b70a25029597e6022aec6d9d6b25cced6ace4788872bfc7a53fdab8849d63e6e

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b70a25029597e6022aec6d9d6b25cced6ace4788872bfc7a53fdab8849d63e6e.exe
Size

123KB
MD5

c8ac7c8522ba625e7e186feb18c6ac16
SHA1

d5ed25c2476eb40419ddf9f00dac298e07fe319d
SHA256

b70a25029597e6022aec6d9d6b25cced6ace4788872bfc7a53fdab8849d63e6e
SHA512

47eb2d0cfb9f0dd77cf8ce5300ca96a754025329377410eb240114d1ba967c8c94e61e658b3f479e822bebf5c0b08b94c4bf11e1b13014cb3f5c532cfb4eb535
SSDEEP

3072:YnLFhrDAFZ7u2tVY9rV27L4PCIRYSa9rR85DEn5k7r8:YLDgDBLR4D4rQD85k/8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dccbbhld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhjfhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcefno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecjhcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomhdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fomhdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfpcgpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elppfmoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkmlofol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikbnacmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe

Executes dropped EXE 64 IoCs

pid	Process
3380	Dbaemi32.exe
3084	Dlijfneg.exe
3032	Dccbbhld.exe
4180	Dddojq32.exe
2948	Dojcgi32.exe
4964	Dhbgqohi.exe
3696	Eefhjc32.exe
2000	Elppfmoo.exe
1464	Ecjhcg32.exe
3508	Ekemhj32.exe
1552	Ecmeig32.exe
2832	Ednaqo32.exe
2204	Ecoangbg.exe
4904	Edpnfo32.exe
1384	Edbklofb.exe
4160	Fcckif32.exe
1836	Fhqcam32.exe
760	Fomhdg32.exe
4224	Ffgqqaip.exe
4328	Flqimk32.exe
4692	Fkffog32.exe
4240	Fhjfhl32.exe
908	Gfpcgpae.exe
3168	Gkmlofol.exe
5084	Gfbploob.exe
1724	Gmlhii32.exe
4108	Gcfqfc32.exe
4104	Gmoeoidl.exe
4832	Hiefcj32.exe
3628	Helfik32.exe
2188	Heocnk32.exe
4316	Himldi32.exe
392	Hkkhqd32.exe
3700	Hecmijim.exe
3348	Hkmefd32.exe
3384	Hfcicmqp.exe
3776	Ibjjhn32.exe
2316	Iicbehnq.exe
756	Ikbnacmd.exe
5008	Ifgbnlmj.exe
4016	Imakkfdg.exe
2620	Ifjodl32.exe
5048	Icnpmp32.exe
4608	Ieolehop.exe
2180	Imfdff32.exe
3964	Ibcmom32.exe
2560	Jmhale32.exe
4268	Jcefno32.exe
4004	Jianff32.exe
1652	Jcgbco32.exe
4620	Jfeopj32.exe
1868	Jlbgha32.exe
4412	Jcioiood.exe
2800	Jfhlejnh.exe
4916	Jmbdbd32.exe
4976	Kboljk32.exe
4884	Kmdqgd32.exe
4148	Kpbmco32.exe
2688	Kbaipkbi.exe
2836	Kikame32.exe
2280	Kpeiioac.exe
4908	Kfoafi32.exe
2516	Kmijbcpl.exe
3972	Kfankifm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gfbploob.exe	Gkmlofol.exe
File opened for modification	C:\Windows\SysWOW64\Imfdff32.exe	Ieolehop.exe
File opened for modification	C:\Windows\SysWOW64\Kboljk32.exe	Jmbdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Himldi32.exe	Heocnk32.exe
File created	C:\Windows\SysWOW64\Kfckahdj.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Lbdolh32.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Jcinbcgc.dll	Ibjjhn32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Oggacefk.dll	Ffgqqaip.exe
File created	C:\Windows\SysWOW64\Gfpcgpae.exe	Fhjfhl32.exe
File created	C:\Windows\SysWOW64\Ifjodl32.exe	Imakkfdg.exe
File opened for modification	C:\Windows\SysWOW64\Jmhale32.exe	Ibcmom32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dbaemi32.exe	b70a25029597e6022aec6d9d6b25cced6ace4788872bfc7a53fdab8849d63e6e.exe
File opened for modification	C:\Windows\SysWOW64\Heocnk32.exe	Helfik32.exe
File created	C:\Windows\SysWOW64\Laapnj32.dll	Imakkfdg.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Igoedk32.dll	Elppfmoo.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Klqcioba.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Edpnfo32.exe	Ecoangbg.exe
File opened for modification	C:\Windows\SysWOW64\Fhjfhl32.exe	Fkffog32.exe
File created	C:\Windows\SysWOW64\Oendmdab.dll	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Deimfpda.dll	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Gcmdhh32.dll	Fcckif32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Hjqaij32.dll	Dddojq32.exe
File opened for modification	C:\Windows\SysWOW64\Helfik32.exe	Hiefcj32.exe
File created	C:\Windows\SysWOW64\Edgbbfnk.dll	Kpjcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7708	7572	WerFault.exe	281

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll"	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoqj32.dll"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b70a25029597e6022aec6d9d6b25cced6ace4788872bfc7a53fdab8849d63e6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Elppfmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iicbehnq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kboljk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlineehd.dll"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flqimk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieakglmn.dll"	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkmlofol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Heocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3380	5004	b70a25029597e6022aec6d9d6b25cced6ace4788872bfc7a53fdab8849d63e6e.exe	88
PID 5004 wrote to memory of 3380	5004	b70a25029597e6022aec6d9d6b25cced6ace4788872bfc7a53fdab8849d63e6e.exe	88
PID 5004 wrote to memory of 3380	5004	b70a25029597e6022aec6d9d6b25cced6ace4788872bfc7a53fdab8849d63e6e.exe	88
PID 3380 wrote to memory of 3084	3380	Dbaemi32.exe	89
PID 3380 wrote to memory of 3084	3380	Dbaemi32.exe	89
PID 3380 wrote to memory of 3084	3380	Dbaemi32.exe	89
PID 3084 wrote to memory of 3032	3084	Dlijfneg.exe	90
PID 3084 wrote to memory of 3032	3084	Dlijfneg.exe	90
PID 3084 wrote to memory of 3032	3084	Dlijfneg.exe	90
PID 3032 wrote to memory of 4180	3032	Dccbbhld.exe	91
PID 3032 wrote to memory of 4180	3032	Dccbbhld.exe	91
PID 3032 wrote to memory of 4180	3032	Dccbbhld.exe	91
PID 4180 wrote to memory of 2948	4180	Dddojq32.exe	92
PID 4180 wrote to memory of 2948	4180	Dddojq32.exe	92
PID 4180 wrote to memory of 2948	4180	Dddojq32.exe	92
PID 2948 wrote to memory of 4964	2948	Dojcgi32.exe	93
PID 2948 wrote to memory of 4964	2948	Dojcgi32.exe	93
PID 2948 wrote to memory of 4964	2948	Dojcgi32.exe	93
PID 4964 wrote to memory of 3696	4964	Dhbgqohi.exe	94
PID 4964 wrote to memory of 3696	4964	Dhbgqohi.exe	94
PID 4964 wrote to memory of 3696	4964	Dhbgqohi.exe	94
PID 3696 wrote to memory of 2000	3696	Eefhjc32.exe	95
PID 3696 wrote to memory of 2000	3696	Eefhjc32.exe	95
PID 3696 wrote to memory of 2000	3696	Eefhjc32.exe	95
PID 2000 wrote to memory of 1464	2000	Elppfmoo.exe	96
PID 2000 wrote to memory of 1464	2000	Elppfmoo.exe	96
PID 2000 wrote to memory of 1464	2000	Elppfmoo.exe	96
PID 1464 wrote to memory of 3508	1464	Ecjhcg32.exe	97
PID 1464 wrote to memory of 3508	1464	Ecjhcg32.exe	97
PID 1464 wrote to memory of 3508	1464	Ecjhcg32.exe	97
PID 3508 wrote to memory of 1552	3508	Ekemhj32.exe	98
PID 3508 wrote to memory of 1552	3508	Ekemhj32.exe	98
PID 3508 wrote to memory of 1552	3508	Ekemhj32.exe	98
PID 1552 wrote to memory of 2832	1552	Ecmeig32.exe	99
PID 1552 wrote to memory of 2832	1552	Ecmeig32.exe	99
PID 1552 wrote to memory of 2832	1552	Ecmeig32.exe	99
PID 2832 wrote to memory of 2204	2832	Ednaqo32.exe	100
PID 2832 wrote to memory of 2204	2832	Ednaqo32.exe	100
PID 2832 wrote to memory of 2204	2832	Ednaqo32.exe	100
PID 2204 wrote to memory of 4904	2204	Ecoangbg.exe	101
PID 2204 wrote to memory of 4904	2204	Ecoangbg.exe	101
PID 2204 wrote to memory of 4904	2204	Ecoangbg.exe	101
PID 4904 wrote to memory of 1384	4904	Edpnfo32.exe	102
PID 4904 wrote to memory of 1384	4904	Edpnfo32.exe	102
PID 4904 wrote to memory of 1384	4904	Edpnfo32.exe	102
PID 1384 wrote to memory of 4160	1384	Edbklofb.exe	103
PID 1384 wrote to memory of 4160	1384	Edbklofb.exe	103
PID 1384 wrote to memory of 4160	1384	Edbklofb.exe	103
PID 4160 wrote to memory of 1836	4160	Fcckif32.exe	104
PID 4160 wrote to memory of 1836	4160	Fcckif32.exe	104
PID 4160 wrote to memory of 1836	4160	Fcckif32.exe	104
PID 1836 wrote to memory of 760	1836	Fhqcam32.exe	105
PID 1836 wrote to memory of 760	1836	Fhqcam32.exe	105
PID 1836 wrote to memory of 760	1836	Fhqcam32.exe	105
PID 760 wrote to memory of 4224	760	Fomhdg32.exe	106
PID 760 wrote to memory of 4224	760	Fomhdg32.exe	106
PID 760 wrote to memory of 4224	760	Fomhdg32.exe	106
PID 4224 wrote to memory of 4328	4224	Ffgqqaip.exe	107
PID 4224 wrote to memory of 4328	4224	Ffgqqaip.exe	107
PID 4224 wrote to memory of 4328	4224	Ffgqqaip.exe	107
PID 4328 wrote to memory of 4692	4328	Flqimk32.exe	109
PID 4328 wrote to memory of 4692	4328	Flqimk32.exe	109
PID 4328 wrote to memory of 4692	4328	Flqimk32.exe	109
PID 4692 wrote to memory of 4240	4692	Fkffog32.exe	110

C:\Users\Admin\AppData\Local\Temp\b70a25029597e6022aec6d9d6b25cced6ace4788872bfc7a53fdab8849d63e6e.exe
"C:\Users\Admin\AppData\Local\Temp\b70a25029597e6022aec6d9d6b25cced6ace4788872bfc7a53fdab8849d63e6e.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\Dbaemi32.exe
  C:\Windows\system32\Dbaemi32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\SysWOW64\Dlijfneg.exe
    C:\Windows\system32\Dlijfneg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\Dccbbhld.exe
      C:\Windows\system32\Dccbbhld.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
      - C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        27⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        28⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        29⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        33⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        34⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        36⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        37⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        41⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        43⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        44⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        48⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        52⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        55⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        58⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        60⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        61⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        66⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        68⤵
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        69⤵
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        70⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        71⤵
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        72⤵
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4220
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        74⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3896
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3888
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        78⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        79⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        81⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        82⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        84⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        86⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        87⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        91⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        92⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        94⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        95⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        98⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        99⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        100⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        102⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        104⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        105⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        107⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        112⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        115⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        116⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        117⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        118⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        119⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        120⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        122⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        125⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        126⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        132⤵
        Drops file in System32 directory
        
        PID:6276
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        133⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        135⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        137⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6644
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        140⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        141⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        144⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        146⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        147⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7056
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        149⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        151⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        152⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        153⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        154⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        157⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        159⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6884
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        163⤵
        Drops file in System32 directory
        
        PID:7100
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        165⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        167⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        168⤵
        Drops file in System32 directory
        
        PID:6596
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        169⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        170⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        172⤵
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        173⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        174⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        176⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        177⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        179⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        181⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7316
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7356
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7404
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7440
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        186⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7528
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        188⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 420
        189⤵
        Program crash
        
        PID:7708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7572 -ip 7572
1⤵
PID:7636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
123KB

MD5
6a9497f122fb7335d6a46d0a1cccc4ce

SHA1
1dfbdd0b9cad570174ab318c41cf2c4942fa7ada

SHA256
b77f9fdff4684d030bf4d58d474c36d280b5ba74d2a7259881de76230a1eacfe

SHA512
7e45c7087c15250573f7231358a2e2289f144c99ed7e0affcb0ed08037ce0b47ed09169844dc7443fd6629fad107a68d29defe5c5abdd9bb6c05905aa2a958be

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
123KB

MD5
64f20cf86990a38542e02b8ac9c229e4

SHA1
db6d261a66577dc393be8a51b5909da9fb2a002f

SHA256
c4984f83246410749a0330e7e75610623410f98647eb4f85a2ac585e07b587f5

SHA512
2259a94cfd4e2f8658ab66ed266aa50f58f1570ec1176df22f894abea3d20a9954b407fd50b2ccd6589b734dc0cfc881cafa5ec00728f524f624d28e6344422a

Download Submit
C:\Windows\SysWOW64\Dbaemi32.exe

Filesize
123KB

MD5
f324f66af49c0906e5f49cee215e6838

SHA1
67e8455f4e42e18567c46d50f728e07eb3c7e2e9

SHA256
26924598fd9d9c938e0b90108e43176ac9ea8d9b8b1cbc9dc3492f18503f0a80

SHA512
55a05e707649f7e98a68ba38a039d0d132c9b99f9662c0247c9bd077d77f61db83d2fc0d4f71ac0800dd5beaebb0ce4ea965d4d16f1274e24a3d81bae718fbe6

Download Submit
C:\Windows\SysWOW64\Dccbbhld.exe

Filesize
123KB

MD5
523ab9b32f980ba18afefeb54f6b8291

SHA1
13154d62a1f457aab77b6b141c5fc136ef863095

SHA256
b64dac2b39386036b2f6d5b6413674e06bdc8cbedcc07a875832f5939aac9d49

SHA512
44cabfc273138c25b474c8d0e656a6190c174e3c46f4210c53af24ce4f294e87b8c7b001ddbc49a1a314d0d8efbeeb3a4a8b38406dafb8c4fc14d95f5e4ec61d

Download Submit
C:\Windows\SysWOW64\Dddojq32.exe

Filesize
123KB

MD5
00db2b17ff5d16472bf8f600e66a7e61

SHA1
0b34b40854e9c8bd3b950ab54ef0aed82cd57f49

SHA256
aa9566176f59822063999e1815da9603f2e0892654bc69f987e87aba0cca7562

SHA512
80da4a26d605aa3266e368fc66a053a579fa313c4622abec027f8620cee814013264fa89f5bf62a2c1a51ec27e3f853ce64b3a9c0df617365bf127986f891d3e

Download Submit
C:\Windows\SysWOW64\Dhbgqohi.exe

Filesize
123KB

MD5
caeb8a51a98c3c9a828fb5ea0d5d228b

SHA1
0224fa021ca21267b03168d313a87fb27f307114

SHA256
12d1d0a5afcc63e546ce319c53498164ef139e7ff3e6ba938265fd70d0ec36f8

SHA512
02175ee5fd199e9c829c2941ac8a3c236927521a86624d3dff845038acd29a66f186d3c8ba2e42c2ecd06caa34e23976ed5ea0e0e40ede42dca1da801432992a

Download Submit
C:\Windows\SysWOW64\Dlijfneg.exe

Filesize
123KB

MD5
b0dba329a5f60212322f3c265c3d11c9

SHA1
aebeb87b7583e4a96a5b97f5ebf8a9f0bf362b9d

SHA256
f0de57482f5bb5546711fa902447c0dcb0bdbf96a3cd95c3572ca1f76a70d631

SHA512
5bbdf443b0b5001327a8ab88e887862d96ed48203d13c4ffb0b5bd80a8073f0c10d89939cee4a432a5151bc8e0236247157eb3389c1b24d2f081158969ba29a8

Download Submit
C:\Windows\SysWOW64\Dojcgi32.exe

Filesize
123KB

MD5
a92809b81b069deac8bb822aa04be728

SHA1
667dea41c557f7eeed262e0fad4461a66b5a3501

SHA256
c113050468846d53f86ef941715d4fd262a7a8ab6ff22450b71b4071ea8d46b0

SHA512
fc0457a1deb46c0ead884fff81361a21abb446ccbf243b33ebca7a3e2d17b650493f451d57e9ea3fc23b7002a3b0bd2640e2d679652309070f795615ab6a813f

Download Submit
C:\Windows\SysWOW64\Ecjhcg32.exe

Filesize
123KB

MD5
22873d27c0392e8b9c9b967e54f81c62

SHA1
e496410cb7da887e4fb41f3b2a6d731da1fee6d6

SHA256
e421973588ab4fe23d6b18b14e17bb35a83265b06f96ac824f10566da4372b41

SHA512
a6dc53ea69bd0e7bad5df288d1ee6bbc280ee5dfaf7ddf606729f0ac4f6233fa88a9e57e9024a034d8928a17cc1e64bc4743636872adcac62398ab85d367d706

Download Submit
C:\Windows\SysWOW64\Ecmeig32.exe

Filesize
123KB

MD5
085820d1b7b6f79abd85c8224338ea91

SHA1
85942f12ee407a3e98311447cccef773c8512198

SHA256
e179120b4acce3f193fdde704ce6dec2acd80df43a86d04c241ae767a231402e

SHA512
60fcebec42fec11de02caa71721a03635b2a4bc03edda7ce1bc4eb79f85a5d7c55b1fbb3bf6438987d222417016b3c73a0a19f082bae061aae3082a7ebf68b83

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
123KB

MD5
38d425c995eeda6ce5dc5131b51f1adb

SHA1
e187f5ef71926f01fc2bca1b81a5262f37320c39

SHA256
8807a4c6c2b1e990dccc0557670661513962a4e8d5153ffd3c9984978a314a43

SHA512
8ac96163ef917cda789a10dd2d26cce3d50de7a8ffe00db10f061894836f6398ad1c7f607fcea9f1d9d3e10acc7b0595c4d9a0d7d3719c137e28175c42d485d5

Download Submit
C:\Windows\SysWOW64\Edbklofb.exe

Filesize
123KB

MD5
cd0384b127935b1254e2ecb89e4a775f

SHA1
1b9c087fc85dda1413908227960066d36c7eec41

SHA256
306eb317084525c1535fe4a6c85335ee835984aa12596ff8b6a4b2e22e130869

SHA512
21325d9308941da0b260f6a3730da34e4b46d82463a4e9eb8976625877e6cc660c93e8d77287406b2e37b4ef13c64297a813c9d36447187211899160e428171c

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
123KB

MD5
6431203ed825ec78090a8a29da5b61b4

SHA1
74d190226d1b8c68562968c3cdb626dff923b0fd

SHA256
4fe8da61be517c09a3bf2ee6c7ec1ed2a843abf483499a17ec491a8d8db3f3cd

SHA512
1f1579b349db8a457c9263bdcc8f52cf781e12d6baa4b7b13247a320d2dd5ef0d37ccf6b2b7542b52f28d95eb77c03d50045765e7ab8d619271bd338f25a9015

Download Submit
C:\Windows\SysWOW64\Edpnfo32.exe

Filesize
123KB

MD5
a8acde76f6aca088290f832b9d76ace8

SHA1
f0a0a484979b5f1f8ee1e7aae58f0ab1265f49b4

SHA256
20e88015284253aa9efdf34b3f786b322435e1526096d274a06088694bd26266

SHA512
174e03b667c3bd9e167e5a8b4978034600f3e7b7b6ad58c27135126eff7ed4ccf7b008dc2a1343c49a85bad67fdea16e8bc877ee6a887d2a3dedb02b1189b2b4

Download Submit
C:\Windows\SysWOW64\Eefhjc32.exe

Filesize
123KB

MD5
1f11cf066d6b366a02557a40282a2d07

SHA1
495fd09f48ab354ca67c229ba775fca0ed735883

SHA256
400221e68b8974c19fd661452ed3fc89d170d18f47413f365ef7c838ae00f37e

SHA512
6faa37aec4cd61f4845c7b4d5a12f5c8174b41fda279494fb450f950bef61461a262db9ff30e20d7817a6ac8cf727518b939231bc5e17e453f94005024705657

Download Submit
C:\Windows\SysWOW64\Ekemhj32.exe

Filesize
123KB

MD5
d08a1c6972a74ace9925a2626b38e47a

SHA1
f3ac616026f2538b2e750bded183d68f13570642

SHA256
9407fc686f51ef38ec9cb19e4fe7ccd4a4882a673ff1a5bdafb011847557dd97

SHA512
7f6a5c5401b8f3a8f1105df41b73430327893063cce4968f3f98e970c1c360ba584f8b5244b9796b3e15d03e98e4f94ad68bcd0baad6890a275b822d03837537

Download Submit
C:\Windows\SysWOW64\Elppfmoo.exe

Filesize
123KB

MD5
bdadd073675501a34def6879dd5d531a

SHA1
c808da76b5fec38f1a0506b3ec18b9f1fc3081fd

SHA256
1dda6cd0b78a1c220f1fac792b1245565c3ad2aa261edabfcfbbadee0449877f

SHA512
3b31740332cd790b27ad6415a60ca1d716fdd9c888709f8d1f8e31ba124c503b180890aa6d2a24f662dbc29dd83b3c1d54e58f92a34f12880b5befc0b54db448

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
123KB

MD5
9bb5d28c80a477cd7ddfa3f3827325c5

SHA1
dbf465c26f71d9409a29431a921fcee3e1e0183e

SHA256
83c37efe3dd7d2fc830f170e265e8ec7fef3e203ea004eae0e270842970ac279

SHA512
a66cdb00a394b1606233f3d00d179418c2cc6d0ef836d28ef3e82f5f830584ed02a398817a9fcfbcf84990c730aa4717fa11bd28c332cfde5060d2a9b2c8abab

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
123KB

MD5
3f3862bcce2f77f673aa92b32ca8c653

SHA1
1a3f2de6cf0bfb792bb94ff43820edecc7ecf1b7

SHA256
f81f5e21dc1f0de82c07c18bbf1dfe8c1804cb9b0babb144fd898885b4c436d9

SHA512
cbfa5659df1493d9bd5617973b734938b6be2cc4112d25c717d4050accc3f3b5d2935886bb44f5a12c9cedfc0dbccd3fe453e9cd5d0015c81ed0e6675cf85c49

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
123KB

MD5
4e71bd12efca68d17c2dbb2c53e422d7

SHA1
e47089bec4c962635ac3c38f486cd93ea84c4061

SHA256
4964f5606b0e07cf470c3893f4bf49fc460d420645b99e1674193008d4921d8c

SHA512
844caa607e1bf7c916263693ca8e0c64c5d20947b1d73ef5f3d3ac53f56f1899f0b5e10180a12f5b19afd3b05722b161428cb4792371c06b3300bd4a584d0e96

Download Submit
C:\Windows\SysWOW64\Fhqcam32.exe

Filesize
123KB

MD5
5c4aefb5f79b7638dc6233e3c88130eb

SHA1
1125fb2945c10e0576293eb3964af0ecd5e9acc6

SHA256
51ff46c004ab479e17ead021f8f9056f4f9b1cb8007dcc64fcf09c9595f96a2c

SHA512
6b232958c4bd5e748e2482bb334550bca2a99f528b4ff97d02dccb0f297f383ac7fed70edb1b25dc8290ab280c840d0c95f4160e9f841bc9e42bc7786971ec77

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
123KB

MD5
9c50213c05a4a6df83d98d0a7e8b395f

SHA1
4bcaec01edf9e962269e7b5027710f6b598da1ef

SHA256
5028489b8d7db3fa913065492527ad2090bbbfc816aff6ec27646244a230973d

SHA512
e81f357499231ceb086db717dadba3b728a8e0d6c2b46ff1ad983fca0bbf920977b1299ff6a12c997b63e30183029d90bd84a5a8ea6579ffa230cd735ead809f

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
123KB

MD5
d18d200e8c4d0467c476e304250d64e4

SHA1
9d86925fb882fa80af84cf0eb9ad17316f873a78

SHA256
8656b870d08d2df0581c7f653f54bdcfcd96c1bedd3a73adc6a0ab61641d97ed

SHA512
0a99be1fe6faf5a53153beff0b8afbc1486e84a395e3c86afc313bb702f5018601324b82fed2f2fde31263036e3644c135448c8300dbfb46d06f76dd146247ae

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
123KB

MD5
cbab092a0c5e383fff13ee6d5fdf3509

SHA1
f3ec06d571bdc32cb58b7d334eac3a1434f96764

SHA256
341b7e451ed0ab28fa3d17d50777ced92327b5f1f4bc3e76e9c11672ac3e2ac6

SHA512
64c462df22911ce850259520c1c90d92b78aebcc17fb7aa6e4b60921d0eb28ffe5dadd706b612f49fd218af7c8b97f4c8dd9abef2b6a16ecc6bf7e7edff4960c

Download Submit
C:\Windows\SysWOW64\Fomhdg32.exe

Filesize
123KB

MD5
0b584cd2ecf642b0c634257ae0f5e561

SHA1
9ac8c6f99a542ec473b72e711207d3f0d9b8becb

SHA256
09e50233a71b651ec93c7055602538a21800fecdd9439c35ffd4397465f55716

SHA512
aa9c9c51ce512cd950c89fbeee1794b7afaefe43090da6719d0ad2abf11a30b6ba47995bfbc13e6a81501d5d4479983f8f8f8997bf529545d6a035089dd23dc3

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
123KB

MD5
51a5c46bd8139daff87346dc97b04933

SHA1
16efefa19371eeb55cbf9adeca32910c39e1f795

SHA256
e0a8faa8ebb8e288ee9e52d5ce167597dcce8a9c2173a953475ee17b05718e32

SHA512
39dd646f002b34c2865d9b42f1d0cdd8e8c21127d311d14514beb9395aa8c0a0d6031fef74bd8c9fdb5feb9a9e659ceae0fa42523d708cebdf7f836361898ebb

Download Submit
C:\Windows\SysWOW64\Gfbploob.exe

Filesize
123KB

MD5
1f4b288718e4868e9422316248fe5757

SHA1
86d9d7a9c38038ce3f6afed1758e3f9a8b8bfbc4

SHA256
15e9d3878666ff0baeaca96ecabca62b2174bb4f424426a5d8de123626162437

SHA512
7b9ba51061a0b0ebb007bfa69a867cb4add72ddd52b4ee96074bf502bdac605c80002c3c082f07c627a8e92005df56cfb90d4d5f35bf7962bdc581f9f5dda410

Download Submit
C:\Windows\SysWOW64\Gfpcgpae.exe

Filesize
123KB

MD5
88d004c972a879477df9aa169af42aa0

SHA1
81c0b137cb169f6200788b924471781db8dd2e97

SHA256
33b48a8f19dd7c3fe2bad7181c116f633d0768597cf23aba96e44c39ab951e72

SHA512
fbb56442ca793afbc7aac3bd20eb0a228f82dd1afe3ff25a89d1dededc1ff95cc8f910f609b01490bb3a5c2d7e0889a6e7ff3046c115d146d3bd3c46cf0ca49b

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
123KB

MD5
1a7702bc42b1f3102c96f60292abc807

SHA1
69a24ebce985cd119ec7d9f6da06edd13cf92b4f

SHA256
c1cf20e4cfdc99c89b18fd6d94f3a100ae9d894a7ff73f8004e151fec4355d5a

SHA512
0562cf1d2958b9acca01cfe0cff379aaa37ae4aa571d42af560f3be880f6602388a47a23d6154d7b24af8359b4f76e108376103f4bac5f7b3a9422ff36a0b183

Download Submit
C:\Windows\SysWOW64\Gmlhii32.exe

Filesize
123KB

MD5
0dbd0c45a131d0602218b7ef36ddc61b

SHA1
4893f97ec7db38dcb2cbeafae64c94e1c8124246

SHA256
d70be4fe19ec584a4a9ed667c552de86acf6edb04eb15f6373ca8772269dc07f

SHA512
a1609d2e6a00fd4c0990bc3f960e8dbd397001377b0b25e35da33493f02d8925247f4dda262cfe47a1da416f1a1c452ee29d9f50c29e84f86a77114807d2bd73

Download Submit
C:\Windows\SysWOW64\Gmoeoidl.exe

Filesize
123KB

MD5
a21882ce5f125672212747200a40e790

SHA1
2c8e612628e2a3b22a874c1d8dbe6f1ddfe217d7

SHA256
e20f2aa48ef2e3f99c35a690a7fe452962532921885f40847dcd44c47bb517a3

SHA512
5083246e6a7e8d146c35523b57b9da9b45ca0ab672b8d1beadd60212851153bdffbf260b32df5d8af182d02c1586210d371d42cbd19318c96bde8f8b60c1b61c

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
123KB

MD5
598cca181a7f6397e5416d2bb25e1cab

SHA1
a09708384c70a423bfd4ae5c5d647eeb2e941d92

SHA256
d42bf10aa1ad85fab0af211029b1cfe34ff5ff1db79440b72778ca72cff97ea7

SHA512
49d7ff644c3cbafbc5e62538ea482c362069a2f1c2ca7d61ef129e6e1083301c59e9d2a9c807f720e1658cee5dfb33897682ab381bd6d1291364b0b7447b0f79

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
123KB

MD5
3ee34933bc2bcf7c69fdfdbbe461b6b3

SHA1
6b4b572b93d42a1520a2f6cdd834e68c292c3ae2

SHA256
8d4f3629fbd7cd346d1c386e58ac9eb26e7443a4e89b3d7afa1d991dfd014182

SHA512
fa1b4bed518da647ecd380b5e9a400b18f226b33a922e16d1401501d00bd87554a70215157e4c458f45b9ede2dbd8785a97514ea20dca0f0e82aa0a74e61ef9c

Download Submit
C:\Windows\SysWOW64\Hiefcj32.exe

Filesize
123KB

MD5
ee44e41de5ea701432461785203bfe45

SHA1
22a9d31c4dc37ede605cf1027808323a8febc392

SHA256
8c65a3f055740733fc570a2a3184a2f7d45b3c93d9c8d91f46df883c0e7280d1

SHA512
739fb89ae9a3102b08f1f22ab4e16e00327a222fdb128ca9fd464263ad94d759ae04715615e73ca92e1e04116e1dd18e38480305ac352d1fe9af75d103da14e3

Download Submit
C:\Windows\SysWOW64\Himldi32.exe

Filesize
123KB

MD5
f00954b5e796e9fe48178d19cc51141a

SHA1
1594b826b4e01412b3d14f9aaee3bbbcd1471238

SHA256
739f3a8cc28fe9e7b5b36f7f92b68e2b05d365d4ca02018d104989baa4f82e25

SHA512
2b21ecf679b7e1d7bd633c58f3dae92db20921c626a64e4f058f49ba501e35182764dca117e9f923055ac1c7101749137ecfe9c0c0d3f0dd9433c5f9450d2a3d

Download Submit
C:\Windows\SysWOW64\Hjqaij32.dll

Filesize
7KB

MD5
a94ace2cc32015f0a18e12967690a842

SHA1
44ae9311bc7d0e2a626d16f29e612560981f5e4f

SHA256
780af61f614b20981b999481fddc30f7da7fbd94217122ed61e97d489f232d90

SHA512
6bec1808176fed99b93694bfd6c2d43c75f8d2a0fa3a426d82df568e250df1f6a20c14ef09a126bd6974c6c2fe3bed34946f66489be46792cee1b145b8e48e29

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
123KB

MD5
93a9a86ecad3cfe87229778620de5f26

SHA1
dc0e0813bdddacb4fe34cd608d79922507338b3f

SHA256
013b15cfb537e942bb46f6fc4240298e3d4c7751236ec11b1e84245bb2aba1a6

SHA512
92cc39c2da4c109af52e8514fd473b90a4e951d97cc2f9cc8433a8177e59ab26edfa417b3e010abda9f9b1cb92db2c2f4756cade61decfde2b2394a696f9881d

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
123KB

MD5
a47ea737b269266fdb083b65bc00e809

SHA1
80320667e65039c21507b41cd482eb2dbbd7a3a3

SHA256
bc3e26c144a9e8298d4738e4d3df0df977019d1389074d41d73adeb65752279d

SHA512
b0fa1c3c11e7ab3d54439c32bfeed8e662eca226dab878e7ccb8ec755de022fd88468c3f52ebc4dcff6cdd33054098baee82e131519ff7dc17564ca166713c1b

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
123KB

MD5
ad8b2916cd4051d8356e05e9d998f186

SHA1
4225cb355617c0640f96deb3308ddf548916bb5d

SHA256
a06d541f9883576215d3105bc3b49992b3840118661f3a61c719f26777ce4e2d

SHA512
96e8cafa105d1bf26ddaa9bd53c6d42b67e5ff93b3990cceb02c3ab1f73164280a0f88e6022b2732d2915bca7d4a490afcf3fd0a964db97c4f87eaf8b11129c7

Download Submit
memory/392-280-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/756-317-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/760-156-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/908-199-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1384-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1384-224-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1464-71-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1464-164-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1552-94-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1724-232-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1836-143-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1836-243-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2000-150-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2000-64-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2188-263-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2188-330-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2204-194-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2204-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2316-310-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2620-337-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2832-176-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2832-99-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2948-123-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2948-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3032-28-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3084-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3084-97-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3168-211-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3348-292-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3380-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3380-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3384-298-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3508-85-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3628-323-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3628-254-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3696-56-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3696-141-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3700-286-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3776-304-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4016-331-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4104-242-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4108-236-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4160-237-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4160-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4180-32-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4180-114-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4224-165-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4240-279-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4240-185-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4316-278-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4328-262-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4328-169-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4692-272-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4692-178-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4832-316-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4832-247-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4904-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4904-203-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4964-47-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4964-133-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5004-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5004-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5008-328-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5084-216-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads