61c1fe7c3fc13b536389d49e66d0a51f539d3d5fc05c21eaa4e16e7da6fe1c99

Analysis

max time kernel
110s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45e3d24847c7ff4e73d07d567d840d0c.exe
Size

80KB
MD5

45e3d24847c7ff4e73d07d567d840d0c
SHA1

ec391af79e8cf20c4c1fa8202e84d66e01daf885
SHA256

61c1fe7c3fc13b536389d49e66d0a51f539d3d5fc05c21eaa4e16e7da6fe1c99
SHA512

bf97d50eb6b6dbde74707dfebbd932ba6733590252f4025f4ad049a60f4338924645a587ce3c861ca55265069effbe13a2a90dd39f8dd766e34b9271dcd845f2
SSDEEP

1536:cb+oikYpi8pptu6u7vAB2LAJ9VqDlzVxyh+CbxMa:AgpTntu3vAaAJ9IDlRxyhTb7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njpdnedf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fealin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eklajcmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iijfhbhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpochfji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmfbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cohkokgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbldphde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pejkmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqppci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbiockdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcaipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alkijdci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efeihb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnkaalkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nblolm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaonbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpdhkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfnofpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkekjdck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcdeeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feoodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hahokfag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkbdmbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebjdgmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmohno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feoodn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljobpiql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmhhefi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qlimed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpjlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakikoom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gndick32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkkik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geldkfpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnindhpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flpmagqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glfmgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnindhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	45e3d24847c7ff4e73d07d567d840d0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkjhoq32.exe

Executes dropped EXE 64 IoCs

pid	Process
1968	Fhbimf32.exe
3544	Gaadfkgc.exe
4148	Gkjhoq32.exe
2220	Gepmlimi.exe
3628	Gnkaalkd.exe
2872	Eppqqn32.exe
3612	Hmlpaoaj.exe
4020	Jpdhkf32.exe
1692	Ljobpiql.exe
3428	Njmhhefi.exe
2076	Ndflak32.exe
736	Njpdnedf.exe
2576	Olanmgig.exe
1608	Onpjichj.exe
3400	Peahgl32.exe
2176	Phodcg32.exe
4248	Pehngkcg.exe
2876	Pejkmk32.exe
876	Pocpfphe.exe
1480	Qmhlgmmm.exe
716	Qlimed32.exe
4224	Amjillkj.exe
3028	Alkijdci.exe
752	Anmfbl32.exe
2384	Adfnofpd.exe
3088	Ahippdbe.exe
2232	Bnfihkqm.exe
392	Bhkmec32.exe
3720	Bepmoh32.exe
1060	Bklfgo32.exe
1536	Bebjdgmj.exe
1624	Bnmoijje.exe
2456	Cdpjlb32.exe
3092	Cnindhpg.exe
4756	Chnbbqpn.exe
3004	Cohkokgj.exe
3208	Cdecgbfa.exe
3248	Dnmhpg32.exe
1012	Dmohno32.exe
220	Dnpdegjp.exe
2084	Dheibpje.exe
1228	Eeelnp32.exe
2096	Eokqkh32.exe
2960	Efeihb32.exe
3360	Efgemb32.exe
1864	Emanjldl.exe
1516	Efjbcakl.exe
4228	Flfkkhid.exe
1348	Feoodn32.exe
2032	Fligqhga.exe
2020	Fealin32.exe
5132	Flpmagqi.exe
5192	Fbjena32.exe
5248	Gmojkj32.exe
5296	Gfhndpol.exe
5388	Gmafajfi.exe
5500	Bhmbqm32.exe
5540	Cggimh32.exe
5580	Ckjknfnh.exe
5620	Cgqlcg32.exe
5664	Dpiplm32.exe
5700	Dojqjdbl.exe
5748	Dahmfpap.exe
5788	Dakikoom.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jhkbdmbg.exe	Jihbip32.exe
File opened for modification	C:\Windows\SysWOW64\Mpapnfhg.exe	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Cnindhpg.exe	Cdpjlb32.exe
File opened for modification	C:\Windows\SysWOW64\Eppqqn32.exe	Gnkaalkd.exe
File created	C:\Windows\SysWOW64\Conjbj32.dll	45e3d24847c7ff4e73d07d567d840d0c.exe
File created	C:\Windows\SysWOW64\Kofdhd32.exe	Kiikpnmj.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Bnmoijje.exe	Bebjdgmj.exe
File created	C:\Windows\SysWOW64\Bhmbqm32.exe	Gmafajfi.exe
File created	C:\Windows\SysWOW64\Ojehbail.dll	Fqgedh32.exe
File created	C:\Windows\SysWOW64\Mcoljagj.exe	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Mjlalkmd.exe	Mcaipa32.exe
File created	C:\Windows\SysWOW64\Ghcfpl32.dll	Nblolm32.exe
File created	C:\Windows\SysWOW64\Bepmoh32.exe	Bhkmec32.exe
File created	C:\Windows\SysWOW64\Dnjfibml.dll	Bnfihkqm.exe
File created	C:\Windows\SysWOW64\Abklmb32.dll	Chnbbqpn.exe
File created	C:\Windows\SysWOW64\Flfkkhid.exe	Efjbcakl.exe
File opened for modification	C:\Windows\SysWOW64\Mcdeeq32.exe	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Mbibfm32.exe	Mlljnf32.exe
File created	C:\Windows\SysWOW64\Cndepccb.dll	Phodcg32.exe
File created	C:\Windows\SysWOW64\Oblhcj32.exe	Oonlfo32.exe
File created	C:\Windows\SysWOW64\Hlglnp32.dll	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Eokqkh32.exe	Eeelnp32.exe
File created	C:\Windows\SysWOW64\Dpiplm32.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Lhpapf32.dll	Fqppci32.exe
File created	C:\Windows\SysWOW64\Lckboblp.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Dnmhpg32.exe	Cdecgbfa.exe
File created	C:\Windows\SysWOW64\Hdbplg32.dll	Fbjena32.exe
File created	C:\Windows\SysWOW64\Bfcklp32.dll	Fqeioiam.exe
File created	C:\Windows\SysWOW64\Ibjqaf32.exe	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Ljgmjm32.dll	Oqoefand.exe
File created	C:\Windows\SysWOW64\Ndflak32.exe	Njmhhefi.exe
File opened for modification	C:\Windows\SysWOW64\Nbbeml32.exe	Njgqhicg.exe
File opened for modification	C:\Windows\SysWOW64\Lcmodajm.exe	Lpochfji.exe
File created	C:\Windows\SysWOW64\Afnqfkij.dll	Cdecgbfa.exe
File created	C:\Windows\SysWOW64\Gkgmdnki.dll	Dmohno32.exe
File created	C:\Windows\SysWOW64\Nhfjcpfb.dll	Flpmagqi.exe
File opened for modification	C:\Windows\SysWOW64\Ipihpkkd.exe	Ibegfglj.exe
File opened for modification	C:\Windows\SysWOW64\Phodcg32.exe	Peahgl32.exe
File created	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lcfidb32.exe
File opened for modification	C:\Windows\SysWOW64\Pejkmk32.exe	Pehngkcg.exe
File opened for modification	C:\Windows\SysWOW64\Qmhlgmmm.exe	Pocpfphe.exe
File created	C:\Windows\SysWOW64\Mdhbbnba.dll	Gbkkik32.exe
File created	C:\Windows\SysWOW64\Pcgdhkem.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Cggimh32.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Jkdgfllg.dll	Bepmoh32.exe
File created	C:\Windows\SysWOW64\Gmojkj32.exe	Fbjena32.exe
File opened for modification	C:\Windows\SysWOW64\Hifmmb32.exe	Hbldphde.exe
File created	C:\Windows\SysWOW64\Himfiblh.dll	Iijfhbhl.exe
File opened for modification	C:\Windows\SysWOW64\Lfiokmkc.exe	Lckboblp.exe
File opened for modification	C:\Windows\SysWOW64\Gaadfkgc.exe	Fhbimf32.exe
File created	C:\Windows\SysWOW64\Ieppioao.dll	Egohdegl.exe
File created	C:\Windows\SysWOW64\Gepmlimi.exe	Gkjhoq32.exe
File created	C:\Windows\SysWOW64\Bdifpa32.dll	Gfhndpol.exe
File created	C:\Windows\SysWOW64\Lfiokmkc.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Momcpa32.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Cdpjlb32.exe	Bnmoijje.exe
File created	C:\Windows\SysWOW64\Kpjbdk32.dll	Ddkbmj32.exe
File created	C:\Windows\SysWOW64\Jocnlg32.exe	Jifecp32.exe
File created	C:\Windows\SysWOW64\Hkpnbd32.dll	Anmfbl32.exe
File opened for modification	C:\Windows\SysWOW64\Njpdnedf.exe	Ndflak32.exe
File created	C:\Windows\SysWOW64\Amjillkj.exe	Qlimed32.exe
File created	C:\Windows\SysWOW64\Fqppci32.exe	Eqncnj32.exe
File opened for modification	C:\Windows\SysWOW64\Kpqggh32.exe	Kifojnol.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7412	7312	WerFault.exe	281

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgkan32.dll"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adfnofpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqeioiam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kifojnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njogfipp.dll"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chnbbqpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfhndpol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glfmgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmafajfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqhdcii.dll"	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gepmlimi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndflak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcilohid.dll"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flpmagqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oblhcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqppci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iijfhbhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahamlm32.dll"	Gepmlimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njmhhefi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlbgmif.dll"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oclknk32.dll"	Fealin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdaih32.dll"	Kpqggh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pninea32.dll"	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niojoeel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onpjichj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdaklmfn.dll"	Feoodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdifpa32.dll"	Gfhndpol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojehbail.dll"	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gepmlimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efjbcakl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flpmagqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpenlneh.dll"	Njedbjej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpped32.dll"	Qlimed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjbdk32.dll"	Ddkbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fegbnohh.dll"	Lpochfji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geanfelc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjoiip32.dll"	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conjbj32.dll"	45e3d24847c7ff4e73d07d567d840d0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecalcl32.dll"	Ahippdbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmohno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhjimfo.dll"	Dakikoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkilook.dll"	Doccpcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahippdbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpldbefn.dll"	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pciqnk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1968	2240	45e3d24847c7ff4e73d07d567d840d0c.exe	92
PID 2240 wrote to memory of 1968	2240	45e3d24847c7ff4e73d07d567d840d0c.exe	92
PID 2240 wrote to memory of 1968	2240	45e3d24847c7ff4e73d07d567d840d0c.exe	92
PID 1968 wrote to memory of 3544	1968	Fhbimf32.exe	93
PID 1968 wrote to memory of 3544	1968	Fhbimf32.exe	93
PID 1968 wrote to memory of 3544	1968	Fhbimf32.exe	93
PID 3544 wrote to memory of 4148	3544	Gaadfkgc.exe	95
PID 3544 wrote to memory of 4148	3544	Gaadfkgc.exe	95
PID 3544 wrote to memory of 4148	3544	Gaadfkgc.exe	95
PID 4148 wrote to memory of 2220	4148	Gkjhoq32.exe	96
PID 4148 wrote to memory of 2220	4148	Gkjhoq32.exe	96
PID 4148 wrote to memory of 2220	4148	Gkjhoq32.exe	96
PID 2220 wrote to memory of 3628	2220	Gepmlimi.exe	97
PID 2220 wrote to memory of 3628	2220	Gepmlimi.exe	97
PID 2220 wrote to memory of 3628	2220	Gepmlimi.exe	97
PID 3628 wrote to memory of 2872	3628	Gnkaalkd.exe	98
PID 3628 wrote to memory of 2872	3628	Gnkaalkd.exe	98
PID 3628 wrote to memory of 2872	3628	Gnkaalkd.exe	98
PID 2872 wrote to memory of 3612	2872	Eppqqn32.exe	99
PID 2872 wrote to memory of 3612	2872	Eppqqn32.exe	99
PID 2872 wrote to memory of 3612	2872	Eppqqn32.exe	99
PID 3612 wrote to memory of 4020	3612	Hmlpaoaj.exe	100
PID 3612 wrote to memory of 4020	3612	Hmlpaoaj.exe	100
PID 3612 wrote to memory of 4020	3612	Hmlpaoaj.exe	100
PID 4020 wrote to memory of 1692	4020	Jpdhkf32.exe	101
PID 4020 wrote to memory of 1692	4020	Jpdhkf32.exe	101
PID 4020 wrote to memory of 1692	4020	Jpdhkf32.exe	101
PID 1692 wrote to memory of 3428	1692	Ljobpiql.exe	102
PID 1692 wrote to memory of 3428	1692	Ljobpiql.exe	102
PID 1692 wrote to memory of 3428	1692	Ljobpiql.exe	102
PID 3428 wrote to memory of 2076	3428	Njmhhefi.exe	103
PID 3428 wrote to memory of 2076	3428	Njmhhefi.exe	103
PID 3428 wrote to memory of 2076	3428	Njmhhefi.exe	103
PID 2076 wrote to memory of 736	2076	Ndflak32.exe	105
PID 2076 wrote to memory of 736	2076	Ndflak32.exe	105
PID 2076 wrote to memory of 736	2076	Ndflak32.exe	105
PID 736 wrote to memory of 2576	736	Njpdnedf.exe	106
PID 736 wrote to memory of 2576	736	Njpdnedf.exe	106
PID 736 wrote to memory of 2576	736	Njpdnedf.exe	106
PID 2576 wrote to memory of 1608	2576	Olanmgig.exe	107
PID 2576 wrote to memory of 1608	2576	Olanmgig.exe	107
PID 2576 wrote to memory of 1608	2576	Olanmgig.exe	107
PID 1608 wrote to memory of 3400	1608	Onpjichj.exe	108
PID 1608 wrote to memory of 3400	1608	Onpjichj.exe	108
PID 1608 wrote to memory of 3400	1608	Onpjichj.exe	108
PID 3400 wrote to memory of 2176	3400	Peahgl32.exe	109
PID 3400 wrote to memory of 2176	3400	Peahgl32.exe	109
PID 3400 wrote to memory of 2176	3400	Peahgl32.exe	109
PID 2176 wrote to memory of 4248	2176	Phodcg32.exe	110
PID 2176 wrote to memory of 4248	2176	Phodcg32.exe	110
PID 2176 wrote to memory of 4248	2176	Phodcg32.exe	110
PID 4248 wrote to memory of 2876	4248	Pehngkcg.exe	112
PID 4248 wrote to memory of 2876	4248	Pehngkcg.exe	112
PID 4248 wrote to memory of 2876	4248	Pehngkcg.exe	112
PID 2876 wrote to memory of 876	2876	Pejkmk32.exe	113
PID 2876 wrote to memory of 876	2876	Pejkmk32.exe	113
PID 2876 wrote to memory of 876	2876	Pejkmk32.exe	113
PID 876 wrote to memory of 1480	876	Pocpfphe.exe	114
PID 876 wrote to memory of 1480	876	Pocpfphe.exe	114
PID 876 wrote to memory of 1480	876	Pocpfphe.exe	114
PID 1480 wrote to memory of 716	1480	Qmhlgmmm.exe	115
PID 1480 wrote to memory of 716	1480	Qmhlgmmm.exe	115
PID 1480 wrote to memory of 716	1480	Qmhlgmmm.exe	115
PID 716 wrote to memory of 4224	716	Qlimed32.exe	116

C:\Users\Admin\AppData\Local\Temp\45e3d24847c7ff4e73d07d567d840d0c.exe
"C:\Users\Admin\AppData\Local\Temp\45e3d24847c7ff4e73d07d567d840d0c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\Fhbimf32.exe
  C:\Windows\system32\Fhbimf32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\Gaadfkgc.exe
    C:\Windows\system32\Gaadfkgc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\SysWOW64\Gkjhoq32.exe
      C:\Windows\system32\Gkjhoq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4148
    - - C:\Windows\SysWOW64\Gepmlimi.exe
        
        C:\Windows\system32\Gepmlimi.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Windows\SysWOW64\Gnkaalkd.exe
        
        C:\Windows\system32\Gnkaalkd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Eppqqn32.exe
        
        C:\Windows\system32\Eppqqn32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Hmlpaoaj.exe
        
        C:\Windows\system32\Hmlpaoaj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Jpdhkf32.exe
        
        C:\Windows\system32\Jpdhkf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Ljobpiql.exe
        
        C:\Windows\system32\Ljobpiql.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Njmhhefi.exe
        
        C:\Windows\system32\Njmhhefi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Ndflak32.exe
        
        C:\Windows\system32\Ndflak32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Njpdnedf.exe
        
        C:\Windows\system32\Njpdnedf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Olanmgig.exe
        
        C:\Windows\system32\Olanmgig.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Onpjichj.exe
        
        C:\Windows\system32\Onpjichj.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Peahgl32.exe
        
        C:\Windows\system32\Peahgl32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Phodcg32.exe
        
        C:\Windows\system32\Phodcg32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Pehngkcg.exe
        
        C:\Windows\system32\Pehngkcg.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Pejkmk32.exe
        
        C:\Windows\system32\Pejkmk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Qmhlgmmm.exe
        
        C:\Windows\system32\Qmhlgmmm.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Amjillkj.exe
        
        C:\Windows\system32\Amjillkj.exe
        23⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\Alkijdci.exe
        
        C:\Windows\system32\Alkijdci.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\Adfnofpd.exe
        
        C:\Windows\system32\Adfnofpd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Bnfihkqm.exe
        
        C:\Windows\system32\Bnfihkqm.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Bhkmec32.exe
        
        C:\Windows\system32\Bhkmec32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        31⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Bnmoijje.exe
        
        C:\Windows\system32\Bnmoijje.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        39⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        41⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        42⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1228
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        44⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        46⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        47⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        49⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        51⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        55⤵
        Executes dropped EXE
        
        PID:5248
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        59⤵
        Executes dropped EXE
        
        PID:5540
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        60⤵
        Executes dropped EXE
        
        PID:5580
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5748
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        66⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        69⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        70⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        71⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        72⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        74⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        76⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        77⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        80⤵
        
        PID:684
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2596
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        83⤵
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        87⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        88⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        90⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        91⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        92⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        93⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        95⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1140
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        97⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        99⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        100⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        101⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        102⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        103⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        105⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        106⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        112⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        113⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        114⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        115⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        117⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        119⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        120⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        121⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        123⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6292
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        128⤵
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        130⤵
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        131⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        133⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        134⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6884
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        137⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7024
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        139⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        141⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        143⤵
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        145⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        146⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        147⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        148⤵
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        149⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        150⤵
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        151⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        152⤵
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        153⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        154⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        155⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        156⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        157⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        160⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        161⤵
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7148
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        163⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        164⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        165⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        167⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        168⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        169⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        170⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        171⤵
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        172⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6224
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        174⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        175⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        176⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        177⤵
        Modifies registry class
        
        PID:7220
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        178⤵
        Modifies registry class
        
        PID:7272
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        179⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7312 -s 400
        180⤵
        Program crash
        
        PID:7412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8
1⤵
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7312 -ip 7312
1⤵
PID:7380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adfnofpd.exe

Filesize
80KB

MD5
ed695c24ae4b5070a6814379b7c63f73

SHA1
bf9e939f33b0425d316f7c53ae683fcd9c232ab6

SHA256
1495cf84dd7c95c89db489eda7cf56820644ec6b0d95dfb592a05bfd78abd025

SHA512
51373bd9090942687f68047fe353d0bd8818bf9114fcebcd07b9f7145ca6ff506947eb5bfe185c8e4e1e9e072fec04c45625326ca5379257023c31cf276e10af

Download Submit
C:\Windows\SysWOW64\Ahippdbe.exe

Filesize
80KB

MD5
5d189dddbcaec220313359ba6eaff94b

SHA1
292ff190aea1baf6aa0fdbc4f07c3e43b7729e02

SHA256
0e8615de4f01a16b260f22295c008b14e9e86b09be6af72e0f2ebaef4c281ee9

SHA512
ba6bb636eddd5943fb044c8b7ddca145285e09621bb9067d004bccba0010c9e481e7b78e723955dbe04d6566c439a0747e8a731ca8b082cc604e802d088d3fc2

Download Submit
C:\Windows\SysWOW64\Alkijdci.exe

Filesize
80KB

MD5
87dd5047424460c9877795cb6bd143fc

SHA1
49e9d22764db8d08e00935366090d0d7822f3bae

SHA256
9c5dfb0b9dc56325548e9bfa48e8656dd42271b2db005f9b7bd3b2beb6f4ce68

SHA512
ea88c06d8bb9bb8c67135e368398bdbc210c46e077f5f50220a9b00c4ca92bf2b3ca61171e88ad36b92dd7b27130b79842b65192f107c801f2ad2eb1ddf43a56

Download Submit
C:\Windows\SysWOW64\Amjillkj.exe

Filesize
80KB

MD5
7f2149990562829f5bd17c603f578124

SHA1
0ab1c6d0f31928da5c7fff42545c711fc0956f88

SHA256
0ad963904a407105d4c035c200a650ce83b0f51061520490fdaa34e4a2e9b006

SHA512
a085ddf871116d71a8cfa24ee4ef1e9edd9401fd2953e87a3413d52598062b8c15adcadda8fdd1167773f1820e97a0917b2ea57bb49faee4cc9b056c1196b0ca

Download Submit
C:\Windows\SysWOW64\Anmfbl32.exe

Filesize
80KB

MD5
e9146358f408fa3129eba22ad9b08265

SHA1
d27d78d38f4b2b45a851a0adf3b321fc13a6e0b3

SHA256
922c3a61290815a58d2dd4e12c9e89113b2866f454ebf50386c1e009e3d5697c

SHA512
c704c4778612369e08d59282f8f8d3061b14783ce943b4c29147d83cdb4a23cfc336a2a2d9c906aa165265c0687675f1abc0b4e0850fd1ad212de17f7bdf1f5c

Download Submit
C:\Windows\SysWOW64\Bebjdgmj.exe

Filesize
80KB

MD5
64d82e9436d152c15a4bb1b2e87d22c6

SHA1
a8ea54f9450ed6b552971f5254eeb69a8f623510

SHA256
b9357ab14c6601d023e1aa0343372f8ff896a120c9e74b0f7e6b7fda43476d16

SHA512
b6ead45851abc8e866ace55ccf496873579d2e75d3f4e675243546398c1a0b13ad9c6a1caf730bc4576f0f2e850f5863e2f9846d41d795df35a9e8f7f5fd3815

Download Submit
C:\Windows\SysWOW64\Bepmoh32.exe

Filesize
80KB

MD5
b8273fbc83fda995e7601cae87d41292

SHA1
da3e1b137e859c239c31a6af0f18e19285a7244c

SHA256
f8dda83647718ab54f6e0480e99befe96a9538e2a6440debee31d525950319e2

SHA512
d63a0c0a854e663e3064f8a54b38135346a1722faf5038009c43a3447f5f786637ca9ad192da7b2081f870175bf888ce4c83e2b9082499e70fb93b05118c498a

Download Submit
C:\Windows\SysWOW64\Bhkmec32.exe

Filesize
80KB

MD5
f318c94d466a51e2f708ee2c2953d764

SHA1
46fcefe35df8f3fac7b63bfe103770b7dc244a6a

SHA256
6f3c57249e1d3a625804a9c6e1ad0e59188535b690cba32f6e671abd122c9633

SHA512
7b8a0bc8369dcc4a74d269ce921db8838fef5e6dfd16a4de212e151589f745f242e7f79afa32e270c455a1b92e383798310652786387e8cea960be2b8f470029

Download Submit
C:\Windows\SysWOW64\Bklfgo32.exe

Filesize
80KB

MD5
0042b09f8f42dcef1e28b6cf184d830f

SHA1
ee9fd50499f76ed076cfe4be26e0039a7dd0d1b7

SHA256
2ce6b25d5461d6f006e3047efcf987c952c9af4b64225c02f4b1fb2a44385faa

SHA512
fc9e0ff96ee703a09d2eb6c8a75e82bc0417275005cf4b34e75664518e146eb814fc7d7ab53b8dcaa7856dd29a830de26f1d8847fa87f6c8b91ade838f48547c

Download Submit
C:\Windows\SysWOW64\Bnfihkqm.exe

Filesize
80KB

MD5
ba31f12a19550f2c69d8fde812e30276

SHA1
0d382804e4d3ccb3d76caf6261cf2adcfb4fd811

SHA256
b8a6a77cd8d4683823e66f680c63d81e9bf1a4b6895cf18b835ceab4cc68d271

SHA512
8422bf708c1956107091ad1357bc4810dfe889fae118ab22cf53fb5f396621a863d94ff6c3285d6d3acfe142f4a147fb9d6a248e79642e70b795e1688d814381

Download Submit
C:\Windows\SysWOW64\Bnmoijje.exe

Filesize
80KB

MD5
25c73d40f3db7ae91be6b15940a80c78

SHA1
3fc2474c2aee8e30e873a29d251ac7483187dcee

SHA256
1f7e1b818a844cf3c68e61a9dc82edc39b305b99019522ce9416dd5fa040ddae

SHA512
3a1cc8c86daf1e11d05ddd73acc54a49fd649d6e668fcf51da64d9e4ae96e55968e47c8e7a61bd1e7dfd3b367ec058547e23e8cd13714a30301b3dd728b4529e

Download Submit
C:\Windows\SysWOW64\Eklajcmc.exe

Filesize
80KB

MD5
d13c7461c816be7a66453bed19aa9179

SHA1
22e92d24720eceec4505abfa6622add9ec275dee

SHA256
11816cbff7ed236d66634e7e96063f19882d021c03191a94cd14e9dd12b62bcc

SHA512
0c81d51a9dddd272155a4b8255a88001b510f5b394a552de25dd73ad7222a3d6ab5e1d48874bfab23c3004342cff6f2e31cb462be1994cd4f2f8d0c023c88eef

Download Submit
C:\Windows\SysWOW64\Eppqqn32.exe

Filesize
80KB

MD5
0c8de270ef5aae08a48ebfde09b0170c

SHA1
a39248eac6c1fca14acbe4b14670c5cb07cbe52e

SHA256
30181ff0795849575e83a4b127e3f99a702c83737d28d0f39830736d12b47618

SHA512
7000f0ca847c1b01820dd629c867d6c109d2b9cd0e1db6cb5618d70382daf2c0c48c4f0b9273ee7159c8479e1ebde18a43eae8546091c5215a95d901cfb62988

Download Submit
C:\Windows\SysWOW64\Fhbimf32.exe

Filesize
80KB

MD5
13809b3c9cd2cbe6af33463784464a44

SHA1
551ac8b13c50517186e98642fdfcd6c8652e1457

SHA256
90a98be2874e6986e1adc633f4bbaa4fda2bd3d1ff90a86a9dc0c07f20637441

SHA512
88e2b8bdcd2fbcbdaa699cdb98e2b12392ebad32b62206f3a44fface34dc9ab1d544910c6578dcb3ecbeb0ba441a56d2d27e5f4ca91e99e56ed29594cf931272

Download Submit
C:\Windows\SysWOW64\Fqeioiam.exe

Filesize
80KB

MD5
89f09cd8f4618d7a1e0ed265f6176981

SHA1
2f2d1ee0282e7701f48e365f092ec79498b4bbd2

SHA256
44981ed768f7a8869cc8084c0375e006d7fa74dff0d7542ad4003375705c7b5e

SHA512
8918f40c09611792ab692325c00f62349f4bea28a980c2756ebe3b1961696ba980900209e72f5b0a729b78ba6dea51ba19b5ef7e7f5402300770315615914bb2

Download Submit
C:\Windows\SysWOW64\Gaadfkgc.exe

Filesize
80KB

MD5
3f9fc527821a05b91e1b1e6233dcde4c

SHA1
b53c5d8d632a3873d18be07c7a94b62c2a3d6e8e

SHA256
440827e3e3a174bd74e8e98bac8eae8fb3776ac7708d0755bdc8c90c5934529a

SHA512
5dc45f748e88c2db7f1c479111d230d0468ce6a5e64f45f95e8323dd7657f9975da94bc8af70e6781158e8c4bed3c6bf535e13cc0d885c438e5547a1ae3bdebc

Download Submit
C:\Windows\SysWOW64\Gepmlimi.exe

Filesize
80KB

MD5
e385e31bc5b29b7f6eea3ccfb7dc6547

SHA1
a4962e41866771f069a0e447d3e2d4d5e8754bcc

SHA256
ba385f5764dddfbab97e1a8095be1f0b2fba5c6c751c52b3dbae5814a81c2604

SHA512
ab171540be4251b9ff7dcf223876ce01c17f5dcdf2ff436ec6d7b3045c17d00920941ad25fddefcffc5a8f63d9f6e351257f4cbfabe250de8d7992291e768b68

Download Submit
C:\Windows\SysWOW64\Gkdpbpih.exe

Filesize
80KB

MD5
a060d48cd4d787ffdcf6dc062ae27b0e

SHA1
e73d7afe411092451c783be4a7616128e861b05d

SHA256
af1c0bd5999229456a3fbf2069c64b8a62b6cba922c51713e555e00315c9a0de

SHA512
d776c42c1b46998fdd15cf74b7b8477e1d42c286ae27e8b0bedbeae7d5036934644939c2b5ebfdd8d876eaee24de85bfe548e6a196e00c1b19d5976fd7d4af34

Download Submit
C:\Windows\SysWOW64\Gkjhoq32.exe

Filesize
80KB

MD5
8993ebe33f69fcf2a71d89039a02ab2c

SHA1
7806e4055854adf8b4dad9f8b179eae563e8555e

SHA256
668767ad557afbca8df7a5555086cb5aea6ccf4bea6f207617593d5937319ba9

SHA512
bc77d51e71cad1e0b6a35804bcbf767d7281c4506e23786eaaead12008f1b44b117efdc7e24e5b66ecb1f9d71f35d6b35cf1e1fb26e8274ea180ab5b58eeb5d2

Download Submit
C:\Windows\SysWOW64\Gnkaalkd.exe

Filesize
80KB

MD5
a73db9521dc3253516371590943bf2a6

SHA1
898050a4090baa70d927321c81ed20cd5d37f3ea

SHA256
ca28136533ee98fc62a09d208bad429812e2bc3f3f6715c0f3b1fb74526b6e19

SHA512
eb10823f8e227cff42fd68eb95505ce38d24cc5beb9632db29af8ee048eeaaf1a925404636272356fe74a754461c68a78e0d1e743db8622312082bff4ab26015

Download Submit
C:\Windows\SysWOW64\Hhdcmp32.exe

Filesize
80KB

MD5
a14fdd78713b439dc95550e973392fc6

SHA1
a41ab1a5e03af81ae84ce36ef93e20b3a2159dd4

SHA256
0a14fc925def412599ef62b6a16dbe571a1175587a6cdbd1468b12f08a120762

SHA512
61d7832c758982c20de5e6d5b86c4dea97cdf64ccb18fb79ac5804d350ec0f200d78fb13007cff1b5b4d3d22c8a7ba9629b98a6512e475173b3e2e04604d019d

Download Submit
C:\Windows\SysWOW64\Hmlpaoaj.exe

Filesize
80KB

MD5
09ecefcc200fd2f09b8e327d7c65eadc

SHA1
10326ef3a1cfa1f25fdcad73ee4e49e6a43e02a0

SHA256
1c895e348305edb251846ae2c26e04fa0c816e86cdc36ef6247ebbccedff97f5

SHA512
9a2961088b346f106cdd839d2b8fb935959d0088c65843a5448411eabb704ff9d838cad19b7a95be3be6fbd0808892de9931999783017ca4b3eeb0c401248645

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
80KB

MD5
33ab90f08911a9319bc2b2a9b429374d

SHA1
c9eab28b7666846b3abed2f15d5320fc8f43712d

SHA256
39c610f81b7373c39a29b6122f73829e49c4293cab0e3af1750cfa05652ceb0f

SHA512
7bcd84831e397205558865683ee2331ca0731bc27f22f3d8fef4c915f4ca835b3b7f1120ff566d9125b9f05996a46cf5cf07f049458dc896e7193523f3141561

Download Submit
C:\Windows\SysWOW64\Ipihpkkd.exe

Filesize
80KB

MD5
1968a736f8422969f1ea9b47aa804dda

SHA1
c5a83c6c9745cbaaf8780844d17e25a37bc6fe6a

SHA256
ff01c706d7411e57428c665aaa8eb679d95dc7b36b21364789261cfa9d4b2ee0

SHA512
d30d861143e03fa2506ef80cfa0004eb4b837eaabf743b13d94c86d542598b32381af55617506f932599552e73ce1e0861bf3575c38b0de6e70d8f71be98535b

Download Submit
C:\Windows\SysWOW64\Jpdhkf32.exe

Filesize
80KB

MD5
dbcfa2ec5593972e2c18111275217874

SHA1
c6c66d29dd0e9ce11c6ca2814a53dcb7d465a9ae

SHA256
6d70a297f8f7684f45731587b7425f308469dbbcfa6cfe9e69c7bf57e8f21e7c

SHA512
34d7a18aa87ff4aa84f0d4f0b8d4ea00cfa5f1174b7e9b4dddf39115d77697e55739777cdd67ef7c73b22906a2196450c1fc6e59acb647210f56777c525bb282

Download Submit
C:\Windows\SysWOW64\Ljobpiql.exe

Filesize
80KB

MD5
082d10ffc566e20993963ee596988438

SHA1
ff7a2f6f40858381069fcb596ca66ea1e97659f7

SHA256
176bc32749617c01864d43eb1ce565b2d89b64d7663f6b3c56be335138c0ab05

SHA512
59a2f57e0795e1c4f482f1b6fa84e397812ed121054f270d84bf9f3791bba20f813da444aeaa61b141e60b5ca04799a85e3e1b2c9a14b4134fcf536f0424e428

Download Submit
C:\Windows\SysWOW64\Nbbeml32.exe

Filesize
80KB

MD5
c124631e8cf07e881cd17f54865f9136

SHA1
accf708395562e2ca25cc06d96c78bf4e8efce47

SHA256
c2902c8633310c1ad6be0f41b4a9eb1da62bf47ad6052abda0fb5e7995231397

SHA512
951881f1379dad7f119791f7c5689a222103229c0fecd80b720633160c1c423d95752673de796715d2f3a259f8b964052e185b4106ae8cedc83138ec15b00612

Download Submit
C:\Windows\SysWOW64\Ndflak32.exe

Filesize
80KB

MD5
50b61412e35720dc69d42fa296f88e0c

SHA1
00635d24bdecde75990be502761be6a1e68cfa8a

SHA256
916431812201dfca6034d71abb98c638f1e017e9df416d9266d5516812425ff3

SHA512
33545ecf29cdafda8b0648bc958ce32e6e6370f2c761594eedb91e91b12b3e14f0e41604f34197807c8f48334a08cb0b751afa2faf878f400e63d2da8710a796

Download Submit
C:\Windows\SysWOW64\Njmhhefi.exe

Filesize
80KB

MD5
0cbfceca0a15f1704fb1213e61277297

SHA1
e8836990f80771e3e85c2212850a535fef7f369f

SHA256
27f135181926c3c9ab8c241bfd45084b14c34fa5745d976af4622782fcabf590

SHA512
7b82567d72d823d447238bbda4568210643f5cac5b8cd82a9d8371e87f8d62fc1239680eb7b56e8d9a31ab666b5bea798fdfceb7d12e6b28c64ee0f634d4687f

Download Submit
C:\Windows\SysWOW64\Njpdnedf.exe

Filesize
80KB

MD5
4d50454eb6c5c53bd4c8657c5752e9dd

SHA1
d036dc9408d2271bebfa9dfbfb09909fbf049b89

SHA256
25666dd32d647b7f0518fc55421ea24b24e73979603e9832664fb843b445c9f4

SHA512
954e9d960ab7e926913b2954a9c161fab1a2f131c3db9706c8a413d014647bd008f7ab46a0489d0b7a045a87ada166d4205bcd29983433101031a2226a3f4429

Download Submit
C:\Windows\SysWOW64\Olanmgig.exe

Filesize
80KB

MD5
c111f67dc59bcd117a2ce7610327556a

SHA1
5d8f276a2084923ba1aace6d6a84dc942bc126d9

SHA256
37301e94525ab84466a8d22c609c873bde207c61913f3db495dffd3108023a17

SHA512
b18183affac724562b9f8b336ecd2103ca31fd007c23df3e4e4d339045770622cf312536f8c2ebcb2b370914252929ef8d63a64ee33d57ef954fd3806607e3e6

Download Submit
C:\Windows\SysWOW64\Onpjichj.exe

Filesize
80KB

MD5
719d2f508350b8080d226a8326856627

SHA1
627fbaf6e1d05f522384244f10592b20170f8365

SHA256
f5705480fc13ae97daf4c57eefb7c8fe9d3044ca1f4a075f7dc5d84270fd28aa

SHA512
428d9f6f6225065e7985f4f772f89b225e39bd0e531135b662ce4fd82102f2f352c0cbaace29338b9e0061d678f9f7ee7a9d2a2d080a351dc822dfeba9f52c2f

Download Submit
C:\Windows\SysWOW64\Peahgl32.exe

Filesize
80KB

MD5
ed6c74a06ee1627890a09b1e4191600e

SHA1
3489258a339ffbda510f3736ebf13fdf2fc0963b

SHA256
98284ea8a988414a2a7c84e0064073ecbcfb78de63ff8b48f29ce512502aee13

SHA512
5f02a46d89a62d7ee51a779aabdfe494d497bfbf5d94e44503bd851180ad99d1dc7e777070a9dd26389926134ad0bd27c149ba000b6e97cc6a52f6d0e4267577

Download Submit
C:\Windows\SysWOW64\Pehngkcg.exe

Filesize
80KB

MD5
8e77dc4185879134fc6fd300b9ef0928

SHA1
fcf97cfb3ca95bde9fd270db2a410057be5604b2

SHA256
b434b7c5c9257832af694bbc41cb1d6fea01b3ce19ad12564791297fa7c1aa17

SHA512
6ce6ab1b3e27753cb41cf73602eb21e590490f3080b8425ef4c2a3f915328a2bb330a42eb22f1be3e16cc6468dd625c621285263f90c7b8898f145883c683b19

Download Submit
C:\Windows\SysWOW64\Pejkmk32.exe

Filesize
80KB

MD5
1e616660989352bb7ad4c51fb3647b28

SHA1
d5b6c3edd17bd3cf13b8399e6e90dae4d246bee3

SHA256
954e3803a90b155a6ef8552739c82961f738810d2b5051009ecdcc2e396fc572

SHA512
92053c7f4b50cdb8dbb47b4da90f0c91995ec788b3f8a4fc5042e697275cefce4f6c6a5d236853ae8181fdf31f9a6ac54561342165a42ca3ac3ac0c9384e6e79

Download Submit
C:\Windows\SysWOW64\Phodcg32.exe

Filesize
80KB

MD5
9715a70dfbf6e369557afdc15328f71e

SHA1
8cbeff2ec66ef6d8693a24f1634d111b44ff3084

SHA256
e222993714e5e6068d00e616559be183bdc02089a360378ce057f73ddbeca2d1

SHA512
1bb6889f914f82b928c75dca2cdfdc7af2936f5e8616f2e5e8d6742474ca96aebf7c7cb3c584c9ef2fae3c3b46765f79105bfa95ca86d578a34ef3fc7b3b5ad1

Download Submit
C:\Windows\SysWOW64\Pocpfphe.exe

Filesize
80KB

MD5
07ec5486dda0173b75467957f18d1736

SHA1
712a4e43524ec0b1239347f59aa607f9a1b02ab3

SHA256
02c60a113d7537e7dc3f503e9384f904fbaebc5e8dadaadd9cfff94ee648d2c9

SHA512
9f79723c1ec17ebb4786b26400b14dbb635d6147adb478b2dd159386fb5297fba669323e1c6a280886793819b34a491f2cac4fbdce0c972f2d2216f9d0055714

Download Submit
C:\Windows\SysWOW64\Ppdbgncl.exe

Filesize
80KB

MD5
8f654e5235c88849778ed577347d38f4

SHA1
aaa83cf887b3f392e5128ff52cf098b765e81ec1

SHA256
fa141b394f2cca556b3684cdee9bdb270a21131200230004bc18e334d22571f2

SHA512
8a6a87d234af14089fb912d6d6a17aa1eefc7d9332f4b7a068891d08e39ff146f1b2fcf3f9ef2d2ea29cab32938e8d3110e80ca379930a17c737721a443d8c43

Download Submit
C:\Windows\SysWOW64\Qlimed32.exe

Filesize
80KB

MD5
0927ec3278153b2aea5bf5336f40214f

SHA1
5ca1f2ec94f14303e0ec81c21060db161d6de4e6

SHA256
2c8433cd7ad029304b124b9945648984f039d822e05a16adc74e785fb549d003

SHA512
fe18cd706f24acf2de13adf8ff86cf2ec1b0c5703ee36d449a28aa088238c9ecf2d3a23f5dc38eb0e30b408ed2b787efd707b90343e601cdceb5a068c0195197

Download Submit
C:\Windows\SysWOW64\Qmhlgmmm.exe

Filesize
80KB

MD5
e33aa6a7cba136f9a1909d09c59ff8c4

SHA1
cbc162d57a94c29a6496c320c09560061ec7b734

SHA256
304faff54742b1e0512a33e4c9e5458d7e02735dba0bd1ac59e23c0d8feeed3b

SHA512
f72d81c5004422a02492360fd3afad4cca46c18ed745f643e0a9ed1874a446e1fffbe172b06096ef2130d70cf2b30e8c089f1afd6ea854b101dc930cd606931b

Download Submit
memory/220-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/716-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/736-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/752-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/876-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1012-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1348-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1480-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-78-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2220-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3092-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3248-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3360-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3544-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3544-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4148-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4148-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4248-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5132-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5192-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5248-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5296-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5388-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5500-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5540-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads