Qjhbfd32.exe
2560	Apeknk32.exe
3800	Afockelf.exe
4588	Amikgpcc.exe
4140	Abfdpfaj.exe
332	Ajmladbl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eoeoqoni.dll	Gclimi32.exe
File created	C:\Windows\SysWOW64\Kjponk32.exe	Giaaoa32.exe
File created	C:\Windows\SysWOW64\Pjlcjf32.exe	Pcbkml32.exe
File created	C:\Windows\SysWOW64\Glfcmf32.dll	Idbalhho.exe
File created	C:\Windows\SysWOW64\Cijdpjle.dll	Kjcccm32.exe
File opened for modification	C:\Windows\SysWOW64\Qjhbfd32.exe	Qbajeg32.exe
File created	C:\Windows\SysWOW64\Cnokhonp.exe	Jjjpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Fnipbc32.exe	Fimhjl32.exe
File opened for modification	C:\Windows\SysWOW64\Omopjcjp.exe	Ofegni32.exe
File opened for modification	C:\Windows\SysWOW64\Jjjpgb32.exe	Elienf32.exe
File created	C:\Windows\SysWOW64\Ecpfpo32.dll	Bpfkpp32.exe
File opened for modification	C:\Windows\SysWOW64\Eciilj32.exe	Emoaopnf.exe
File created	C:\Windows\SysWOW64\Dilnnbjn.dll	Opmaaodc.exe
File created	C:\Windows\SysWOW64\Aqjpajgi.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Cpfoehnm.dll	Ikbfbdgf.exe
File created	C:\Windows\SysWOW64\Ffbmfk32.dll	Djjobedk.exe
File created	C:\Windows\SysWOW64\Cgdlfk32.exe	Cpjdiadb.exe
File opened for modification	C:\Windows\SysWOW64\Dojqjdbl.exe	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Qbajeg32.exe	Qiiflaoo.exe
File opened for modification	C:\Windows\SysWOW64\Pcpnhl32.exe	Omfekbdh.exe
File opened for modification	C:\Windows\SysWOW64\Mnhdae32.exe	Kjponk32.exe
File opened for modification	C:\Windows\SysWOW64\Deqqek32.exe	Odcfdc32.exe
File created	C:\Windows\SysWOW64\Jkgmmjgh.dll	Iemdkl32.exe
File opened for modification	C:\Windows\SysWOW64\Biiobo32.exe	Abmjqe32.exe
File created	C:\Windows\SysWOW64\Iogangnn.dll	Dfqogfjo.exe
File created	C:\Windows\SysWOW64\Lgkhec32.exe	Godehbed.exe
File created	C:\Windows\SysWOW64\Gcgplk32.dll	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Bhpofl32.exe	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Pcbkml32.exe	Pmhbqbae.exe
File opened for modification	C:\Windows\SysWOW64\Gadqepkn.exe	Acnlqe32.exe
File created	C:\Windows\SysWOW64\Eciilj32.exe	Emoaopnf.exe
File created	C:\Windows\SysWOW64\Hdgmga32.exe	Lgkhec32.exe
File created	C:\Windows\SysWOW64\Aafjpc32.dll	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Faecedlb.dll	Kceoppmo.exe
File created	C:\Windows\SysWOW64\Efgehe32.exe	Eciilj32.exe
File opened for modification	C:\Windows\SysWOW64\Cklhcfle.exe	Coegoe32.exe
File created	C:\Windows\SysWOW64\Balgcpkn.dll	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Mdcajc32.dll	Dojqjdbl.exe
File opened for modification	C:\Windows\SysWOW64\Ojcpdg32.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Kajefoog.dll	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Amoppdld.dll	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Eodolnaf.dll	Eifaim32.exe
File opened for modification	C:\Windows\SysWOW64\Gnqfcbnj.exe	Fbjena32.exe
File created	C:\Windows\SysWOW64\Lcckiibj.dll	Afcmfe32.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Cmnciegc.dll	Nibbklke.exe
File created	C:\Windows\SysWOW64\Idkkki32.exe	Iamoon32.exe
File opened for modification	C:\Windows\SysWOW64\Fijkdmhn.exe	Eifaim32.exe
File created	C:\Windows\SysWOW64\Ibingd32.dll	Fnipbc32.exe
File opened for modification	C:\Windows\SysWOW64\Piapkbeg.exe	Pbhgoh32.exe
File opened for modification	C:\Windows\SysWOW64\Odcfdc32.exe	Odaiodbp.exe
File opened for modification	C:\Windows\SysWOW64\Qfjjpf32.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Fhcbhh32.dll	Qbajeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bpedeiff.exe	Bmggingc.exe
File opened for modification	C:\Windows\SysWOW64\Gclimi32.exe	Deqqek32.exe
File created	C:\Windows\SysWOW64\Ejhanj32.exe	Ecoiapdj.exe
File opened for modification	C:\Windows\SysWOW64\Mfenglqf.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Pcpnhl32.exe	Omfekbdh.exe
File opened for modification	C:\Windows\SysWOW64\Amkhmoap.exe	Ajmladbl.exe
File created	C:\Windows\SysWOW64\Aoknen32.dll	Djnhne32.exe
File created	C:\Windows\SysWOW64\Eifaim32.exe	65cf411bcb12ee8f7db571d265feb036d2414a7a3de72fa13046209396f36a0e.exe
File created	C:\Windows\SysWOW64\Qjhbfd32.exe	Qbajeg32.exe
File created	C:\Windows\SysWOW64\Higplnpb.dll	Apjdikqd.exe
File created	C:\Windows\SysWOW64\Fdpnbald.dll	Oacmchcl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oileakbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkahmp32.dll"	Ioeicajh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faempoce.dll"	Eqmjen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkcbcna.dll"	Qfjjpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Debfpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjndaj32.dll"	Ecoiapdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfqogfjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efjbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboeco32.dll"	Fbjena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoejj32.dll"	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnqdkljp.dll"	Eobffk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hdgmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djeegf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Emgnje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Opmaaodc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	65cf411bcb12ee8f7db571d265feb036d2414a7a3de72fa13046209396f36a0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaqob32.dll"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecoiapdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Debfpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iemdkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oileakbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djjobedk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Homcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejhanj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoknen32.dll"	Djnhne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmohhoj.dll"	Ejhkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eciilj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eobffk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Delhpnop.dll"	Homcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijfpm32.dll"	Oileakbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejhanj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnjoi32.dll"	Fimhjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djnhne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmbbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbfciej.dll"	Amikgpcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfcmf32.dll"	Idbalhho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Idbalhho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejhkdc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 1552	5048	65cf411bcb12ee8f7db571d265feb036d2414a7a3de72fa13046209396f36a0e.exe	93
PID 5048 wrote to memory of 1552	5048	65cf411bcb12ee8f7db571d265feb036d2414a7a3de72fa13046209396f36a0e.exe	93
PID 5048 wrote to memory of 1552	5048	65cf411bcb12ee8f7db571d265feb036d2414a7a3de72fa13046209396f36a0e.exe	93
PID 1552 wrote to memory of 3328	1552	Eifaim32.exe	94
PID 1552 wrote to memory of 3328	1552	Eifaim32.exe	94
PID 1552 wrote to memory of 3328	1552	Eifaim32.exe	94
PID 3328 wrote to memory of 1624	3328	Fijkdmhn.exe	95
PID 3328 wrote to memory of 1624	3328	Fijkdmhn.exe	95
PID 3328 wrote to memory of 1624	3328	Fijkdmhn.exe	95
PID 1624 wrote to memory of 2756	1624	Fpdcag32.exe	96
PID 1624 wrote to memory of 2756	1624	Fpdcag32.exe	96
PID 1624 wrote to memory of 2756	1624	Fpdcag32.exe	96
PID 2756 wrote to memory of 524	2756	Fimhjl32.exe	97
PID 2756 wrote to memory of 524	2756	Fimhjl32.exe	97
PID 2756 wrote to memory of 524	2756	Fimhjl32.exe	97
PID 524 wrote to memory of 3300	524	Fnipbc32.exe	98
PID 524 wrote to memory of 3300	524	Fnipbc32.exe	98
PID 524 wrote to memory of 3300	524	Fnipbc32.exe	98
PID 3300 wrote to memory of 2908	3300	Fiodpl32.exe	99
PID 3300 wrote to memory of 2908	3300	Fiodpl32.exe	99
PID 3300 wrote to memory of 2908	3300	Fiodpl32.exe	99
PID 2908 wrote to memory of 2128	2908	Fbgihaji.exe	100
PID 2908 wrote to memory of 2128	2908	Fbgihaji.exe	100
PID 2908 wrote to memory of 2128	2908	Fbgihaji.exe	100
PID 2128 wrote to memory of 4000	2128	Fmmmfj32.exe	101
PID 2128 wrote to memory of 4000	2128	Fmmmfj32.exe	101
PID 2128 wrote to memory of 4000	2128	Fmmmfj32.exe	101
PID 4000 wrote to memory of 4640	4000	Fbjena32.exe	102
PID 4000 wrote to memory of 4640	4000	Fbjena32.exe	102
PID 4000 wrote to memory of 4640	4000	Fbjena32.exe	102
PID 4640 wrote to memory of 4648	4640	Gnqfcbnj.exe	103
PID 4640 wrote to memory of 4648	4640	Gnqfcbnj.exe	103
PID 4640 wrote to memory of 4648	4640	Gnqfcbnj.exe	103
PID 4648 wrote to memory of 4992	4648	Gflhoo32.exe	104
PID 4648 wrote to memory of 4992	4648	Gflhoo32.exe	104
PID 4648 wrote to memory of 4992	4648	Gflhoo32.exe	104
PID 4992 wrote to memory of 4056	4992	Aphnnafb.exe	105
PID 4992 wrote to memory of 4056	4992	Aphnnafb.exe	105
PID 4992 wrote to memory of 4056	4992	Aphnnafb.exe	105
PID 4056 wrote to memory of 2192	4056	Amlogfel.exe	106
PID 4056 wrote to memory of 2192	4056	Amlogfel.exe	106
PID 4056 wrote to memory of 2192	4056	Amlogfel.exe	106
PID 2192 wrote to memory of 3320	2192	Akpoaj32.exe	107
PID 2192 wrote to memory of 3320	2192	Akpoaj32.exe	107
PID 2192 wrote to memory of 3320	2192	Akpoaj32.exe	107
PID 3320 wrote to memory of 3756	3320	Aonhghjl.exe	108
PID 3320 wrote to memory of 3756	3320	Aonhghjl.exe	108
PID 3320 wrote to memory of 3756	3320	Aonhghjl.exe	108
PID 3756 wrote to memory of 1356	3756	Agimkk32.exe	109
PID 3756 wrote to memory of 1356	3756	Agimkk32.exe	109
PID 3756 wrote to memory of 1356	3756	Agimkk32.exe	109
PID 1356 wrote to memory of 3040	1356	Bgnffj32.exe	110
PID 1356 wrote to memory of 3040	1356	Bgnffj32.exe	110
PID 1356 wrote to memory of 3040	1356	Bgnffj32.exe	110
PID 3040 wrote to memory of 4940	3040	Bpfkpp32.exe	111
PID 3040 wrote to memory of 4940	3040	Bpfkpp32.exe	111
PID 3040 wrote to memory of 4940	3040	Bpfkpp32.exe	111
PID 4940 wrote to memory of 3324	4940	Bgpcliao.exe	112
PID 4940 wrote to memory of 3324	4940	Bgpcliao.exe	112
PID 4940 wrote to memory of 3324	4940	Bgpcliao.exe	112
PID 3324 wrote to memory of 3796	3324	Bhpofl32.exe	113
PID 3324 wrote to memory of 3796	3324	Bhpofl32.exe	113
PID 3324 wrote to memory of 3796	3324	Bhpofl32.exe	113
PID 3796 wrote to memory of 1752	3796	Boihcf32.exe	114

C:\Users\Admin\AppData\Local\Temp\65cf411bcb12ee8f7db571d265feb036d2414a7a3de72fa13046209396f36a0e.exe
"C:\Users\Admin\AppData\Local\Temp\65cf411bcb12ee8f7db571d265feb036d2414a7a3de72fa13046209396f36a0e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\Eifaim32.exe
  C:\Windows\system32\Eifaim32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\Fijkdmhn.exe
    C:\Windows\system32\Fijkdmhn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3328
  - - C:\Windows\SysWOW64\Fpdcag32.exe
      C:\Windows\system32\Fpdcag32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        24⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        25⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        30⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        34⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        37⤵
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        38⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        42⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        44⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        49⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        53⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        60⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        61⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        62⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        64⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:332
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        66⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        68⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        70⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        71⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        72⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        74⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        75⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        76⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        77⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        78⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        79⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        82⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Kceoppmo.exe
        
        C:\Windows\system32\Kceoppmo.exe
        84⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Homcbo32.exe
        
        C:\Windows\system32\Homcbo32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Jqklnp32.exe
        
        C:\Windows\system32\Jqklnp32.exe
        86⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Nhafcd32.exe
        
        C:\Windows\system32\Nhafcd32.exe
        87⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\Nibbklke.exe
        
        C:\Windows\system32\Nibbklke.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Oileakbj.exe
        
        C:\Windows\system32\Oileakbj.exe
        89⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Oacmchcl.exe
        
        C:\Windows\system32\Oacmchcl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Odaiodbp.exe
        
        C:\Windows\system32\Odaiodbp.exe
        91⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Odcfdc32.exe
        
        C:\Windows\system32\Odcfdc32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Deqqek32.exe
        
        C:\Windows\system32\Deqqek32.exe
        93⤵
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\Gclimi32.exe
        
        C:\Windows\system32\Gclimi32.exe
        94⤵
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Kjcccm32.exe
        
        C:\Windows\system32\Kjcccm32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Debfpd32.exe
        
        C:\Windows\system32\Debfpd32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ecoiapdj.exe
        
        C:\Windows\system32\Ecoiapdj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Ejhanj32.exe
        
        C:\Windows\system32\Ejhanj32.exe
        98⤵
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Emgnje32.exe
        
        C:\Windows\system32\Emgnje32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Ikbfbdgf.exe
        
        C:\Windows\system32\Ikbfbdgf.exe
        100⤵
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\Iamoon32.exe
        
        C:\Windows\system32\Iamoon32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Idkkki32.exe
        
        C:\Windows\system32\Idkkki32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3128
        
        C:\Windows\SysWOW64\Ikechced.exe
        
        C:\Windows\system32\Ikechced.exe
        103⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\Iaokdn32.exe
        
        C:\Windows\system32\Iaokdn32.exe
        104⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Idmhqi32.exe
        
        C:\Windows\system32\Idmhqi32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3960
        
        C:\Windows\SysWOW64\Ikgpmc32.exe
        
        C:\Windows\system32\Ikgpmc32.exe
        106⤵
        
        PID:464
        
        C:\Windows\SysWOW64\Iemdkl32.exe
        
        C:\Windows\system32\Iemdkl32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Ihkpgg32.exe
        
        C:\Windows\system32\Ihkpgg32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Ioeicajh.exe
        
        C:\Windows\system32\Ioeicajh.exe
        109⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Idbalhho.exe
        
        C:\Windows\system32\Idbalhho.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Jliimf32.exe
        
        C:\Windows\system32\Jliimf32.exe
        111⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Cpjdiadb.exe
        
        C:\Windows\system32\Cpjdiadb.exe
        112⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Cgdlfk32.exe
        
        C:\Windows\system32\Cgdlfk32.exe
        113⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Cnndbecl.exe
        
        C:\Windows\system32\Cnndbecl.exe
        114⤵
        
        PID:692
        
        C:\Windows\SysWOW64\Cckmklac.exe
        
        C:\Windows\system32\Cckmklac.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4420
        
        C:\Windows\SysWOW64\Djeegf32.exe
        
        C:\Windows\system32\Djeegf32.exe
        116⤵
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Djjobedk.exe
        
        C:\Windows\system32\Djjobedk.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Dmhkoaco.exe
        
        C:\Windows\system32\Dmhkoaco.exe
        118⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Dfqogfjo.exe
        
        C:\Windows\system32\Dfqogfjo.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Dmjgdq32.exe
        
        C:\Windows\system32\Dmjgdq32.exe
        120⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Dgplai32.exe
        
        C:\Windows\system32\Dgplai32.exe
        121⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\Djnhne32.exe
        
        C:\Windows\system32\Djnhne32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Dokqfl32.exe
        
        C:\Windows\system32\Dokqfl32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3244
        
        C:\Windows\SysWOW64\Dfeibf32.exe
        
        C:\Windows\system32\Dfeibf32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Emoaopnf.exe
        
        C:\Windows\system32\Emoaopnf.exe
        125⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Eciilj32.exe
        
        C:\Windows\system32\Eciilj32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Efgehe32.exe
        
        C:\Windows\system32\Efgehe32.exe
        127⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Eqmjen32.exe
        
        C:\Windows\system32\Eqmjen32.exe
        128⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Efjbne32.exe
        
        C:\Windows\system32\Efjbne32.exe
        129⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Enajobbf.exe
        
        C:\Windows\system32\Enajobbf.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Eqpfknbj.exe
        
        C:\Windows\system32\Eqpfknbj.exe
        131⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Eobffk32.exe
        
        C:\Windows\system32\Eobffk32.exe
        132⤵
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Ejhkdc32.exe
        
        C:\Windows\system32\Ejhkdc32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Godehbed.exe
        
        C:\Windows\system32\Godehbed.exe
        134⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Lgkhec32.exe
        
        C:\Windows\system32\Lgkhec32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Hdgmga32.exe
        
        C:\Windows\system32\Hdgmga32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Jpkfmfok.exe
        
        C:\Windows\system32\Jpkfmfok.exe
        137⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\Opmaaodc.exe
        
        C:\Windows\system32\Opmaaodc.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Acnlqe32.exe
        
        C:\Windows\system32\Acnlqe32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Gadqepkn.exe
        
        C:\Windows\system32\Gadqepkn.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1528
        
        C:\Windows\SysWOW64\Agpoqoaf.exe
        
        C:\Windows\system32\Agpoqoaf.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Dmbbaq32.exe
        
        C:\Windows\system32\Dmbbaq32.exe
        142⤵
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Elienf32.exe
        
        C:\Windows\system32\Elienf32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Jjjpgb32.exe
        
        C:\Windows\system32\Jjjpgb32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Cnokhonp.exe
        
        C:\Windows\system32\Cnokhonp.exe
        145⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Giaaoa32.exe
        
        C:\Windows\system32\Giaaoa32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Kjponk32.exe
        
        C:\Windows\system32\Kjponk32.exe
        147⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Mnhdae32.exe
        
        C:\Windows\system32\Mnhdae32.exe
        148⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Dhdaao32.exe
        
        C:\Windows\system32\Dhdaao32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agimkk32.exe

Filesize
99KB

MD5
8ff0c531a63ee94b6b0c78fa66dc731a

SHA1
529684d7a58afaafae2efb1e9ec359719112cc6c

SHA256
a96691174369dd3b9ba1a80ec29bb2cc8fe15957ae03659c61073180c6228653

SHA512
e25b44b7597af1e3b4b1e513839118753e0ae5c9bf7c5443004f65548f5f3996eaf70e212f1286e12fa3136a4429c285c16470f1c284b63c981a43280338dc05

Download Submit
C:\Windows\SysWOW64\Akpoaj32.exe

Filesize
99KB

MD5
da79d03406fc2a28a914f7419d67eed9

SHA1
5ef7202b270f5a3c1cb496a6083bb0bc86505246

SHA256
f29be4273109e337c9e1b13c147e7e872fbb792d9b3a4e3f8dea25a833b50238

SHA512
c9a388f3d4b36073d8406f115e76646fd822c0f24757fc6d007a8f4a49c15f2b3b36861b6231a286ff6d6fa704815d6769d8c8e6d0a772de5f97deb7606f2836

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
99KB

MD5
f9b5f4fa90b95988bbe94769f5bfcbf4

SHA1
b6b2ee2d327379a6c65e5d2482e9ad1804047f54

SHA256
05aa83a85e0a6590ecef491dc28cad0e55691b7a4dde76fa03d9989f413b9833

SHA512
e47d8e309ba555d27b0b79319af5de9ef84a95fbe9f9c86c87ae81cd34b11213c279743e35b0328406092c9c71ad4ddb0dd816f592d5c46f6e22d7a6b1397eef

Download Submit
C:\Windows\SysWOW64\Aonhghjl.exe

Filesize
99KB

MD5
08a7aa509ea08646feee1f63fa3fcb0d

SHA1
26a4a95e61f3b6d015d5d54c3349b16e1c7e6e99

SHA256
027b72bf22ebf1a084db9a3714e980832a9fa8e67138b29f6126e5e210ea80ff

SHA512
66ba35581afe5f69eea8d781a75edcb84d28c177c16322666e0ba38d5bbdce4b4b8429f2c8dd0451694274bfdba2cc33f45adf563d0f873d7fb334bc1ca9043a

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
99KB

MD5
f598619f07a12e64781b0f11bd1e4126

SHA1
f10598db2862278386229f0bf57b95a57d69c8a6

SHA256
1058cf7f0501e02209ed4cb97151a4c791ee61f2e9bb71a1f3a356a7968ddd5e

SHA512
023bbc1ed72e182f7cba3b29a83da29f7bd6f667cec4ec3910f2933356ce5153ce681d665ffb7ac74376612280a28f756456e4a5f38a3f663707787f390553a4

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
99KB

MD5
5bf3fb2c84f2b374c8fc4ead4b4cf62e

SHA1
6f27a95e17611cba05770a09afa1420e65113d90

SHA256
965a624c59a84786519ad4ea0c8d2d3b61788d8ac6e3f7df81ccde153eab3cd3

SHA512
acf6222551e2ac8650fe57d2b6e3cb839c18d4bde6a37d10a350273ca96ce671eb36363216d0cb91c1b118891cb30a15744a4c613f2353f9dc264f9b5aa561bb

Download Submit
C:\Windows\SysWOW64\Bgpcliao.exe

Filesize
99KB

MD5
967bd2a0b44dcf40385f1d22be640b1d

SHA1
425b8ab0a45af8804bc3f09d84b8ce2ccf12bd25

SHA256
cb85f6a6b029f7b311417fd75424ecf2dd7186152e01a2f361248fc5cd969b2f

SHA512
5774ba7a91e2b1bcdc893390e20b63a279697e7cef469eb75dd3453e4f1371cfd5981c003e7ba6258cbad1dbf1dd0a022f1730c858c538941c207a9869832d31

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
99KB

MD5
3bef347fda6d141ee99b8e15f43ab3b5

SHA1
c3de067794fed630d72835d405087d314ed6c0c3

SHA256
6df469a52d31125e1aecd862519320bca721970dfbf6c09adad16ff8ae59c152

SHA512
0cfcff47dea40de437429d75ae9cac6808e0262ad956cfdfd9205ec77ec9ec7feb8766fe262c17a4dcd55b9a88c870d0218dda2574b1583088e647e852567980

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
99KB

MD5
909461a5c77178faa1e6782eedb18a3b

SHA1
5abe3fbc8f8bf65f6036f8e3bc922c0a6eb876df

SHA256
2cd1afdc6adef4839936c8c025e3311488981bec2f893dec506b86f4e926d89c

SHA512
19985329e46af5a09aeee8915d8484c9c235d540cbc15603c6c65dbff83a9a4bc92b14d9ef144cb6cc5386faa417b91fe24ec59b74ed600ec397c0ee57bdba04

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
99KB

MD5
2492123231a6e7802047ea58916af718

SHA1
a1d76d029eb09cb899679729feef739053098588

SHA256
f4983ff9eeef46ca4b75cafa5f92d9e813eb157ef643f6a03520ec85be885fb2

SHA512
97d2f90d63019164bde9f815fc9a36a3c2be709cf2003b0632888a61168b519b9d4a83bbe89a0f593e32d2335751f7370992c4aa4455bf0cd79be5e9f5a40016

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
99KB

MD5
933b65cb7b02f07057ca53768932c766

SHA1
45d4ae2c4ea2915019587395be366307f8ec4ed5

SHA256
5b6ee912cd18a55394f69fe165ce825faf7ebf6184b6d830d2857b3d2fb895b5

SHA512
2b82ce19241d18473415fee1e32bd3060610234205b146504f6401f761d121e540ddff5582285af33507a6a271d1cebe051607033c2749d0c4cb9c6bd21dbaa1

Download Submit
C:\Windows\SysWOW64\Ckgohf32.exe

Filesize
99KB

MD5
11a3bcdaf2d9df0ea94fbe63be58f6ef

SHA1
4bac31425583db2ca7bc19ee75813cd91c39df89

SHA256
6aff5a7ffe28180ce5de1d6bd8348ca641e26a648c85dec4782eca3f20abb064

SHA512
9ed5b95eac8b3460c9a4faa5f86d1dd11ad7952ab028dc26e50dd235c56fadb0733fdaed8a94ca42ada0ec40accbfe6269f0dd0b75d44e2af55ed422908451b5

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
99KB

MD5
e6f6c070e75d0b9a7e1fb8b7c1e207b9

SHA1
d8ccb974646c804336af550c0f540e26318a8439

SHA256
1c8d3414b8c37a9a0c50e09a0e7274db3253bd37a5950839e6b2c72ee13c8034

SHA512
4b5c8537b3071af15cfd77f47ce759d84eebd767f83954f6831bd9bf5efb082b46b82c6b5ba294ee407f6f46bf2e5f0d195d39aaa8326b2209e188751b279d1c

Download Submit
C:\Windows\SysWOW64\Coegoe32.exe

Filesize
99KB

MD5
7ebf880a6158531502e52b579445c393

SHA1
dae98811fbe3fe7b57c347fbc6802ffc8477fee8

SHA256
3ab60568e06fc1c910876de2c8da8c0148f2034131ad36b4c528fb5606109d71

SHA512
3acd10cd0ee646d2adb11513a212123672abb1564d1c1636c58d0b14a172cf9b5672ff2d5311b9a6ae83e148c1b7f554adbe9fcfe1be286ac8c41a2c9eb11c7e

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
99KB

MD5
51029dd8b3b1c3348e21a4865352eb63

SHA1
f94d3536485bdd74df9158673f7e80a5e10e539c

SHA256
4ea1cc7983e9e675c51d5a649d0ce6fcb07f32dd4f5b7b540a8d49b3e100f2ff

SHA512
0cd56a0eda8c0f74f85003d48f33544f9dfd1bb2e7d614629f163fba8387ca74b65a713c1a5dd607f5944e438b449f2a13e43d39410043cadbb89fdee3b0e696

Download Submit
C:\Windows\SysWOW64\Dmbbaq32.exe

Filesize
99KB

MD5
1e8bdd77ed9366007bc5d5db7fcf6efc

SHA1
82747074e58794e097942924e4d2fd59d654ac2c

SHA256
46c90e045953f89c185b73733e18317ee3f3533bd9b6a1d5d9ea762e237e0afc

SHA512
5331af297a6fb01bff2c5f0658b3d69c4a70a4b4fc87cd66e8b088a6a9a167467baefd518b70569de93c34fcbb3e698caa0cbdfc8ba1a5f688d38daa66ba0957

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
99KB

MD5
8f4025cd1cf021026e74e612bdcca4e9

SHA1
d3b568c3809dff986234affb311b42b56bdf3235

SHA256
96d236fa98ec3d4411628ddd62293b8a2a9aad9687a7f90b5c90039629f97edc

SHA512
9bc39c67656669dd199bd403b680bb4de3c98c60ffe4a3d0e3f145be9d9b2d8cfc180ad82a21374f48f5ad17b1f7a8b1be6eecbe9708252dc16cc9689b685bc2

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
99KB

MD5
a5d2ed1fbbc9c4eaef3401adc6e91f7b

SHA1
85cc491a7d035a3fd2103420560d831a01ded510

SHA256
46054d5f207bade633d0f86c3eed01fbe9ac444b3444a7616c27d5b5d7b5794c

SHA512
c13f743172506d9e84a8979d95a0ed63d1b03cd8a4c627cb9fcdf4b9750c9ae030167269602486952dac2c4350bbb3e646ca59df456d822c3ad8e8edebcd9f1f

Download Submit
C:\Windows\SysWOW64\Eifaim32.exe

Filesize
99KB

MD5
554554af027c93db3ea3ed7dc2ce7954

SHA1
fface66b9f18e9671c315e4a4f1dc7ccf711614c

SHA256
9491115a36c8a5b80737d2b935cdc8c1eddef738ac3cf9fe195f997a2f4237cd

SHA512
3c4cbda526516e893dd6805c698d897b993125bee22ab2c6d942eb97bb5fbd0b1bab444e5ab92f5cbd6b865e08126922571c590c3405b991fbaa883160c0ae18

Download Submit
C:\Windows\SysWOW64\Fbgihaji.exe

Filesize
99KB

MD5
67f4107425feb288c04a5acdc0e583fb

SHA1
5b813e526ebd6e49a75440868ebad5406ecdebb5

SHA256
d7cdce45c9a576c2576d7ad4e1891a511617c72e30225e35b53dcb42d3ed765c

SHA512
4e7d838d3830639348e29c2db5281367b67475614be084f29885e9e1868ceb588adbac6d3427d22bce4e4a07813aa1b05e5a8fde38269e47fab9f43d28330895

Download Submit
C:\Windows\SysWOW64\Fbjena32.exe

Filesize
99KB

MD5
dd937c8a4222c0bddbdf4dcaacf8e120

SHA1
9a41286e82db44f4f654caf481549f7b147f425a

SHA256
0a09224218ce54af5d382a66ff13c2e79bd3fdfe9cff0a19677246d3803d9c2b

SHA512
01e11c90f2f6f3fc0b421f632e7ba502ab3efcd7e6c4c9581ea734204574cd0f1b02b5244c81f1c8496def78c31d9763d73a498d17170fa876679a7967a31c64

Download Submit
C:\Windows\SysWOW64\Fijkdmhn.exe

Filesize
99KB

MD5
ef5b58d9dc441bcf2ef537bdcc946c39

SHA1
961ca319d815cce6943262bbd8010ffce68183ca

SHA256
24123abcdbbead8e11af485a86a35ad52356666878ddbe96a1157a51476a820a

SHA512
8924ff8e30125636d8199ca1a5d1a265c2a09ea2d76d629bd45fcb30eb10252b6fd7b37162cdc55dc3888f2bf83c7502fa495bd5bebd0772bc4d5ad8198dc58b

Download Submit
C:\Windows\SysWOW64\Fimhjl32.exe

Filesize
99KB

MD5
f62dd70590eebfae126f87d7ebfaf732

SHA1
a530d2a0d5fb5ab6a2cfcd20e40daa2b5b58459a

SHA256
8cdc8d7180bdcae679f0dd781c7318e1d5447999b59d9e9d6d7c2972574fd4a8

SHA512
254baad13134d31e45f5c6e4e4c7f7621a91805b4602b99dcc6241f5f7aedf5a95fda7befaf27dba93d2e6c4f24a24c10cfe8ea49aaf82053717b48dc5dcfc21

Download Submit
C:\Windows\SysWOW64\Fiodpl32.exe

Filesize
99KB

MD5
ba14bdf14cdf87c462790c0bc0789b8a

SHA1
e6903e6c1cceb4d0be669bfefa6a8fb4185971f7

SHA256
0315ce0b6cd26aba50b9c0074eef413c51acba1ee463804e4fd0afe1795b9089

SHA512
14914fa1d1767cf4f97ec0bb2206652f82d9aefa8fde2b45fe390327a4bbb6eafa2ce0b337507513dc34e23c3edd45b8f79c40c4a29fdfa9858c4c3556cf7bb1

Download Submit
C:\Windows\SysWOW64\Fmmmfj32.exe

Filesize
99KB

MD5
1271f800ec0048c22f395b32b9127f4c

SHA1
90826e21c81addae6d0619ee312737db63272074

SHA256
410e0e295d4abe83ebef932b10ed2bdd56bd86461a6e8a677ddc87e8c155de2a

SHA512
ba00370bd14785621f01f9e8ac19513508d64df7cb31befa5ee4d1aa39ed1cc05c0246935437066be639d4f3f588f7440def81371808fe81540e46518e1d7471

Download Submit
C:\Windows\SysWOW64\Fnipbc32.exe

Filesize
99KB

MD5
439a23d1d014acfdf11213fed8044b83

SHA1
a9e2d3c2744760b361c2c8b4e3ae3b2e8dbe7cb6

SHA256
2fd958797a3c6f6b3bfe8c29301231338ace4902f18d6727fd21153d685ea062

SHA512
0b7993f051631549145521bc034b1eb09cea125f8d1d13823fccd9949740d7e9eaa06801877c652447fd850795ffbde32b8287f3c3f163cc422b4e10d4da315a

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
99KB

MD5
4a8c89eadfb32e86f4909c755c013aba

SHA1
bef74b9af059e7f7f6162f64ba540e33522802f0

SHA256
7b0883d21eef1fd17d204734b0eb6052cd2bd1d7e0cd48062c71ffe5f1c4ff0d

SHA512
0d2d72668dd68b2d7a61ee3821be7623467801abe32d4d3cf5849532d774a660f4141831c4435c0728795885b17708586501fda4a3cfe84fc8da137bfc9715b9

Download Submit
C:\Windows\SysWOW64\Gadqepkn.exe

Filesize
99KB

MD5
dcabdf98f3b91fc79babd8a6e3bbf9f5

SHA1
7b295e55829d09e8ff90f40a319285e42a4d5957

SHA256
b0a293ec48d97300eee5827531c6bf043ce905b3b0642c44048257d14f94874b

SHA512
83c073175ecd36b5faf0b977cb0b329fb209c68f6cc93458a3500a1fe2994db5384b06e8c9705403d346e3249629453d0dcec038cbfd337e87c42a6876807095

Download Submit
C:\Windows\SysWOW64\Gflhoo32.exe

Filesize
99KB

MD5
2a29df42f996ce2187679dd526c2a7c0

SHA1
095fbceb4e4c8856dc20e364e0717e47aab85dd7

SHA256
93c74b5cc2d767fa7271176baee512b885ff4d48c277d819c7313e1cf37f2f7b

SHA512
361248aea73ced1920e2630bc93824d527decfd87ea85e087878fdcc1f684e457f1c48cd7e8544d3865cbee046314312c19be7e9220883de024a96e84f8041aa

Download Submit
C:\Windows\SysWOW64\Giaaoa32.exe

Filesize
99KB

MD5
b981dc2330ae798a3b40017a452e921a

SHA1
ebb97cbdd38111576408b03b323800295c19a342

SHA256
435e4c3ef95bdfd69714abaaf91935419f63bf68cf1548082fbe3c4f05fed1a9

SHA512
13e26763691694d12da8fd7b4aa6adc8d71da9606dd2e677c87416a6aea89115f11dab187e36ba9a8a4a1408571dd2c34f2f1fb714df61a366c33d66d19f9df5

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe

Filesize
99KB

MD5
e55a5d70aea2ce63e6fc6f23e0ae5bf0

SHA1
1871705d5b363c7e6567d5becd0f9d8a4e887628

SHA256
3e2cb9a4f7a7900e62040c1543edb1f9e67ad492831adeb8bf22070628539bea

SHA512
fbd143e8505522310bd2bfcd04ec5dd6d761b4cbcae626bdf406ef172585ad262be0c39f8d3b0f93e2fb75701280430213a028d3d2a6679023ba5d52d322c31c

Download Submit
C:\Windows\SysWOW64\Kceoppmo.exe

Filesize
99KB

MD5
80ae865f02f5f5f455f7e8a0f29411ca

SHA1
2216e12105f3575551c63cc414fe68f3a3a14acf

SHA256
c3621f5dcf7fa7a8d5172125a48197d6b300b0de455a3018a6b1bd5392775eb1

SHA512
39a2091b4fb39eed6b1ddbd75ef168d7fa3cc583d1898719edd17c479b78b2911327de587ae982109f7e7aee802d75fd59c13884cc4f37bddf837ab63f195df9

Download Submit
C:\Windows\SysWOW64\Lhnjoi32.dll

Filesize
7KB

MD5
de9b43b5daaa34232f4f628e5945f8ad

SHA1
51cda75266761897d8ae2bb7a13bac80d5aafd95

SHA256
13d6d81b7b0e29a93f02f57aacf5a65134d80fac44a3ea6343db718d65ae5e1c

SHA512
87b46c63c8f1f02fadbb7ef7971a6720016d8e3d36f26cb83cc5550b30ff856b67e89c843362e7cb1cb3f57993c8ac77daa7211621e2deefbc3cf49dbcddbf22

Download Submit
C:\Windows\SysWOW64\Mfenglqf.exe

Filesize
99KB

MD5
d441bfe87f749c7e648f9ba85f26f842

SHA1
aaf0aeaecd89ebc3ecc3bad48c9e8c005ce489e2

SHA256
f01b61bb623a7f7ca3ce61b7b5bbb3b22a31131ec749db5b331b032851de29cd

SHA512
43d6e00ef7e48566763801950678df85fbe20ae96b8b01621e9a38627e4f44084d732b9997a3eb52f92ec9e7706da1d5067229a2b988566af76245be01fe4ca3

Download Submit
C:\Windows\SysWOW64\Mhckcgpj.exe

Filesize
99KB

MD5
7434961d83076ec4d67b37083c34d671

SHA1
2d5341275d85f22d9fc435f3a7bc223996bc95f4

SHA256
fcdad1aeda7ad00c6a600aee73e69f0264f16fbd5efdce8ffc85df23b7ef958f

SHA512
df424db96dc60b2eb763b85f2b1bdc59613b38b3985c0c1add5b79e710331df83a23143c29a06d0e28bc6f354413d5e38a7a3f39c408503066e57484d7c67244

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
99KB

MD5
3926ab1ff3bc35c3e150308d1c8a1e2b

SHA1
a9433fae9ae668688e50aa74c842e8bc4f597c89

SHA256
ce515adf89d5f8ee1395a78d66f5c7bc4f27994057c3a2c527b536886d07c1c0

SHA512
4de8ed4fc1dbe67da0f6c577aba1582bc95225a911fc13fc9c1bb66f5b1d83592468be5ca7f6751adc51c7f6292ece60b967325b02eb1d90f658ba24e03b87ad

Download Submit
C:\Windows\SysWOW64\Nhhdnf32.exe

Filesize
99KB

MD5
3f8b13e74c1877ab6b274dd9ee6ce71b

SHA1
4ce8a59181c99bfcf8d938e38ea4fab8dd592c25

SHA256
71950f804e7346c8c2435df59cd0a7d8f97e25535a3d907bcf1c0c25207c0589

SHA512
8f18fc77eac9aecc5ba81dcbbd4463373e5169fb87e0a7e630b37ec5c8da2f0fd82add1dced3635468cc8d93acafd28dc85a8826f0dfb7b2b407dab10e67ec70

Download Submit
memory/524-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/524-109-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/980-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1040-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1356-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1356-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1552-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1552-86-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-91-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1664-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1664-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1752-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1752-251-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-69-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2192-123-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2660-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2688-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-100-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2904-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3300-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3300-118-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3320-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3324-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3324-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3328-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3328-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3360-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3756-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3756-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3768-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3796-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3796-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4000-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4000-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4472-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4632-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4632-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4640-85-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4648-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4656-227-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4656-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4736-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4736-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4940-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4940-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4992-106-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5048-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5048-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads