79a5404759b058dbfed55d4ec443180df62c5e65700b670ae9da548bfe08db45

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 21:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

79a5404759b058dbfed55d4ec443180df62c5e65700b670ae9da548bfe08db45.exe
Size

59KB
MD5

a08523b46dd0fa04e24c3011201a4a8e
SHA1

64c3158899ccbd90fe02b52cc4ae0610293dc5c7
SHA256

79a5404759b058dbfed55d4ec443180df62c5e65700b670ae9da548bfe08db45
SHA512

569dde42e16b119e1b4d15782fa36c4e8c5d571c4ddb32e6d1d4aeadc610bcdc50cb400d24fabd4be0da2e8e6c813baf898a3410cee060ee4f26bc41f18d54c3
SSDEEP

1536:QaPimMxqulViwuY9aUpAWqGjeK+ykm2LfO:QfqulViI0phWT+ykLfO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoeieolb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbpedjnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidinqpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcaknbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pimfpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hldiinke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lafmjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdlmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gngeik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eifaim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfaajnfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkhpfbce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndgfpbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmpcbhji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdlmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbepme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgicgca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geanfelc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhenai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpfbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieojgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipgbdbqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfoann32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geanfelc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiodpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onmfimga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnpphljo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhdcmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddnobj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdehlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnobj32.exe

Executes dropped EXE 64 IoCs

pid	Process
1152	Eifaim32.exe
4204	Fijkdmhn.exe
3904	Fbbpmb32.exe
2252	Flkdfh32.exe
752	Fiodpl32.exe
1004	Fbgihaji.exe
936	Gfeaopqo.exe
3316	Gpnfge32.exe
1480	Gmafajfi.exe
1680	Gemkelcd.exe
2444	Gmfplibd.exe
2644	Gmimai32.exe
3572	Hfaajnfb.exe
2856	Hmpcbhji.exe
1772	Hifcgion.exe
396	Hmdlmg32.exe
756	Hoeieolb.exe
5100	Imgicgca.exe
4324	Ibcaknbi.exe
3696	Ipgbdbqb.exe
452	Ilnbicff.exe
3620	Igdgglfl.exe
2788	Iplkpa32.exe
3900	Modgdicm.exe
3676	Mnhdgpii.exe
5044	Mfchlbfd.exe
2228	Mnmmboed.exe
5016	Nnojho32.exe
4980	Nfjola32.exe
4792	Ngjkfd32.exe
1336	Npepkf32.exe
1612	Nnfpinmi.exe
4496	Npiiffqe.exe
2792	Oplfkeob.exe
1812	Onmfimga.exe
408	Ogekbb32.exe
2716	Opqofe32.exe
4832	Omdppiif.exe
512	Ogjdmbil.exe
1624	Omgmeigd.exe
3180	Pfoann32.exe
2752	Paeelgnj.exe
224	Phonha32.exe
732	Pmlfqh32.exe
1464	Pmpolgoi.exe
4388	Phfcipoo.exe
924	Ppahmb32.exe
1988	Qfkqjmdg.exe
1508	Qaqegecm.exe
1676	Qjiipk32.exe
2500	Qdaniq32.exe
1124	Adcjop32.exe
1424	Aknbkjfh.exe
4892	Adfgdpmi.exe
1652	Apmhiq32.exe
3052	Amqhbe32.exe
4052	Akdilipp.exe
5140	Bdmmeo32.exe
5180	Bdojjo32.exe
5220	Bpfkpp32.exe
5260	Bklomh32.exe
5300	Bphgeo32.exe
5340	Bknlbhhe.exe
5376	Bpkdjofm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ekcgkb32.exe	Eqncnj32.exe
File created	C:\Windows\SysWOW64\Gbpedjnb.exe	Geldkfpi.exe
File created	C:\Windows\SysWOW64\Aadafn32.dll	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Fijkdmhn.exe	Eifaim32.exe
File created	C:\Windows\SysWOW64\Mlkpophj.dll	Hmdlmg32.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Coegoe32.exe
File created	C:\Windows\SysWOW64\Omdppiif.exe	Opqofe32.exe
File created	C:\Windows\SysWOW64\Nqgnfcmm.dll	Egcaod32.exe
File created	C:\Windows\SysWOW64\Pmmlla32.exe	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Pjmnkgfc.dll	Ilibdmgp.exe
File created	C:\Windows\SysWOW64\Mjnnbk32.exe	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Pjaleemj.exe	Pcgdhkem.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Coffgmig.dll	Geldkfpi.exe
File created	C:\Windows\SysWOW64\Hfibjl32.dll	Geanfelc.exe
File created	C:\Windows\SysWOW64\Dgfpihkg.dll	Omdppiif.exe
File opened for modification	C:\Windows\SysWOW64\Ppahmb32.exe	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Oqklkbbi.exe	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Pcbkml32.exe	Pimfpc32.exe
File created	C:\Windows\SysWOW64\Nhhlki32.dll	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Cdpcal32.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Hnlodjpa.exe	Hecjke32.exe
File created	C:\Windows\SysWOW64\Fmamhbhe.dll	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Dpifjj32.dll	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Ieicjl32.dll	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Oplfkeob.exe	Npiiffqe.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Odlkfe32.dll	Hhdcmp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojnfihmo.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Akfiji32.dll	Nnojho32.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Hpaoan32.dll	Fkmjaa32.exe
File created	C:\Windows\SysWOW64\Bpkdjofm.exe	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Ofgdcipq.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Jcdihk32.dll	Fndpmndl.exe
File created	C:\Windows\SysWOW64\Ocoick32.dll	Gpolbo32.exe
File created	C:\Windows\SysWOW64\Ieojgc32.exe	Inebjihf.exe
File created	C:\Windows\SysWOW64\Fdllgpbm.dll	Iplkpa32.exe
File created	C:\Windows\SysWOW64\Oiikeffm.dll	Dkcndeen.exe
File opened for modification	C:\Windows\SysWOW64\Lafmjp32.exe	Lljdai32.exe
File created	C:\Windows\SysWOW64\Ilnbicff.exe	Ipgbdbqb.exe
File opened for modification	C:\Windows\SysWOW64\Ogjdmbil.exe	Omdppiif.exe
File created	C:\Windows\SysWOW64\Glllagck.dll	Ljpaqmgb.exe
File created	C:\Windows\SysWOW64\Omalpc32.exe	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Pmikmcgp.dll	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Figgdg32.exe	Ekcgkb32.exe
File created	C:\Windows\SysWOW64\Benibond.dll	Johggfha.exe
File opened for modification	C:\Windows\SysWOW64\Ilibdmgp.exe	Ieojgc32.exe
File created	C:\Windows\SysWOW64\Ibegfglj.exe	Ieagmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Mcfbkpab.exe	Mjnnbk32.exe
File opened for modification	C:\Windows\SysWOW64\Opbean32.exe	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Ibdlakbf.dll	Hfaajnfb.exe
File created	C:\Windows\SysWOW64\Enfqikef.dll	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Fpmfmgnc.dll	Ebifmm32.exe
File created	C:\Windows\SysWOW64\Hbihjifh.exe	Hhdcmp32.exe
File created	C:\Windows\SysWOW64\Egcpgp32.dll	Mcfbkpab.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbpb32.exe	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Flkdfh32.exe	Fbbpmb32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgihaji.exe	Fiodpl32.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Pcgdhkem.exe	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Dhlbgmif.dll	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Ogekbb32.exe	Onmfimga.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6688	6252	WerFault.exe	264

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdcemd.dll"	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbdpnaj.dll"	Gejhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgihaji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddifgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdoio32.dll"	Igdgglfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfpihkg.dll"	Omdppiif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccphn32.dll"	Hecjke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pboglh32.dll"	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgihaji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhgag32.dll"	Hifcgion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll"	Hemmac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieojgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkmjaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaabap32.dll"	Imgicgca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpiaimfg.dll"	Inebjihf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaeocdd.dll"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hifcgion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbpedjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibjl32.dll"	Geanfelc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blknem32.dll"	Gbpedjnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmikmcgp.dll"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fndpmndl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gijmad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddifgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glllagck.dll"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpgp32.dll"	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcncmnn.dll"	Ipgbdbqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmjim32.dll"	Gmafajfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibcaknbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onmfimga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjijid32.dll"	Ngjkfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omgmeigd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1152	1960	79a5404759b058dbfed55d4ec443180df62c5e65700b670ae9da548bfe08db45.exe	93
PID 1960 wrote to memory of 1152	1960	79a5404759b058dbfed55d4ec443180df62c5e65700b670ae9da548bfe08db45.exe	93
PID 1960 wrote to memory of 1152	1960	79a5404759b058dbfed55d4ec443180df62c5e65700b670ae9da548bfe08db45.exe	93
PID 1152 wrote to memory of 4204	1152	Eifaim32.exe	94
PID 1152 wrote to memory of 4204	1152	Eifaim32.exe	94
PID 1152 wrote to memory of 4204	1152	Eifaim32.exe	94
PID 4204 wrote to memory of 3904	4204	Fijkdmhn.exe	95
PID 4204 wrote to memory of 3904	4204	Fijkdmhn.exe	95
PID 4204 wrote to memory of 3904	4204	Fijkdmhn.exe	95
PID 3904 wrote to memory of 2252	3904	Fbbpmb32.exe	96
PID 3904 wrote to memory of 2252	3904	Fbbpmb32.exe	96
PID 3904 wrote to memory of 2252	3904	Fbbpmb32.exe	96
PID 2252 wrote to memory of 752	2252	Flkdfh32.exe	97
PID 2252 wrote to memory of 752	2252	Flkdfh32.exe	97
PID 2252 wrote to memory of 752	2252	Flkdfh32.exe	97
PID 752 wrote to memory of 1004	752	Fiodpl32.exe	98
PID 752 wrote to memory of 1004	752	Fiodpl32.exe	98
PID 752 wrote to memory of 1004	752	Fiodpl32.exe	98
PID 1004 wrote to memory of 936	1004	Fbgihaji.exe	99
PID 1004 wrote to memory of 936	1004	Fbgihaji.exe	99
PID 1004 wrote to memory of 936	1004	Fbgihaji.exe	99
PID 936 wrote to memory of 3316	936	Gfeaopqo.exe	100
PID 936 wrote to memory of 3316	936	Gfeaopqo.exe	100
PID 936 wrote to memory of 3316	936	Gfeaopqo.exe	100
PID 3316 wrote to memory of 1480	3316	Gpnfge32.exe	102
PID 3316 wrote to memory of 1480	3316	Gpnfge32.exe	102
PID 3316 wrote to memory of 1480	3316	Gpnfge32.exe	102
PID 1480 wrote to memory of 1680	1480	Gmafajfi.exe	103
PID 1480 wrote to memory of 1680	1480	Gmafajfi.exe	103
PID 1480 wrote to memory of 1680	1480	Gmafajfi.exe	103
PID 1680 wrote to memory of 2444	1680	Gemkelcd.exe	104
PID 1680 wrote to memory of 2444	1680	Gemkelcd.exe	104
PID 1680 wrote to memory of 2444	1680	Gemkelcd.exe	104
PID 2444 wrote to memory of 2644	2444	Gmfplibd.exe	105
PID 2444 wrote to memory of 2644	2444	Gmfplibd.exe	105
PID 2444 wrote to memory of 2644	2444	Gmfplibd.exe	105
PID 2644 wrote to memory of 3572	2644	Gmimai32.exe	106
PID 2644 wrote to memory of 3572	2644	Gmimai32.exe	106
PID 2644 wrote to memory of 3572	2644	Gmimai32.exe	106
PID 3572 wrote to memory of 2856	3572	Hfaajnfb.exe	107
PID 3572 wrote to memory of 2856	3572	Hfaajnfb.exe	107
PID 3572 wrote to memory of 2856	3572	Hfaajnfb.exe	107
PID 2856 wrote to memory of 1772	2856	Hmpcbhji.exe	108
PID 2856 wrote to memory of 1772	2856	Hmpcbhji.exe	108
PID 2856 wrote to memory of 1772	2856	Hmpcbhji.exe	108
PID 1772 wrote to memory of 396	1772	Hifcgion.exe	109
PID 1772 wrote to memory of 396	1772	Hifcgion.exe	109
PID 1772 wrote to memory of 396	1772	Hifcgion.exe	109
PID 396 wrote to memory of 756	396	Hmdlmg32.exe	110
PID 396 wrote to memory of 756	396	Hmdlmg32.exe	110
PID 396 wrote to memory of 756	396	Hmdlmg32.exe	110
PID 756 wrote to memory of 5100	756	Hoeieolb.exe	112
PID 756 wrote to memory of 5100	756	Hoeieolb.exe	112
PID 756 wrote to memory of 5100	756	Hoeieolb.exe	112
PID 5100 wrote to memory of 4324	5100	Imgicgca.exe	113
PID 5100 wrote to memory of 4324	5100	Imgicgca.exe	113
PID 5100 wrote to memory of 4324	5100	Imgicgca.exe	113
PID 4324 wrote to memory of 3696	4324	Ibcaknbi.exe	114
PID 4324 wrote to memory of 3696	4324	Ibcaknbi.exe	114
PID 4324 wrote to memory of 3696	4324	Ibcaknbi.exe	114
PID 3696 wrote to memory of 452	3696	Ipgbdbqb.exe	115
PID 3696 wrote to memory of 452	3696	Ipgbdbqb.exe	115
PID 3696 wrote to memory of 452	3696	Ipgbdbqb.exe	115
PID 452 wrote to memory of 3620	452	Ilnbicff.exe	116

C:\Users\Admin\AppData\Local\Temp\79a5404759b058dbfed55d4ec443180df62c5e65700b670ae9da548bfe08db45.exe
"C:\Users\Admin\AppData\Local\Temp\79a5404759b058dbfed55d4ec443180df62c5e65700b670ae9da548bfe08db45.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\Eifaim32.exe
  C:\Windows\system32\Eifaim32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\Fijkdmhn.exe
    C:\Windows\system32\Fijkdmhn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\SysWOW64\Fbbpmb32.exe
      C:\Windows\system32\Fbbpmb32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3904
    - - C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        27⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        32⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        40⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        45⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        46⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        53⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        54⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        55⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        57⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        61⤵
        Executes dropped EXE
        
        PID:5220
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        62⤵
        Executes dropped EXE
        
        PID:5260
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5300
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        65⤵
        Executes dropped EXE
        
        PID:5376
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        66⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        69⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        70⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        71⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        73⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        74⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        75⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        76⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        77⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        78⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        79⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        80⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        81⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        84⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        89⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        92⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        95⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        96⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        98⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        100⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        102⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        107⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        110⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        111⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        113⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        118⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4100
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        120⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        121⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        123⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        124⤵
        Drops file in System32 directory
        
        PID:6212
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        125⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        128⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6440
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        130⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        131⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6564
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6660
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        135⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        137⤵
        Drops file in System32 directory
        
        PID:6792
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        139⤵
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        141⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        142⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        143⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        145⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        146⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        147⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        152⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        155⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        156⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6996
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        158⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7132
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        160⤵
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6240
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        162⤵
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        164⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7052
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        169⤵
        Drops file in System32 directory
        
        PID:7108
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        170⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 400
        171⤵
        Program crash
        
        PID:6688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6252 -ip 6252
1⤵
PID:6520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:6216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
59KB

MD5
184c51649134ae2ebd2f98bec9fd498f

SHA1
dc15b455e78c48c2bc1ee26e9b060fe0db6399a5

SHA256
541fe3ca220ec2f4f46aff467240af05dd7df2b4f0b891d05ded8471488621ad

SHA512
65f5ad4b88010a450e75000af856ea12080c0eddff16ec2617f21f2c1d41161afe6db221b4f22976b6312ef49a439f4da83ad69d795e61c024f749a886c1d50a

Download Submit
C:\Windows\SysWOW64\Eifaim32.exe

Filesize
59KB

MD5
da08072569acbba2ec42bded8a8afa61

SHA1
c1052f48cf7e1268ca0ada512f5071b369108a03

SHA256
853ce8bb302ea4ab3f3b4502a6b75afe5cd9505046e93fb30a1efd2a7206bdcc

SHA512
9ed991a2fc3dabd77e85f4c62b627c6e7f56614f7da9f1034d2df4e2bd83babdead80bb4fb4f0f5abeade22aca9f20aac0c9417128a18a5c6473bfddb6ce8dbd

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
59KB

MD5
366909975998a1b3577798d67c277a3d

SHA1
611dff40a4be793bdf6d78702cbcaaec1d82a84f

SHA256
138c665de25a51d8c6e924856f8ca0ef09209d7aa255e9caccf5253abfea93d4

SHA512
3b8c5a228a538e9d828037d7f4821285e1e2486bd079858080d70c2fe0464d506aef829d663ac12bd0bfca4c70afc885b87a6bcbcb1b570b21155764e58e2491

Download Submit
C:\Windows\SysWOW64\Fbgihaji.exe

Filesize
59KB

MD5
71d65add7fd0f2a80c74967795cd7a2e

SHA1
d081dd14fde60912a818f45104e5b0d59c9ca0fe

SHA256
b25de0d2ca73efa8ed266c44e0535b2e3b16d1b11e52c58bd279e94807c9606b

SHA512
bb5df5338b8ab8afd4ceab733a85deeb7f46883e959e8784ec47229b58acc1c90ed3b2f70b10c2e02c86321d26ad6d3aaf893c6149f08f733eba98ddb77200ac

Download Submit
C:\Windows\SysWOW64\Fijkdmhn.exe

Filesize
59KB

MD5
2ff2221cb64bb7b0b510e4054e045250

SHA1
f14a161742e6a90a4e84d1ca520130bf75802fa1

SHA256
15e2b95281f15d0e68e51360b1ce44b614b9372078537a03055f70bc4f891f53

SHA512
515eecdfd2c46bb5fbddbc466941b850698af4d72dadae6d0e1efcde75edab8a7fd5c94c3a3521f530c08213c802a7fb94caf7b2f87b618ec75e4aa82e895da3

Download Submit
C:\Windows\SysWOW64\Fiodpl32.exe

Filesize
59KB

MD5
66f521ea0160f37f0b70e0b4e60c6ab7

SHA1
733d9e6a3c592ca19e593a26d0b206ab33b96800

SHA256
d90ab56aac8f5e2390a1e64d9ee5fd4c6078a54af57bc5042be6d116cdd471bf

SHA512
c9627e9d2216a11f4331d39b5c8a1354ae2b07e1a05b6a945753dbdb4a523e06aba13e0325565db6865b023f22097b1979c65d241763be35c8153e41db0ff7cc

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
59KB

MD5
30772ae89c40ea8453fd601f654b43f8

SHA1
0a7f72e4100a6422cdf44009aee27cad2a8a5847

SHA256
56bd8ad640613f7adba1c4f9a9aa428f6921ddbefd5dfada4ae4d1fdc3e8887a

SHA512
0e83153202ea7e0656a1e1071b3857ed5974f3b7b622a38cbaddfb601866bb2bf6a37ffd03df1744fc4ed248d8d6505b90918ff5f3feb375413e00a53c866d96

Download Submit
C:\Windows\SysWOW64\Gemkelcd.exe

Filesize
59KB

MD5
4c6fccfce15a743cfe5a425e334974ab

SHA1
f8e6a584fc5828ceba2dc708358c08e11db9fd9f

SHA256
dc7f9a4f336b4cccb13bfb9122c0e33d84079bb4c23bf3f8cb473e693c042f4d

SHA512
1961dd66256464d34c79c765e3061291d60f6c96aefa27e6e83db8d1d367fb56e64192d1b30cee155dba0d2480eb057b8794fd367dfbf09d2434e032ba3573ec

Download Submit
C:\Windows\SysWOW64\Gfeaopqo.exe

Filesize
59KB

MD5
766bb394a8fb4eaf8f26d0f0ee3a901d

SHA1
7cfb9ba6050bc3b06e949a3a1d678b640962f639

SHA256
0052e9ffb90239e6a7d3a38bf0c735bddde6c5fcd56d4b21d2a8f9dfc6d5054c

SHA512
c8ac7b7e4eb063de0aed8282f9adfaf04d3c95b869e8e0cf6cb5c0e37d047812d3ee48a6d9329e23f93f8862e3333908f39d14730bd80bb8a487f3d31f5ce4af

Download Submit
C:\Windows\SysWOW64\Gmafajfi.exe

Filesize
59KB

MD5
a1f0929bfdb6c9d7de69fd8cd5df58c7

SHA1
69c8766fc3b41a16b03c03e95b015c6c3826a7a2

SHA256
5ef2296b2833ebbfcab9e64e756636a6dd775cd943cc87b5737f44d113752fa6

SHA512
53d22f17610c47e7c3899d65315eb753f28890856c840c9e7649caa3de97bc061a8dba74ed3e243e52c443f5e517f06d90a1fef7a52e61e63355bccbb32f47d7

Download Submit
C:\Windows\SysWOW64\Gmfplibd.exe

Filesize
59KB

MD5
8e4a2f8e0e8b488847333ca0d4b9ac96

SHA1
ccafaca2546d02cb41e44eaf7ecbba0979e902e8

SHA256
2f038f3d7cedb0cefd4de2b32a9db489bce1dfada5d92b77ddb44c7ae93ab3d9

SHA512
d382117fead9a98bf2f24fd752cc9988d66ffe96d8feb292b2ccaa7f02b9dd1a6789ec42c5b9c54acfc382d63a0eedeff1b233e3c251a907b7234a8724651916

Download Submit
C:\Windows\SysWOW64\Gmimai32.exe

Filesize
59KB

MD5
831b9ab3c1c94635c9a4ce3d3ef8fc1a

SHA1
f15beb8bb8333048a5b491c0ac9c8f9a654f12bf

SHA256
c9a437bc7c18e19036af098d00218a7c0fee3ce5255d7faa631d7fda7466e408

SHA512
c2bd2d66e1820ccd5a9370990b8448463184fc51da8e769da170d5ae86a2c5d7179ed9dbd57716867a1769e043e84d9044e9d5c3f516be6da78201c7ab4d2206

Download Submit
C:\Windows\SysWOW64\Gpnfge32.exe

Filesize
59KB

MD5
ca7f3fb8ad45c07e32b6166b413acb2c

SHA1
4ef19b61b8de1fb7d7cdf61b9acebfad83f2002d

SHA256
d262c029da3c97c3a8ed36c80cbbcc4ab15cd6863653b3bf59de2372e755e6df

SHA512
5661af10a373835be04aa92ae6d890e8da228c9f028cfc96608244f493447efe689227de291179563c6347c8aaa403c04e35de8d3804a939b0a4787bca2a28f6

Download Submit
C:\Windows\SysWOW64\Hfaajnfb.exe

Filesize
59KB

MD5
ba854449a7d1bb12f85c8eb32dbedeef

SHA1
9d11eb0b532fd4d8910a5b212027745043bc2171

SHA256
11d59c1765b51314613fbc8d16173706d5745769bde79038a24035fe56ce94d6

SHA512
629ed35e1c83f1fd80248c7f3cbd0cc7305eec2be91494ba40dd940a05e68d694c623f64a85eb96ccb162f2c92f7184c23dfeea7ea7c5fa7e394bf477cb4eb78

Download Submit
C:\Windows\SysWOW64\Hifcgion.exe

Filesize
59KB

MD5
9e228ef94ab4f0dad4e5fc06e17eef6d

SHA1
a179eb5bc2291c507d3f1e1d8b819ceb50d7518c

SHA256
92d433e94f2cc43150900946c87f3ca0847d0d1bb6f16ebf8403312f86ac7288

SHA512
bff0b53af920005e2bf855905d6614a91d72cd5bf800e3dabe5e9a137ee8872eedd2edd0a8db22013c79b1e34e861baab086844925b2bbf23785fe14a4f17d7b

Download Submit
C:\Windows\SysWOW64\Hmdlmg32.exe

Filesize
59KB

MD5
0327fce0d2a6f3e61b13f04b4caefae0

SHA1
8337a356e1265a084d7f7516b82c310ccf137d62

SHA256
c09e63857caa4f0cfdeec7215dc676acbff384b698bd89f718ae13149e1a1469

SHA512
0a70389f3636ced17773ce04bfdddf7f7db7d4c31874e2d584907e0eb6a45c7fe795b606581a41850f37c801a562b91a3ba193fbf5cbbf6ee3893ca0b43539d9

Download Submit
C:\Windows\SysWOW64\Hmpcbhji.exe

Filesize
59KB

MD5
9967f643743f79c7fd8d7633a3975fa2

SHA1
ae36797be4075344c44cc234a87a35ea89b187a1

SHA256
55d2bb61c4e4b38af6e7e608ab5d6ace3154757414a1dba11e5c67084f60ef84

SHA512
da473d88a57f818c6a4a5494458fa22725df0977130aac77f79618ee611cf16238f8ccec5cb9ab6e3e1e52fcc25395877970c62118435a6525a84f33b5d78761

Download Submit
C:\Windows\SysWOW64\Hoeieolb.exe

Filesize
59KB

MD5
6889d845307599bdd4f163e57544ed92

SHA1
f157f9fde60cd0c4ca0ea7a9ac3e230254b5a88d

SHA256
8151dfe19898196858524c4b98bdeb851ad52420048cd23605b9aede5b28b2eb

SHA512
b1324720cc4e6fb2599745945c25711396433488f0c7f325ad782c3cd883fc9cf7c4d0b6a2fcd587fd1570372f680889efe0b660dde1ed91150561abe82449e3

Download Submit
C:\Windows\SysWOW64\Ibcaknbi.exe

Filesize
59KB

MD5
3a8b09aee5de77fd4cfc1d73e09ad2d7

SHA1
568447a38daa4b25f3f67dfad03a9ba767cf1858

SHA256
5bd3a300b4d7d31c03aebc96e7d1eade0d66b647924b2c5fb978878785fa2e12

SHA512
619c248bb39bcb89212cfcdf29170d37140c9571a4648a566dc8b294f8265a64c8bc38488f82b373d30469e62af5d2d65204e413f2f5b7cb4f6d96ae3f021f1f

Download Submit
C:\Windows\SysWOW64\Igdgglfl.exe

Filesize
59KB

MD5
b6b72962134ec786599580a8dd913032

SHA1
4acb60307ae1c10b65d8da43eecac575c34277e7

SHA256
8656785d6f8cae1b38846ad361c48fa69d4b0dc110169f20054b32078556cd49

SHA512
194bd358368d2546ea568c979c4a3a566b9f33def50ae787e2620d726aa634ff20ff4694090236f5dfcf030e9ef29ea7d544bc2f565d875e07395b3e4c6b2f22

Download Submit
C:\Windows\SysWOW64\Ilnbicff.exe

Filesize
59KB

MD5
8526d4b93ccc2c438162f0d368148ab2

SHA1
b3d8f1095f7d331cbd558e66881b9bc48807198b

SHA256
0cbafd24ffae461b40e0e320d2229feaf38655d5a9f48f9a5fcd541974740620

SHA512
ce590f528a9d02f07ddfce51210c27b02e734c910aca5bc8ac505f4f129ce1841c374d0cdfdc99d02de2339fc4b66ad9ad0edda43b48ed93be5cfde517e4d1f1

Download Submit
C:\Windows\SysWOW64\Imgicgca.exe

Filesize
59KB

MD5
18f7682e350533aef12485c9085bd8aa

SHA1
2433234e72491d604ce5100f0d72af50f63e99ed

SHA256
4a2d720a8daddda27995aaf9e5dcac6300463af132c5d70eb011c2b80adf6642

SHA512
e969b63af393b3718eea31331f50e6324a1bc170f72d86c8c27e247122a3251c5dcb4e2859db630b66dabe28d80ef933504be4c68259a1b46537a9bcb57c99de

Download Submit
C:\Windows\SysWOW64\Ipgbdbqb.exe

Filesize
59KB

MD5
f1bb036d7d648ef286a899f068b40c6c

SHA1
1f54ac69e0a8c9ee60d49829d3f3da89e1c1bd7c

SHA256
2b639b6303b8509a60986a2494a886ccb831d90d5ebba59daecf62fe2cd6f6e4

SHA512
17550ae7bc5da2422cb406c31cac5c22831f750e1b670305ebeb682c445c652cb5403f195c1e624d59842ea82d54604efb37ccff8ec7961beb64dd8c73e28574

Download Submit
C:\Windows\SysWOW64\Iplkpa32.exe

Filesize
59KB

MD5
885e9340ccad89e6eb6409c2932e9212

SHA1
9708650b94efc941d28e04a8cf9f10e94bb737f1

SHA256
0e662f4faf67f692e6b8eca53e7002fa886133940adf3d9973f2c390a7ee0eba

SHA512
0bdc9ab85820284dc5eb410343fb67172c550a6cb3b5841828bd6e377f7f5acca00d1005b9988661058def0ab4d410a1ff69fe253b2c94dc40e97a3522a6591f

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe

Filesize
59KB

MD5
7c3c78217e1a40197b26a52691652846

SHA1
f266335b37bcf6684fd06e05ae387bb32e3ca5fc

SHA256
9bb9d831c107131e2789bcb6e814f29e60e0f11f24317f938a5e6b13ea3e520c

SHA512
24871497335a61f0e585fb3d9034aa2e9d811b184f3944e5fcdee4b9fc11799b84d174059beb11cb8a4b99b56f6cd17b49de33640f4fe5fcf22e4dd0d3ffb655

Download Submit
C:\Windows\SysWOW64\Mnhdgpii.exe

Filesize
59KB

MD5
a4f231a53073f9f77eccfb9df2fcb6b1

SHA1
415d836b00cad3b0011995c84877010dccd2a527

SHA256
8125251c5b2fcda5314f7a3067f66cb23b4f2d0f99c9a0ded427755a4f96d7f9

SHA512
12f41df8c5a0e5691801b54652a0ac5ef694398ab2634f6342628492b7e9dad4a08dec827ef720fda32e97941fc33cec6d13d7d120cb658d4993f3a4779c5f3a

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
59KB

MD5
222bb97528a33a49f1a6372f20041128

SHA1
1d962f2b3207431f381337e1a472fe7233d0a84c

SHA256
a6159cddf2b0dd2857c7858c091310631ffd0bbba80d68c97613fcc08db8d64f

SHA512
0ce589ada094abe891a822c7c21cd64d62d661736e633f69e7a099580f5bd480eed0f237887471e58e8840509fd274616d88a5320ffb1630a939d62b450e0764

Download Submit
C:\Windows\SysWOW64\Modgdicm.exe

Filesize
59KB

MD5
a16f4ca3f8815c79dd2643fbe0db8597

SHA1
bb5ad3c707aa4e45a801557e40a14cd719ba3c5c

SHA256
f87df3740bacf23037b71f1dd7caa641ce509b32353982c7c8648673a67b06f9

SHA512
3087695248df3eeddef8f15bee9f00401c505b7660ff701c9f29e4e9f9c230b2a85afedcb4dc8d69508e42084c0bd26c525ae3e511607aeed591779f79b46d13

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
59KB

MD5
b66fecfa8da037814a6bee4dcdb5b251

SHA1
9b5467359af05a741818172a31c623261a091211

SHA256
e85e9da15144371df035d5abd1cd87d48cfe85072476b774753d204f815e3f79

SHA512
37bd72458224a5f1c9725c740cfd6c01d7f8228b859a520e1dc1e57d1fb4c7fe70b5bae5904314cdf88317c261875f8d89b767ea1059dba84af5dbc7f46ab3ef

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
59KB

MD5
da398280d0ca95004380c6b6788537a3

SHA1
245b4e972f2d0567878f76bac4078860b76ec2c3

SHA256
9f5eff8811ac50d3b52ff98939c4749875427110a6584394c32811f01401fdc8

SHA512
2378d15d6cebc046442eb12fbf0fbaefd18361b7390403468f831e5aeaf3259a941cf632af4baae6b02d4ef82e4e1166c6e5c2ca094e37f6ecb678ecb85acb2a

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
59KB

MD5
4413c65910512750f1dde46fa0e7184b

SHA1
23c629ca96ee6bd1e579c62fdc6e50a733541fe2

SHA256
094b190f7025ca7d21141558fc90792f643f2f30fc3f80d8dd6b7cc93efafaa2

SHA512
5f7b8701ae475dec5417cb163b99f524ea760f8103387219b970dc99ad76fa69ed19b79531d54e07b4e748c016ba0b48062e1d1b4af99f73476494ab9c7217ef

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
59KB

MD5
ac5112393e58b5437ab41ff84323c5c5

SHA1
3c61719b888098827192a6cf49b5bdd3560ae678

SHA256
a514e0ca1f06c5da71d250c2248757d835dea6940ebbd99be3c70fe0d9ee8009

SHA512
9578dbffb212458a1cb955f8ddeeb734cef6d83135be78a867749c9612aa9e7de044d03d74a270fcc798869e1430c7b43eccddfb1dc955f7d1c84488acaf995b

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
59KB

MD5
103a6debf92422675aad5b37db1a3dd1

SHA1
00fedcb0276c61e7cca41f7f48f2848be030ea23

SHA256
437395eadb71c52a3e3c7e61c23ceb9d3ace08b75f522903190b7cf05f0d3b03

SHA512
e12e848400d98095a8849a4eaa12b1a7508770d7e759566eb672c4bcc97265b85d05519522ddfbb2cc94e6c3831d69d3df098b82daa953aa5a175c498bed5e2c

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
59KB

MD5
818ea842706a4ab090fcea3296e2f041

SHA1
0228ea2835e669223a0d5b57077ac3d3295aa67f

SHA256
83de8e9f007b215437ffc01e74815a7db91e1f500cdd6f553adc3ee3a1c1cebf

SHA512
be2d0a3a893eb7145f14b77af84e3a8af12efbf93b3c837708ea4c18d59520653c79f96f34eede0e4f4d5cdb3c1feef950fe073c1fe1c70811ea9cbfb801c7df

Download Submit
memory/224-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1424-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4204-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5140-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5180-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5220-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5260-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6252-1214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6824-1218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6932-1217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7052-1216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7108-1215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads