3bf6899e58a5f403037958fd41e4c9d9d123b15127154e26eed19fec02f9d374

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bf6899e58a5f403037958fd41e4c9d9d123b15127154e26eed19fec02f9d374.exe
Size

120KB
MD5

11f72917b5ebca12137f714f0940a587
SHA1

32226fd7e22d808f93a0fd929aa6de0bf9dc0e5a
SHA256

3bf6899e58a5f403037958fd41e4c9d9d123b15127154e26eed19fec02f9d374
SHA512

432f8bd524d5b11176b5deacc76422bd5386e4fce3cf15e9cd6a50f69a310b708822c666e5c4fe019b6d3dd9f414318a420c6f84d10b3a31608ac454f3d8fa2e
SSDEEP

3072:ufWM7IinFdZC4imrXiXm7kfeVarSPQi/mjRrz3C:ufWMsiFdZC4imrXiWAfe0rmQi/GC

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfngap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgjmapi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fafkecel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gohhpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eabbjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icifbang.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkalchij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdialn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eabbjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfgjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdialn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkhbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckajehi.exe

UPX dump on OEP (original entry point) 36 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023203-6.dat	UPX
behavioral2/files/0x000700000002320c-14.dat	UPX
behavioral2/files/0x000700000002320e-22.dat	UPX
behavioral2/files/0x000700000002320f-31.dat	UPX
behavioral2/files/0x0007000000023211-38.dat	UPX
behavioral2/files/0x0007000000023213-46.dat	UPX
behavioral2/files/0x0007000000023216-54.dat	UPX
behavioral2/files/0x0007000000023218-62.dat	UPX
behavioral2/files/0x000700000002321a-70.dat	UPX
behavioral2/files/0x000700000002321c-78.dat	UPX
behavioral2/files/0x000700000002321e-86.dat	UPX
behavioral2/files/0x0007000000023220-94.dat	UPX
behavioral2/files/0x0007000000023222-103.dat	UPX
behavioral2/files/0x0007000000023224-110.dat	UPX
behavioral2/files/0x0007000000023226-118.dat	UPX
behavioral2/files/0x0007000000023228-126.dat	UPX
behavioral2/files/0x000700000002322a-134.dat	UPX
behavioral2/files/0x00030000000228c0-142.dat	UPX
behavioral2/files/0x000700000002322d-151.dat	UPX
behavioral2/files/0x0007000000023230-167.dat	UPX
behavioral2/files/0x0007000000023232-175.dat	UPX
behavioral2/files/0x00020000000228bf-159.dat	UPX
behavioral2/files/0x0007000000023234-182.dat	UPX
behavioral2/files/0x0007000000023236-190.dat	UPX
behavioral2/files/0x0007000000023238-198.dat	UPX
behavioral2/files/0x000700000002323a-206.dat	UPX
behavioral2/files/0x000700000002323c-215.dat	UPX
behavioral2/files/0x000d000000023125-222.dat	UPX
behavioral2/files/0x000700000002323f-230.dat	UPX
behavioral2/files/0x0007000000023241-238.dat	UPX
behavioral2/files/0x0007000000023243-246.dat	UPX
behavioral2/files/0x0007000000023245-254.dat	UPX
behavioral2/files/0x0007000000023299-509.dat	UPX
behavioral2/files/0x00070000000232a1-521.dat	UPX
behavioral2/files/0x00070000000232d5-697.dat	UPX
behavioral2/files/0x00070000000232e1-739.dat	UPX

Executes dropped EXE 64 IoCs

pid	Process
5008	Ekacmjgl.exe
2196	Ehedfo32.exe
1036	Ekcpbj32.exe
5112	Elbmlmml.exe
4812	Eekaebcm.exe
2476	Eabbjc32.exe
3320	Ekjfcipa.exe
4784	Fljcmlfd.exe
688	Fafkecel.exe
3820	Fkopnh32.exe
480	Faihkbci.exe
5116	Fkalchij.exe
3028	Fdialn32.exe
1992	Fckajehi.exe
4324	Ffimfqgm.exe
4248	Fdnjgmle.exe
1656	Gkhbdg32.exe
1176	Gfngap32.exe
1064	Glhonj32.exe
3544	Gbdgfa32.exe
2212	Gdcdbl32.exe
64	Gohhpe32.exe
2124	Gbgdlq32.exe
4392	Gmoeoidl.exe
4232	Gfgjgo32.exe
2372	Hijooifk.exe
1368	Hodgkc32.exe
3312	Heapdjlp.exe
956	Hkkhqd32.exe
864	Hbeqmoji.exe
4820	Icgjmapi.exe
1996	Iehfdi32.exe
5000	Icifbang.exe
1888	Iifokh32.exe
3024	Iemppiab.exe
2024	Imdgqfbd.exe
4292	Ibqpimpl.exe
5104	Ieolehop.exe
3264	Ipdqba32.exe
1040	Jmhale32.exe
3672	Jcbihpel.exe
3444	Jedeph32.exe
2100	Jpijnqkp.exe
3912	Jmmjgejj.exe
2284	Jbjcolha.exe
1384	Jidklf32.exe
1476	Jblpek32.exe
1172	Kfjhkjle.exe
1276	Kmdqgd32.exe
2532	Klgqcqkl.exe
4776	Kbaipkbi.exe
3380	Kmfmmcbo.exe
2288	Kdcbom32.exe
2816	Kfankifm.exe
2608	Kmkfhc32.exe
4368	Kbhoqj32.exe
3848	Kibgmdcn.exe
2368	Kdgljmcd.exe
652	Leihbeib.exe
484	Lmppcbjd.exe
2644	Lbmhlihl.exe
3596	Ligqhc32.exe
2900	Ldleel32.exe
3924	Lenamdem.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fkalchij.exe	Faihkbci.exe
File created	C:\Windows\SysWOW64\Icfpbq32.dll	Fdialn32.exe
File created	C:\Windows\SysWOW64\Icifbang.exe	Iehfdi32.exe
File created	C:\Windows\SysWOW64\Ibqpimpl.exe	Imdgqfbd.exe
File opened for modification	C:\Windows\SysWOW64\Jpijnqkp.exe	Jedeph32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Qddina32.dll	Hkkhqd32.exe
File created	C:\Windows\SysWOW64\Dmamoe32.dll	Jpijnqkp.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Gbdgfa32.exe	Glhonj32.exe
File created	C:\Windows\SysWOW64\Jfaklh32.dll	Kmdqgd32.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcbom32.exe	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Fdialn32.exe	Fkalchij.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mifnjj32.dll	Eekaebcm.exe
File opened for modification	C:\Windows\SysWOW64\Ekjfcipa.exe	Eabbjc32.exe
File created	C:\Windows\SysWOW64\Fdnjgmle.exe	Ffimfqgm.exe
File created	C:\Windows\SysWOW64\Klgqcqkl.exe	Kmdqgd32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Ncmlocln.dll	Kdgljmcd.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Kfjhkjle.exe	Jblpek32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Imdgqfbd.exe	Iemppiab.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Lmppcbjd.exe	Leihbeib.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Elbmlmml.exe	Ekcpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Glhonj32.exe	Gfngap32.exe
File opened for modification	C:\Windows\SysWOW64\Hkkhqd32.exe	Heapdjlp.exe
File created	C:\Windows\SysWOW64\Phaedfje.dll	Jmhale32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Fljcmlfd.exe	Ekjfcipa.exe
File created	C:\Windows\SysWOW64\Hhhbcf32.dll	Ffimfqgm.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Bhaomhld.dll	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Benlnbhb.dll	Lbmhlihl.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Mjhmqf32.dll	Heapdjlp.exe
File created	C:\Windows\SysWOW64\Jiopcppf.dll	Jcbihpel.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ekacmjgl.exe	3bf6899e58a5f403037958fd41e4c9d9d123b15127154e26eed19fec02f9d374.exe
File created	C:\Windows\SysWOW64\Eekaebcm.exe	Elbmlmml.exe
File opened for modification	C:\Windows\SysWOW64\Heapdjlp.exe	Hodgkc32.exe
File created	C:\Windows\SysWOW64\Ieolehop.exe	Ibqpimpl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6720	6324	WerFault.exe	266

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkhbdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiopcppf.dll"	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Faihkbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmoeoidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbeqmoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iehfdi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbeqmoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldggoeb.dll"	Fkopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehedfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pejjde32.dll"	Ehedfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hijooifk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 5008	2676	3bf6899e58a5f403037958fd41e4c9d9d123b15127154e26eed19fec02f9d374.exe	90
PID 2676 wrote to memory of 5008	2676	3bf6899e58a5f403037958fd41e4c9d9d123b15127154e26eed19fec02f9d374.exe	90
PID 2676 wrote to memory of 5008	2676	3bf6899e58a5f403037958fd41e4c9d9d123b15127154e26eed19fec02f9d374.exe	90
PID 5008 wrote to memory of 2196	5008	Ekacmjgl.exe	91
PID 5008 wrote to memory of 2196	5008	Ekacmjgl.exe	91
PID 5008 wrote to memory of 2196	5008	Ekacmjgl.exe	91
PID 2196 wrote to memory of 1036	2196	Ehedfo32.exe	92
PID 2196 wrote to memory of 1036	2196	Ehedfo32.exe	92
PID 2196 wrote to memory of 1036	2196	Ehedfo32.exe	92
PID 1036 wrote to memory of 5112	1036	Ekcpbj32.exe	94
PID 1036 wrote to memory of 5112	1036	Ekcpbj32.exe	94
PID 1036 wrote to memory of 5112	1036	Ekcpbj32.exe	94
PID 5112 wrote to memory of 4812	5112	Elbmlmml.exe	95
PID 5112 wrote to memory of 4812	5112	Elbmlmml.exe	95
PID 5112 wrote to memory of 4812	5112	Elbmlmml.exe	95
PID 4812 wrote to memory of 2476	4812	Eekaebcm.exe	96
PID 4812 wrote to memory of 2476	4812	Eekaebcm.exe	96
PID 4812 wrote to memory of 2476	4812	Eekaebcm.exe	96
PID 2476 wrote to memory of 3320	2476	Eabbjc32.exe	97
PID 2476 wrote to memory of 3320	2476	Eabbjc32.exe	97
PID 2476 wrote to memory of 3320	2476	Eabbjc32.exe	97
PID 3320 wrote to memory of 4784	3320	Ekjfcipa.exe	98
PID 3320 wrote to memory of 4784	3320	Ekjfcipa.exe	98
PID 3320 wrote to memory of 4784	3320	Ekjfcipa.exe	98
PID 4784 wrote to memory of 688	4784	Fljcmlfd.exe	99
PID 4784 wrote to memory of 688	4784	Fljcmlfd.exe	99
PID 4784 wrote to memory of 688	4784	Fljcmlfd.exe	99
PID 688 wrote to memory of 3820	688	Fafkecel.exe	100
PID 688 wrote to memory of 3820	688	Fafkecel.exe	100
PID 688 wrote to memory of 3820	688	Fafkecel.exe	100
PID 3820 wrote to memory of 480	3820	Fkopnh32.exe	101
PID 3820 wrote to memory of 480	3820	Fkopnh32.exe	101
PID 3820 wrote to memory of 480	3820	Fkopnh32.exe	101
PID 480 wrote to memory of 5116	480	Faihkbci.exe	102
PID 480 wrote to memory of 5116	480	Faihkbci.exe	102
PID 480 wrote to memory of 5116	480	Faihkbci.exe	102
PID 5116 wrote to memory of 3028	5116	Fkalchij.exe	103
PID 5116 wrote to memory of 3028	5116	Fkalchij.exe	103
PID 5116 wrote to memory of 3028	5116	Fkalchij.exe	103
PID 3028 wrote to memory of 1992	3028	Fdialn32.exe	104
PID 3028 wrote to memory of 1992	3028	Fdialn32.exe	104
PID 3028 wrote to memory of 1992	3028	Fdialn32.exe	104
PID 1992 wrote to memory of 4324	1992	Fckajehi.exe	105
PID 1992 wrote to memory of 4324	1992	Fckajehi.exe	105
PID 1992 wrote to memory of 4324	1992	Fckajehi.exe	105
PID 4324 wrote to memory of 4248	4324	Ffimfqgm.exe	106
PID 4324 wrote to memory of 4248	4324	Ffimfqgm.exe	106
PID 4324 wrote to memory of 4248	4324	Ffimfqgm.exe	106
PID 4248 wrote to memory of 1656	4248	Fdnjgmle.exe	107
PID 4248 wrote to memory of 1656	4248	Fdnjgmle.exe	107
PID 4248 wrote to memory of 1656	4248	Fdnjgmle.exe	107
PID 1656 wrote to memory of 1176	1656	Gkhbdg32.exe	108
PID 1656 wrote to memory of 1176	1656	Gkhbdg32.exe	108
PID 1656 wrote to memory of 1176	1656	Gkhbdg32.exe	108
PID 1176 wrote to memory of 1064	1176	Gfngap32.exe	109
PID 1176 wrote to memory of 1064	1176	Gfngap32.exe	109
PID 1176 wrote to memory of 1064	1176	Gfngap32.exe	109
PID 1064 wrote to memory of 3544	1064	Glhonj32.exe	110
PID 1064 wrote to memory of 3544	1064	Glhonj32.exe	110
PID 1064 wrote to memory of 3544	1064	Glhonj32.exe	110
PID 3544 wrote to memory of 2212	3544	Gbdgfa32.exe	111
PID 3544 wrote to memory of 2212	3544	Gbdgfa32.exe	111
PID 3544 wrote to memory of 2212	3544	Gbdgfa32.exe	111
PID 2212 wrote to memory of 64	2212	Gdcdbl32.exe	112

C:\Users\Admin\AppData\Local\Temp\3bf6899e58a5f403037958fd41e4c9d9d123b15127154e26eed19fec02f9d374.exe
"C:\Users\Admin\AppData\Local\Temp\3bf6899e58a5f403037958fd41e4c9d9d123b15127154e26eed19fec02f9d374.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\Ekacmjgl.exe
  C:\Windows\system32\Ekacmjgl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\Ehedfo32.exe
    C:\Windows\system32\Ehedfo32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\Ekcpbj32.exe
      C:\Windows\system32\Ekcpbj32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        24⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        35⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        46⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        47⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        49⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        58⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:652
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        61⤵
        Executes dropped EXE
        
        PID:484
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        63⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        64⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        65⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        67⤵
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5044
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        69⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        70⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        71⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        72⤵
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        75⤵
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        76⤵
        Modifies registry class
        
        PID:424
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        77⤵
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        78⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        79⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        81⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        82⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        83⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        84⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        86⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        87⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        88⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        89⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        92⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        93⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        95⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        97⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        98⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        102⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        103⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        105⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        107⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        109⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        113⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        114⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        117⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        118⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        119⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        120⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        121⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        127⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        128⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        129⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        131⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        132⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        135⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        136⤵
        Drops file in System32 directory
        
        PID:6536
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        137⤵
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        138⤵
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        141⤵
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        142⤵
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        143⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        144⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        145⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        146⤵
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        147⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        148⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7156
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        153⤵
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        154⤵
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6572
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6616
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6724
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6812
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        159⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        160⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        161⤵
        Drops file in System32 directory
        
        PID:7008
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        162⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        164⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        165⤵
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        166⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        168⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        169⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        170⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        172⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        173⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 416
        174⤵
        Program crash
        
        PID:6720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6324 -ip 6324
1⤵
PID:6588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eabbjc32.exe

Filesize
120KB

MD5
73b4fbe93537373045b8ba94339ade3f

SHA1
a880ca4fef6a49fb72b32d0538ec4bf37327e9b9

SHA256
799bfc4d59d8727f62fd0debdbc76f45307a20e6c4cdb1aad027c2459dfec8b7

SHA512
05a5c41ec64bd956316649f67845bfad9baa8632a0c918f8850118cfa36cbe43edc18c103f68473b525df44300ee3de85e908579c4259801a2440bfed3686fb1

Download Submit
C:\Windows\SysWOW64\Eekaebcm.exe

Filesize
120KB

MD5
8902751452b4f4db77def34830cd2a32

SHA1
4426ea1a762d69554768aa84f496d0c37705d68c

SHA256
49f899111ca76cdec9f92dd390ee66c527e64e6edbcb27fd1dc827d92e70855d

SHA512
e898e5ca9108a047ad98c57117ec76094e0e8705767583777abf57756ca9bd098976b6a2e63e7899ea337e9d46a2412f91b35d6eb9bc6244ba9eb6865b0aa1c8

Download Submit
C:\Windows\SysWOW64\Ehedfo32.exe

Filesize
120KB

MD5
361f1aac2c423eff33accf7c5e86c2d7

SHA1
a22b76fb2c0cd422e7ab8f769a054b862afa7460

SHA256
6083a428df58f19aade349fe754f551a764574d8cf98489836a578636490ca9c

SHA512
f6585e04390cb5f6102b78f3c10dd82c6809e41530b049960831c0ff48f691dea4ecdb4e0a2d01276f0d665c06a13bedf84a11ac03ea11b9542a61370e32176f

Download Submit
C:\Windows\SysWOW64\Ekacmjgl.exe

Filesize
120KB

MD5
c7dd7f13194b6ce1199ce74c454b6774

SHA1
82573d927758535106a537df1b6c16ed48e1a0f5

SHA256
bde836793becf131f3bed70fb8519fb946450e44a9b08f0e21ee1b4b9229ee76

SHA512
2b84223c0a4ffc508adbfc6ead5005852b4c9c55bd8d3ffbbc6a2395bed3ebf87c568e6d01f1ae949a6f35a69478bab8459de80ad00bfc002025a720c4101426

Download Submit
C:\Windows\SysWOW64\Ekcpbj32.exe

Filesize
120KB

MD5
232e6e1b260775df31f49b54084567c1

SHA1
4f861440ecacdc10b04acc2a7feede28c6c0cb64

SHA256
279abf49d9ad3f938a469f8f94d0efed7bc150381fbdcb209b02e3e40aa46b5e

SHA512
9c834a81a27f2635edbb129b67d2edc7386d2e309d56d4f73c0f51672888d276aa7b5510830a4a5b08d995c83f5b7882db02783dce583381118be4155a536856

Download Submit
C:\Windows\SysWOW64\Ekjfcipa.exe

Filesize
120KB

MD5
0eb89140e2d24e76a439881b012dcd62

SHA1
234562a61b11b4edb4ad93b1e9ed739c69f69f9c

SHA256
0326265d3771b2f42f56d36d4ad4a6f7ade97088a508f0e3c58df014d89c203a

SHA512
99dc051a2664c67e33e94f25e5f944689d4c9c901aaa51c195d00c09b05592dd774d5aa4a81bc0a21fd0d472a4641b60c27666f9f922817f3f974e9ba8a61c02

Download Submit
C:\Windows\SysWOW64\Elbmlmml.exe

Filesize
120KB

MD5
1502f82b8daaaee2e51d368f70c85415

SHA1
214f91fce1c9ca5ae9c3024afc696b3d02fddcca

SHA256
229d00122e4dd7145454f3f17a559dfe11b165a33ede6784b951432af69c9149

SHA512
cb9c460abd556da63f80df5b1e0a520626a40e97c3d121b39054f7f82ce35a8d2de1c28590fc0b4cfb6b79cef3516b0657b5350154a0a5c795724f806531af5b

Download Submit
C:\Windows\SysWOW64\Fafkecel.exe

Filesize
120KB

MD5
0a847f527dd024e2e82b17adbd3c50b3

SHA1
a0ac3daff4299fc65ded77975f6488652106d105

SHA256
77152e665604b106bc66ace94b228805f6d0c2c011548315be3ca9a2c1b42916

SHA512
6dec6a584980bdf0cd1aff25f6cda983a8c445feac17f42f4b6a4ee3a975574db3b199f3c8168a69415b64b756121e0ebc2063943f1761e07ebdf0182fc3ccb9

Download Submit
C:\Windows\SysWOW64\Faihkbci.exe

Filesize
120KB

MD5
bc19978d5a98e7678566964f7078eef2

SHA1
ab0ab88a21e8f5cf91b2b3d990fbc6f7b25bad94

SHA256
48104e6ef4db1049eb6100607291a2c8b9bc0e967439b1ffd809b6f0d3ad0dd2

SHA512
5e45d17ed63a35a2716224037b86b4eebc2c43ad187ac29916732fa0911b8abfa81e3b8db3fab45b7fa87ab82ddfe24926fd972b2417e02f3f8aea26fae4b69e

Download Submit
C:\Windows\SysWOW64\Fckajehi.exe

Filesize
120KB

MD5
56beeaccc2a7aef5f26b6e01a64c223f

SHA1
73b3addde9be4c9fac822ebd8508a2bc7a65bd11

SHA256
bb338868c7209910f3c4761f2d08af5bcdfe4eefa2356483a57a4c91ef3b15a5

SHA512
675184ba3b1cd147f90199b8944d609dc861826a5c693dda41f5b18fcbaeec5235d5abd20d01d74cb6c23467178f045c4b3f8398fa082f3afcf1ea4281c40298

Download Submit
C:\Windows\SysWOW64\Fdialn32.exe

Filesize
120KB

MD5
3875801f3eb9d55c14d829a7c88fb156

SHA1
ccb67bfeeef6ad84122fdaf201839d6376ec85c9

SHA256
fc3c02a7a3d02a87b6fbc90f0a9c753d0d60855943cb2d02f37318dfec888f07

SHA512
2b4680bb41ae42aa000b4778bd5dd1279b1c24d0e81a46c5e33e980f182f1cca52ec78ce84676c4487df1bf6f8b4961022afd9607def8a6bf2c2b565f11761d2

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
120KB

MD5
7b92a30afbcca55729320a3d4e99f4e5

SHA1
d89490268977fcbd98b75a17eeeaee20978406d0

SHA256
6a2586bca13ec81e8ffb7df7f7ce879f8e0cf6671b98fda029703c72a9f08333

SHA512
fbb964c7a411f3bfa55b37582fe54d9a6004dfb186b2c92e29720ea0b639d82c58b3e17fefc1d8b0c210b323d3d9956a2ded9a3ee6b0e9bf92a8e845a492ee36

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
120KB

MD5
f7a1eb29670308c6a16eaacd86c6e46d

SHA1
832ff7d94d6ebce5296e701bf864f995fbfff7f0

SHA256
6263406851c3c7a482a3615a8bf8deddc029838f9724a621b09ca6276d1b3c60

SHA512
04f932baf41a16e2feaaf955181327e82008841488150d4e5594cbfa1275b58454370c9c9802f837a4de025aa3b14018fa139d916d1edf3fb4487a770b5c8db3

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
120KB

MD5
8b375ed4109d1a3e5cf31b07b8956c13

SHA1
c3442e27d0cabb854ce05feb4c7aa788d6a8b51f

SHA256
125e7b7e9768ffa4c2d57a33b421f8511f4d2b258899f40dda8ceb0e1203694d

SHA512
369aba74f734f048186c1a4f1162985a24f85b73136e30521f689235ed8b275e6ff3bf2cb9bfdc62e5c4240c94cc0d697f6bb1d76858850931750de5e772e1c0

Download Submit
C:\Windows\SysWOW64\Fkopnh32.exe

Filesize
120KB

MD5
0bfc972574393eb91ee07095ae92612b

SHA1
cedf45083f889261e684da5f0fe4eed36e0e4767

SHA256
32b345446f8b05f0c82060fea827298e1a0fb5034c84ba590ef953727acdf104

SHA512
d616a38c8daa1b245d63a5d46cd1d43c4d7bb6171771ca707dbf21c2df25dfceb20df6003f18d9a6bf41660a08b8813e134f6c9d60213c5ab278054ecc83b8a9

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
120KB

MD5
e6a6d61649cddd97b7ec0bb9c745485b

SHA1
a68a1cb73757e253def465daa76570e65553703b

SHA256
7df654d843d66171ee09ca785f5f3fe5950a6fbc73b44d6725a28e62b2633d01

SHA512
c923d56937e5e63880d640e8caf3a8097a9f38600f85e8285421a762d50a2c431dbf2486c2d2340ebb8bfd3debe947dbbfea9178bc8076783974b04c30efff81

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
120KB

MD5
9e6932dddabc23a16829d86cc4a23aae

SHA1
21b26d6fc1c99677e11cfcb57e51701bb2ad2af5

SHA256
3219181a39a50eab4aa2110e16fc56b9bd9508ec3a2b81b1ae2f3169833c9a40

SHA512
0bb8bcc24a4f45a32fa666fd6277f7446c68a8e5dce2b6d131ef66b2fb53842919ced42292b293dc6b1a3d8f8577ac93f60032b0678d3f3a7c8fe61ffb16ceda

Download Submit
C:\Windows\SysWOW64\Gbgdlq32.exe

Filesize
120KB

MD5
2429da4b2a7ed4a1ab356e7982f3f36b

SHA1
410db9cc808f9ff3d89ca463078646628a0a849e

SHA256
43da25817bc77d3333300ad7ab81881f630f737dda64e08f719da5decec8df0e

SHA512
fad0922f547749af92cadf9d5369f91a42c7c55d699413fdf4d6723e12f342a6cf754fb3c0bebd3184dd21e95c0316f2753093a6d23e0f39a42dea8c732c74a7

Download Submit
C:\Windows\SysWOW64\Gdcdbl32.exe

Filesize
120KB

MD5
2b6841de316e40d3b9568c00d097b35a

SHA1
b9d3abaea7d68bb037b27bf7a996c3997f0b1475

SHA256
8961784963950d5f0a84e5ff0d40693637e6e75aecb91e9acec79b902c4bfcc8

SHA512
5ee2f8eafd2e03700cd44728a87e0ba0a12116020e0c2610c1311bc93ffd5e9cd7102979d85631acd0d85a67d82b2f4db495ced5d49ae4988ef9c9a3d01ed143

Download Submit
C:\Windows\SysWOW64\Gfgjgo32.exe

Filesize
120KB

MD5
7c3bc5f41354b1e5a2342ebff3965b98

SHA1
812764b8ced2c5c909cdee9fd3853747bce95b81

SHA256
4c4d9eee60c1f47ae25f6f4ee6d504b626c5d2bd5e3d7e4ab08e6353345c005d

SHA512
9b5d73878c70dc3166d2c19d4a2551d07132c98e25d37bbcd50b58e28d74f07bf934fd94045a000b2d7add4f793a506ddcb232b92a0e712e3bb5f925f356a3bb

Download Submit
C:\Windows\SysWOW64\Gfngap32.exe

Filesize
120KB

MD5
9de7f89f0f0eeebcec500a35e0c50bdf

SHA1
79846652f64c9ca39f2b0edc4461eb0e3efb77d4

SHA256
6e977266d718b89acfdd27d2d351642ec3438ad7b5e789a7acfb9db1dfa85bb9

SHA512
35983d75fb2d7b6ffb9535cb24e1c493c67388137551648b5a94bd167542f1a8ab7937d8ad77ae53c02012e85b0d1ee69da00fc7fd0c82ec1d7b26809f7898f8

Download Submit
C:\Windows\SysWOW64\Gkhbdg32.exe

Filesize
120KB

MD5
0ab71267f49df0ef55961801706194c9

SHA1
3ab33fe0df72310c602b28ebb5f49094f715ddad

SHA256
57abd1f3031cc40cdd431e3909842cee41fffb8864691d715a6709d98186a667

SHA512
c601b0b64d6444365a3da60a57660690a011077d76cb28fdd155138caada9a6f9620fe5e9d32c9fa53d7ecc32404bd9b621ce60b02cf81c8271edbcbe38d30db

Download Submit
C:\Windows\SysWOW64\Glhonj32.exe

Filesize
120KB

MD5
5f24b93ede2215aef6df5b155c8a6eea

SHA1
a5d6277f617097aec479641c16e7c0568b011397

SHA256
d3639c9c2c70c35d491fe461b312037e4cafdc2305c131d77b576a0b918f2ae0

SHA512
27f0c8e7d5b6bc5972659b338dc3b0da2022dace2322ba8157399e9609ba90ea38da2825f12daebbd79a4d566c5fc5bcd96b5e9847595f23e0f7b13b12ad4a24

Download Submit
C:\Windows\SysWOW64\Gmoeoidl.exe

Filesize
120KB

MD5
1ef70b5198e3e6adf1ba118bfda5bbf4

SHA1
b1c9eac413362d28b145213ba77be4473f588c0d

SHA256
79bcbd37f34bc153a8ba649d9c423109cf4fda2837919e99ffbc3f2b9b3e1da3

SHA512
b5f015dab0717401ddbfdc3e4e838a46713c3809923e37d76837a6c68e29762d2872c3ac671c9f82372295949efbc0f285e904326de9885b267b939690dfa465

Download Submit
C:\Windows\SysWOW64\Gohhpe32.exe

Filesize
120KB

MD5
9f1816f5c00537634510b1fa0b9ae52c

SHA1
371703964d6083ae632684b02c7e45243211df63

SHA256
3989af6673d73165bc23ac236acbd46532f7004ed64fd35e4022a05d96509647

SHA512
2a00fc38a0c063eae15fd97e502848bb8757f4a804598c0a9120e43b081f90206621f75ca489a10b31b147c3427e67cf8d27a48149d9d6dff72ad8747eab3b8a

Download Submit
C:\Windows\SysWOW64\Hbeqmoji.exe

Filesize
120KB

MD5
a61d65dc995514ad5dd1fa5965793c0b

SHA1
44f7f817111d1eddeb000b962c03d926edb952fe

SHA256
3d91422da901dedd803fc5f1903ffb81472774efa9d35f78890c5ab3f2de954d

SHA512
b0cc9c99c6e42c614a7336ab4bf2effac60d14aa0439a943f6d5d436096bc41fc15745aa4f33148c44e9314eae0d719369b4674574cf636167caa16683c34eab

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
120KB

MD5
b32bcc6692aa77e469b557469556ecae

SHA1
bb4d0d2a71b947cddbac758894af43e6893447cf

SHA256
0430af42f6140aab3ccd924f3d671d1624fba6f8825a3f183bcab7d4e1b02f39

SHA512
aa7d645b8eddbaadfd2fdfb8f5856c21d95efb3185292b50e1712a0b43edc0928cfc03cc61a0268b8928ad86467c0b94fbe09433ff8d2d8646718666f021456b

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
120KB

MD5
b0091590bc7e74301f9c5f4b7d915f7d

SHA1
fe07fce953824ab0a90229d5935798451aa314db

SHA256
5585a4f6714cc6740a58781b63e06fb3ed28752a2014d0e04fe37111e5c10187

SHA512
25f5799789a64644cd6b2fbbe532b5fb840df557e701cfdc4f9cc9482685844ad17d913c6ad5f824c1de00e4d6015e5956d0e361bcdc827198c6dd00ea22b1a5

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
120KB

MD5
58b67c6d3ab2e259825c3537edbd1abe

SHA1
5f699af6604498e9f21af1a79229b305c2470d9e

SHA256
4a563fbfc9e0e587c17c6d45d0530db71aabe6b162d7a25809cb992729e4909e

SHA512
4bd01c36de934aa0636ccd8255fe36eae629bd4fee93e03840c1ede993b63b3a6866ffcf2d61d44e3cf8e5aead132bfcae50fd8094d69ff828e3c5feb71bc546

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
120KB

MD5
73d545173693d8b77c6e0f630ce4e4a4

SHA1
4098b437b077a3c06c398a15de7c77d628c284de

SHA256
889dc56626c2135bced369c9a60f318ca2ccb45b0c458351ea5376b83fcfd898

SHA512
7e8a57e7f3d19076d46960ddd0148df38d5d481f4fad102443076e5f42dc8a6304d1c08b7a3d038e76aa7894f971834cc110000f319508417beb1028a79a5bd2

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
120KB

MD5
049d9e915c2281f4b2d2f6b7c3b86643

SHA1
cb92fdc6549d8882755970e49565b16340f54c5a

SHA256
dd0dc8407b7bf284ca169dbe2bff33e35ee6e2e0ab4c2a2252af70fcedb6d1b9

SHA512
4135bcd0ef654adb3c4047a093ce8b28cf0bbdb462122e1f3a84d1987a89d3ae15341a3736de9a52cff5c6513b3af542ebcba4486c162fb6a3601304745c363e

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
120KB

MD5
52e87e63ce0e880f39c8a06f339707b9

SHA1
2396a6c075839fb7c926bb65cb1ce1dfca2e1f64

SHA256
ef1fb9dff72149fc828c5e1c7a9d06c1c060e803a00da82b8041deb61c7a1b4b

SHA512
f05b51aab9d48b3d4b34cc9760ced4bbf2681d97c649c44b3237dc697d36deaaeaa653fffc12c4f40baee962fa050b72d28d98d8e4f2419b5f5c5e68244c8b8c

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
120KB

MD5
1f7c3c2fe5c5952678703e2a9c7d8e46

SHA1
fde508563e533a4707e858cdbbf82646bfea0aac

SHA256
ca6eb916a8039128b092740843163abf8eda93d2bbdddfc5412f9d558ea5285c

SHA512
b2e876346c6ccfa757565ecb87fdddd02bd637437284d845e466657449252fabd97411d8d531ef5246b2c7c9420633ff830829417b3ce76efda5fd95b79b35e8

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
120KB

MD5
3dc76ca28e1372da4ca1e2ea4c3bad8b

SHA1
b0f9896c7621f8aeb03accf98a24cbf6123f6008

SHA256
3240187985ae0edc37867e1591aea6119369e5f3c40bc93d883fd1c532f8ffa4

SHA512
d7eeb87ee77dbb9133408331c1721eb0b70721766d3fc859ab0981c8cea92ac322206bf3b8eb8b576010bc08780939ba8ceed3e67b8606af9dde107f3f39a9a8

Download Submit
C:\Windows\SysWOW64\Njkdbljm.dll

Filesize
7KB

MD5
e019223b296b32d6ba5013c142a125b9

SHA1
a6af74f74c890d975e1fa703f766a5872d52224f

SHA256
7e0e73f4ad28d8fccefc13cf458ee7aa4a304faa5cb5b7af37f5c3e9a8854278

SHA512
18d4986a9080bc6196c96fca46057eb5bab946cf9b3216c0af49f95e6e73e07776c1f8eb9f32c474fbcc5f9c425a4db29a20e79c7390b74b2391dd51c15d2249

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
120KB

MD5
89fec6121259ee401290a0e10f56497c

SHA1
21b16d832070816a7a42b24541990ef5794e45a7

SHA256
9cafea4ab3a5c78a8c34a82535516e7df2d33e3f7751235610b3547bf9ec92b0

SHA512
5e1cc93d7a5aa0293fc24bb949055d184f45126cc025f2576afd9e519fd38a1a33ad9f05e0a8f7d688e16f23296eca6f93bd9ce65394dbcee156846607764f73

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
120KB

MD5
bdb92d1031972d7eda0f489f9de7af17

SHA1
6479199d6564f6f566937daaa9ad0a4e2dbcb3f4

SHA256
c5b7d94486d820f83ae0da837256b82e16ced9e605060e3039ed697ebec1737b

SHA512
1c609142b22a724d19e5aada7ccaab21de92e0cca06b92ac80f17ca082c5b48df2b40e1bae61836041cc863a34f478e391c20672d834d589d3ccc334ebe0f4fa

Download Submit
memory/64-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/480-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/484-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1368-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5960-1199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6188-1228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6236-1213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6256-1227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6316-1226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6352-1212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6468-1210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6828-1236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7024-1232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7060-1201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7104-1216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7156-1229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads