bedeeee0ba7249856789569ce26d515b82ee9365e76cfacdf0baa04f20230288

Analysis

max time kernel
135s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bedeeee0ba7249856789569ce26d515b82ee9365e76cfacdf0baa04f20230288.exe
Size

320KB
MD5

2cd12dc039c75709d0c03317a547a349
SHA1

da2e692f2cfa58f52b4b7a714b3451b5d49c15cc
SHA256

bedeeee0ba7249856789569ce26d515b82ee9365e76cfacdf0baa04f20230288
SHA512

510775247ff25346b92fd603d65dbdaba2586648465f5100d38e054e1822b3fffa990d9cf7581817f0a0619675950c47b782a27a971c23e215788aa6d809dec6
SSDEEP

6144:L9H+y1YvlIY/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:ZH+yev9m05XEvG6IveDVqvQ6IvP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfhgcbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhhldc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohobebig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqbneq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdllffpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igpkok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejglcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hembndee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joobdfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckfofe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajodef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbjogmlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdnpeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffoejkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmifkgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gheodg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glkkop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmijnfgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbggkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icakofel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmobii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmijnfgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Defheg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplkhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhbbmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icachjbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnebmgjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeeomegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmifkgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkiapn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cghgpgqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omlkmign.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbnknpqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djbbhafj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebbmpmnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohkai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjjbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaioidkh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndkjik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcaibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejjanpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmgmhgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbecljnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joaojf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iggocbke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdllffpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfniikha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijmhkchl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kffhakjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifleji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqnemp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbknhqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enllgbcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ailabddb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flpbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljhchc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbhgjoi.exe

Executes dropped EXE 64 IoCs

pid	Process
1660	Egegjn32.exe
2084	Gbkdod32.exe
752	Gcnnllcg.exe
1100	Gjhfif32.exe
636	Gqbneq32.exe
3784	Hccggl32.exe
1480	Hnhkdd32.exe
5044	Hjaioe32.exe
4768	Hejjanpm.exe
1796	Ibnjkbog.exe
2852	Icachjbb.exe
2824	Ijmhkchl.exe
2288	Inkaqb32.exe
1304	Jlanpfkj.exe
1504	Jacpcl32.exe
4396	Kaopoj32.exe
2412	Kbnlim32.exe
1336	Laffpi32.exe
2372	Nlnpio32.exe
4320	Nhjjip32.exe
2268	Oohkai32.exe
3540	Ofbdncaj.exe
3660	Obidcdfo.exe
2168	Okceaikl.exe
2324	Omcbkl32.exe
1076	Pmeoqlpl.exe
1680	Piolkm32.exe
2644	Qejfkmem.exe
1120	Abcppq32.exe
1184	Ammnhilb.exe
3612	Bldgoeog.exe
2656	Blknpdho.exe
2544	Cbjogmlf.exe
828	Cmpcdfll.exe
1548	Ciiaogon.exe
5012	Cpcila32.exe
3196	Cmgjee32.exe
4656	Debnjgcp.exe
1552	Defheg32.exe
5032	Eennefib.exe
4176	Elhfbp32.exe
1424	Enllgbcl.exe
3124	Edfddl32.exe
4740	Flhoinbl.exe
4076	Gphddlfp.exe
1172	Gloejmld.exe
456	Ggdigekj.exe
1492	Gqagkjne.exe
4244	Gglpgd32.exe
2752	Hgbfhc32.exe
3628	Iggocbke.exe
1080	Imknli32.exe
512	Igqbiacj.exe
5096	Jgcooaah.exe
3960	Jegohe32.exe
2004	Jmgmhgig.exe
3648	Jmijnfgd.exe
1860	Kaioidkh.exe
2572	Kffhakjp.exe
2796	Knmpbi32.exe
4604	Lkppchfi.exe
3572	Lajhpbme.exe
2160	Lhdqml32.exe
4240	Necqbo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Odgjdibf.exe	Oojalb32.exe
File created	C:\Windows\SysWOW64\Fhiinbdo.exe	Fblpflfg.exe
File created	C:\Windows\SysWOW64\Kmobii32.exe	Kkmijf32.exe
File created	C:\Windows\SysWOW64\Hejjanpm.exe	Hjaioe32.exe
File created	C:\Windows\SysWOW64\Debalegc.dll	Jmijnfgd.exe
File opened for modification	C:\Windows\SysWOW64\Igkadlcd.exe	Ifleji32.exe
File created	C:\Windows\SysWOW64\Ohobebig.exe	Oinbgk32.exe
File created	C:\Windows\SysWOW64\Clclnfln.dll	Omlkmign.exe
File created	C:\Windows\SysWOW64\Ddmlgm32.dll	Bjcmpepm.exe
File created	C:\Windows\SysWOW64\Bggnijof.exe	Bqnemp32.exe
File opened for modification	C:\Windows\SysWOW64\Ckfofe32.exe	Cbnknpqj.exe
File created	C:\Windows\SysWOW64\Lcgagm32.dll	Gqbneq32.exe
File opened for modification	C:\Windows\SysWOW64\Ailabddb.exe	Qdllffpo.exe
File created	C:\Windows\SysWOW64\Fhflhcfa.exe	Fbjcplhj.exe
File created	C:\Windows\SysWOW64\Dacnkkem.dll	Jgbhdkml.exe
File created	C:\Windows\SysWOW64\Joaojf32.exe	Joobdfei.exe
File created	C:\Windows\SysWOW64\Glkkop32.exe	Gaffbg32.exe
File created	C:\Windows\SysWOW64\Dijdif32.dll	Joaojf32.exe
File created	C:\Windows\SysWOW64\Elmoqj32.dll	Jlanpfkj.exe
File opened for modification	C:\Windows\SysWOW64\Laffpi32.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Biigildg.exe	Bbmbgb32.exe
File opened for modification	C:\Windows\SysWOW64\Nlnpio32.exe	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Nkpbpp32.exe	Npjnbg32.exe
File created	C:\Windows\SysWOW64\Ollhping.dll	Ehofhdli.exe
File created	C:\Windows\SysWOW64\Fgmllpng.exe	Fcmgpbjc.exe
File created	C:\Windows\SysWOW64\Oickbjmb.exe	Omlkmign.exe
File created	C:\Windows\SysWOW64\Nodqpf32.dll	Flpbnh32.exe
File created	C:\Windows\SysWOW64\Iqbjnc32.dll	Ljephmgl.exe
File created	C:\Windows\SysWOW64\Bdnofdgl.dll	Edfddl32.exe
File created	C:\Windows\SysWOW64\Nnigmj32.dll	Necqbo32.exe
File opened for modification	C:\Windows\SysWOW64\Jfokff32.exe	Jfjakgpa.exe
File created	C:\Windows\SysWOW64\Qhnpleki.dll	Glkkop32.exe
File created	C:\Windows\SysWOW64\Gqbneq32.exe	Gjhfif32.exe
File created	C:\Windows\SysWOW64\Hccggl32.exe	Gqbneq32.exe
File created	C:\Windows\SysWOW64\Nkpbpp32.exe	Npjnbg32.exe
File created	C:\Windows\SysWOW64\Bijfpm32.dll	Ogmiepcf.exe
File created	C:\Windows\SysWOW64\Jqfkba32.dll	Gbjlgj32.exe
File created	C:\Windows\SysWOW64\Qghlmbae.exe	Qffoejkg.exe
File created	C:\Windows\SysWOW64\Lelmqm32.dll	Ihheqd32.exe
File opened for modification	C:\Windows\SysWOW64\Kbnlim32.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Pfdnkk32.dll	Cmpcdfll.exe
File created	C:\Windows\SysWOW64\Eppobi32.exe	Dhpdkm32.exe
File opened for modification	C:\Windows\SysWOW64\Gpgnjebd.exe	Fgmllpng.exe
File created	C:\Windows\SysWOW64\Kehmcnda.dll	Kgngqico.exe
File created	C:\Windows\SysWOW64\Lhopgg32.exe	Ljhchc32.exe
File created	C:\Windows\SysWOW64\Jhhnfh32.dll	bedeeee0ba7249856789569ce26d515b82ee9365e76cfacdf0baa04f20230288.exe
File created	C:\Windows\SysWOW64\Ijmhkchl.exe	Icachjbb.exe
File created	C:\Windows\SysWOW64\Egnkjb32.dll	Ckfofe32.exe
File created	C:\Windows\SysWOW64\Gbjlgj32.exe	Gbecljnl.exe
File created	C:\Windows\SysWOW64\Mhjpceko.exe	Miipencp.exe
File created	C:\Windows\SysWOW64\Cjbnqa32.dll	Pkinmlnm.exe
File created	C:\Windows\SysWOW64\Llbndn32.dll	Cghgpgqd.exe
File opened for modification	C:\Windows\SysWOW64\Oinbgk32.exe	Oacmchcl.exe
File created	C:\Windows\SysWOW64\Chcbafng.dll	Bilcol32.exe
File created	C:\Windows\SysWOW64\Cdomieml.dll	Deokja32.exe
File created	C:\Windows\SysWOW64\Beaeca32.dll	Cbnknpqj.exe
File created	C:\Windows\SysWOW64\Nopkoobi.dll	Dgmpkg32.exe
File opened for modification	C:\Windows\SysWOW64\Joobdfei.exe	Ikmpcicg.exe
File created	C:\Windows\SysWOW64\Dddmqp32.dll	Lhdqml32.exe
File created	C:\Windows\SysWOW64\Ndkjik32.exe	Nkpijfgf.exe
File created	C:\Windows\SysWOW64\Aeeomegd.exe	Ankgpk32.exe
File created	C:\Windows\SysWOW64\Jhoefbef.dll	Fgmllpng.exe
File created	C:\Windows\SysWOW64\Piolkm32.exe	Pmeoqlpl.exe
File opened for modification	C:\Windows\SysWOW64\Jmijnfgd.exe	Jmgmhgig.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4560	8124	WerFault.exe	300

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jahadh32.dll"	Qffoejkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifleji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaffbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccggl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcqpalio.dll"	Hjaioe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjmmjng.dll"	Gqagkjne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcaibo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phmnfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajodef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nigbmkil.dll"	Hgbfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjfpp32.dll"	Cbjogmlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qghlmbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loifpp32.dll"	Oacmchcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bggnijof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liofdigo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnhkdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnkjb32.dll"	Ckfofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjaioe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfokff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmghklif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdbfa32.dll"	Bqnemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cicqja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhpdkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacnkkem.dll"	Jgbhdkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phmnfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okleqm32.dll"	Eaqdpjia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchknl32.dll"	Fhflhcfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijmhkchl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oohkai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nplkhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekkgpgdg.dll"	Elfhmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikmpcicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igqbiacj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miipencp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogmiepcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beaeca32.dll"	Cbnknpqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dipffc32.dll"	Ggdbmoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqkefo32.dll"	Hcaibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpcila32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gphddlfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cicqja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eppobi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebbmpmnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hembndee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Joobdfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajqphlf.dll"	Kkmijf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpcdfll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qodhmn32.dll"	Gglpgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okqbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okqbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaqdpjia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elfhmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnigmj32.dll"	Necqbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpcmfchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biigildg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckfofe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 1660	4960	bedeeee0ba7249856789569ce26d515b82ee9365e76cfacdf0baa04f20230288.exe	93
PID 4960 wrote to memory of 1660	4960	bedeeee0ba7249856789569ce26d515b82ee9365e76cfacdf0baa04f20230288.exe	93
PID 4960 wrote to memory of 1660	4960	bedeeee0ba7249856789569ce26d515b82ee9365e76cfacdf0baa04f20230288.exe	93
PID 1660 wrote to memory of 2084	1660	Egegjn32.exe	94
PID 1660 wrote to memory of 2084	1660	Egegjn32.exe	94
PID 1660 wrote to memory of 2084	1660	Egegjn32.exe	94
PID 2084 wrote to memory of 752	2084	Gbkdod32.exe	95
PID 2084 wrote to memory of 752	2084	Gbkdod32.exe	95
PID 2084 wrote to memory of 752	2084	Gbkdod32.exe	95
PID 752 wrote to memory of 1100	752	Gcnnllcg.exe	96
PID 752 wrote to memory of 1100	752	Gcnnllcg.exe	96
PID 752 wrote to memory of 1100	752	Gcnnllcg.exe	96
PID 1100 wrote to memory of 636	1100	Gjhfif32.exe	97
PID 1100 wrote to memory of 636	1100	Gjhfif32.exe	97
PID 1100 wrote to memory of 636	1100	Gjhfif32.exe	97
PID 636 wrote to memory of 3784	636	Gqbneq32.exe	98
PID 636 wrote to memory of 3784	636	Gqbneq32.exe	98
PID 636 wrote to memory of 3784	636	Gqbneq32.exe	98
PID 3784 wrote to memory of 1480	3784	Hccggl32.exe	99
PID 3784 wrote to memory of 1480	3784	Hccggl32.exe	99
PID 3784 wrote to memory of 1480	3784	Hccggl32.exe	99
PID 1480 wrote to memory of 5044	1480	Hnhkdd32.exe	100
PID 1480 wrote to memory of 5044	1480	Hnhkdd32.exe	100
PID 1480 wrote to memory of 5044	1480	Hnhkdd32.exe	100
PID 5044 wrote to memory of 4768	5044	Hjaioe32.exe	101
PID 5044 wrote to memory of 4768	5044	Hjaioe32.exe	101
PID 5044 wrote to memory of 4768	5044	Hjaioe32.exe	101
PID 4768 wrote to memory of 1796	4768	Hejjanpm.exe	102
PID 4768 wrote to memory of 1796	4768	Hejjanpm.exe	102
PID 4768 wrote to memory of 1796	4768	Hejjanpm.exe	102
PID 1796 wrote to memory of 2852	1796	Ibnjkbog.exe	103
PID 1796 wrote to memory of 2852	1796	Ibnjkbog.exe	103
PID 1796 wrote to memory of 2852	1796	Ibnjkbog.exe	103
PID 2852 wrote to memory of 2824	2852	Icachjbb.exe	104
PID 2852 wrote to memory of 2824	2852	Icachjbb.exe	104
PID 2852 wrote to memory of 2824	2852	Icachjbb.exe	104
PID 2824 wrote to memory of 2288	2824	Ijmhkchl.exe	105
PID 2824 wrote to memory of 2288	2824	Ijmhkchl.exe	105
PID 2824 wrote to memory of 2288	2824	Ijmhkchl.exe	105
PID 2288 wrote to memory of 1304	2288	Inkaqb32.exe	106
PID 2288 wrote to memory of 1304	2288	Inkaqb32.exe	106
PID 2288 wrote to memory of 1304	2288	Inkaqb32.exe	106
PID 1304 wrote to memory of 1504	1304	Jlanpfkj.exe	107
PID 1304 wrote to memory of 1504	1304	Jlanpfkj.exe	107
PID 1304 wrote to memory of 1504	1304	Jlanpfkj.exe	107
PID 1504 wrote to memory of 4396	1504	Jacpcl32.exe	108
PID 1504 wrote to memory of 4396	1504	Jacpcl32.exe	108
PID 1504 wrote to memory of 4396	1504	Jacpcl32.exe	108
PID 4396 wrote to memory of 2412	4396	Kaopoj32.exe	109
PID 4396 wrote to memory of 2412	4396	Kaopoj32.exe	109
PID 4396 wrote to memory of 2412	4396	Kaopoj32.exe	109
PID 2412 wrote to memory of 1336	2412	Kbnlim32.exe	110
PID 2412 wrote to memory of 1336	2412	Kbnlim32.exe	110
PID 2412 wrote to memory of 1336	2412	Kbnlim32.exe	110
PID 1336 wrote to memory of 2372	1336	Laffpi32.exe	111
PID 1336 wrote to memory of 2372	1336	Laffpi32.exe	111
PID 1336 wrote to memory of 2372	1336	Laffpi32.exe	111
PID 2372 wrote to memory of 4320	2372	Nlnpio32.exe	112
PID 2372 wrote to memory of 4320	2372	Nlnpio32.exe	112
PID 2372 wrote to memory of 4320	2372	Nlnpio32.exe	112
PID 4320 wrote to memory of 2268	4320	Nhjjip32.exe	113
PID 4320 wrote to memory of 2268	4320	Nhjjip32.exe	113
PID 4320 wrote to memory of 2268	4320	Nhjjip32.exe	113
PID 2268 wrote to memory of 3540	2268	Oohkai32.exe	114

C:\Users\Admin\AppData\Local\Temp\bedeeee0ba7249856789569ce26d515b82ee9365e76cfacdf0baa04f20230288.exe
"C:\Users\Admin\AppData\Local\Temp\bedeeee0ba7249856789569ce26d515b82ee9365e76cfacdf0baa04f20230288.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\Egegjn32.exe
  C:\Windows\system32\Egegjn32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\Gbkdod32.exe
    C:\Windows\system32\Gbkdod32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\Gcnnllcg.exe
      C:\Windows\system32\Gcnnllcg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:752
    - - C:\Windows\SysWOW64\Gjhfif32.exe
        
        C:\Windows\system32\Gjhfif32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Windows\SysWOW64\Gqbneq32.exe
        
        C:\Windows\system32\Gqbneq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        23⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        26⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        29⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        30⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        33⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        36⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        39⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Eennefib.exe
        
        C:\Windows\system32\Eennefib.exe
        41⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Elhfbp32.exe
        
        C:\Windows\system32\Elhfbp32.exe
        42⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Enllgbcl.exe
        
        C:\Windows\system32\Enllgbcl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\Edfddl32.exe
        
        C:\Windows\system32\Edfddl32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\Flhoinbl.exe
        
        C:\Windows\system32\Flhoinbl.exe
        45⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Gphddlfp.exe
        
        C:\Windows\system32\Gphddlfp.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Gloejmld.exe
        
        C:\Windows\system32\Gloejmld.exe
        47⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\Ggdigekj.exe
        
        C:\Windows\system32\Ggdigekj.exe
        48⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Gqagkjne.exe
        
        C:\Windows\system32\Gqagkjne.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Gglpgd32.exe
        
        C:\Windows\system32\Gglpgd32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Hgbfhc32.exe
        
        C:\Windows\system32\Hgbfhc32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Iggocbke.exe
        
        C:\Windows\system32\Iggocbke.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Imknli32.exe
        
        C:\Windows\system32\Imknli32.exe
        53⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Igqbiacj.exe
        
        C:\Windows\system32\Igqbiacj.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Jgcooaah.exe
        
        C:\Windows\system32\Jgcooaah.exe
        55⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Jegohe32.exe
        
        C:\Windows\system32\Jegohe32.exe
        56⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Jmgmhgig.exe
        
        C:\Windows\system32\Jmgmhgig.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Jmijnfgd.exe
        
        C:\Windows\system32\Jmijnfgd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Kaioidkh.exe
        
        C:\Windows\system32\Kaioidkh.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Kffhakjp.exe
        
        C:\Windows\system32\Kffhakjp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Knmpbi32.exe
        
        C:\Windows\system32\Knmpbi32.exe
        61⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Lkppchfi.exe
        
        C:\Windows\system32\Lkppchfi.exe
        62⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\Lajhpbme.exe
        
        C:\Windows\system32\Lajhpbme.exe
        63⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Lhdqml32.exe
        
        C:\Windows\system32\Lhdqml32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Necqbo32.exe
        
        C:\Windows\system32\Necqbo32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Nkpijfgf.exe
        
        C:\Windows\system32\Nkpijfgf.exe
        66⤵
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Ndkjik32.exe
        
        C:\Windows\system32\Ndkjik32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3932
        
        C:\Windows\SysWOW64\Nkebee32.exe
        
        C:\Windows\system32\Nkebee32.exe
        68⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Oddmoj32.exe
        
        C:\Windows\system32\Oddmoj32.exe
        69⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Oojalb32.exe
        
        C:\Windows\system32\Oojalb32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Odgjdibf.exe
        
        C:\Windows\system32\Odgjdibf.exe
        71⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Okqbac32.exe
        
        C:\Windows\system32\Okqbac32.exe
        72⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Poagma32.exe
        
        C:\Windows\system32\Poagma32.exe
        73⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Pdnpeh32.exe
        
        C:\Windows\system32\Pdnpeh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Pnknim32.exe
        
        C:\Windows\system32\Pnknim32.exe
        75⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Qffoejkg.exe
        
        C:\Windows\system32\Qffoejkg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Qghlmbae.exe
        
        C:\Windows\system32\Qghlmbae.exe
        77⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Qdllffpo.exe
        
        C:\Windows\system32\Qdllffpo.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Ailabddb.exe
        
        C:\Windows\system32\Ailabddb.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Ankgpk32.exe
        
        C:\Windows\system32\Ankgpk32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Aeeomegd.exe
        
        C:\Windows\system32\Aeeomegd.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Clpppmqn.exe
        
        C:\Windows\system32\Clpppmqn.exe
        82⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Cbihmg32.exe
        
        C:\Windows\system32\Cbihmg32.exe
        83⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Cicqja32.exe
        
        C:\Windows\system32\Cicqja32.exe
        84⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Cpmifkgd.exe
        
        C:\Windows\system32\Cpmifkgd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Cfgace32.exe
        
        C:\Windows\system32\Cfgace32.exe
        86⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Chinkndp.exe
        
        C:\Windows\system32\Chinkndp.exe
        87⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Cbnbhfde.exe
        
        C:\Windows\system32\Cbnbhfde.exe
        88⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Cihjeq32.exe
        
        C:\Windows\system32\Cihjeq32.exe
        89⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Cnebmgjj.exe
        
        C:\Windows\system32\Cnebmgjj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Deokja32.exe
        
        C:\Windows\system32\Deokja32.exe
        91⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Dpdogj32.exe
        
        C:\Windows\system32\Dpdogj32.exe
        92⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Dfngcdhi.exe
        
        C:\Windows\system32\Dfngcdhi.exe
        93⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Dhpdkm32.exe
        
        C:\Windows\system32\Dhpdkm32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Eppobi32.exe
        
        C:\Windows\system32\Eppobi32.exe
        95⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Flpbnh32.exe
        
        C:\Windows\system32\Flpbnh32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Fcmgpbjc.exe
        
        C:\Windows\system32\Fcmgpbjc.exe
        97⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Fgmllpng.exe
        
        C:\Windows\system32\Fgmllpng.exe
        98⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Gpgnjebd.exe
        
        C:\Windows\system32\Gpgnjebd.exe
        99⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Ggdbmoho.exe
        
        C:\Windows\system32\Ggdbmoho.exe
        100⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Gheodg32.exe
        
        C:\Windows\system32\Gheodg32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Goadfa32.exe
        
        C:\Windows\system32\Goadfa32.exe
        102⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Geklckkd.exe
        
        C:\Windows\system32\Geklckkd.exe
        103⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Hfniikha.exe
        
        C:\Windows\system32\Hfniikha.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Hpcmfchg.exe
        
        C:\Windows\system32\Hpcmfchg.exe
        105⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Hcaibo32.exe
        
        C:\Windows\system32\Hcaibo32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Hladlc32.exe
        
        C:\Windows\system32\Hladlc32.exe
        107⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Ihheqd32.exe
        
        C:\Windows\system32\Ihheqd32.exe
        108⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Ifleji32.exe
        
        C:\Windows\system32\Ifleji32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Igkadlcd.exe
        
        C:\Windows\system32\Igkadlcd.exe
        110⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Ihmnldib.exe
        
        C:\Windows\system32\Ihmnldib.exe
        111⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Igpkok32.exe
        
        C:\Windows\system32\Igpkok32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Iiaggc32.exe
        
        C:\Windows\system32\Iiaggc32.exe
        113⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Jgbhdkml.exe
        
        C:\Windows\system32\Jgbhdkml.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Jfjakgpa.exe
        
        C:\Windows\system32\Jfjakgpa.exe
        115⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Jfokff32.exe
        
        C:\Windows\system32\Jfokff32.exe
        116⤵
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Kgngqico.exe
        
        C:\Windows\system32\Kgngqico.exe
        117⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Kmkpipaf.exe
        
        C:\Windows\system32\Kmkpipaf.exe
        118⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Kfjjbd32.exe
        
        C:\Windows\system32\Kfjjbd32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Ljhchc32.exe
        
        C:\Windows\system32\Ljhchc32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Lhopgg32.exe
        
        C:\Windows\system32\Lhopgg32.exe
        121⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Mfhgcbfo.exe
        
        C:\Windows\system32\Mfhgcbfo.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Mdlgmgdh.exe
        
        C:\Windows\system32\Mdlgmgdh.exe
        123⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Miipencp.exe
        
        C:\Windows\system32\Miipencp.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Mhjpceko.exe
        
        C:\Windows\system32\Mhjpceko.exe
        125⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Mmghklif.exe
        
        C:\Windows\system32\Mmghklif.exe
        126⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Mhmmieil.exe
        
        C:\Windows\system32\Mhmmieil.exe
        127⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Maeaajpl.exe
        
        C:\Windows\system32\Maeaajpl.exe
        128⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Njmejp32.exe
        
        C:\Windows\system32\Njmejp32.exe
        129⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Npjnbg32.exe
        
        C:\Windows\system32\Npjnbg32.exe
        130⤵
        Drops file in System32 directory
        
        PID:6652
        
        C:\Windows\SysWOW64\Nkpbpp32.exe
        
        C:\Windows\system32\Nkpbpp32.exe
        131⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Nplkhf32.exe
        
        C:\Windows\system32\Nplkhf32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Nmbhgjoi.exe
        
        C:\Windows\system32\Nmbhgjoi.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6772
        
        C:\Windows\SysWOW64\Nhhldc32.exe
        
        C:\Windows\system32\Nhhldc32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6816
        
        C:\Windows\SysWOW64\Nmedmj32.exe
        
        C:\Windows\system32\Nmedmj32.exe
        135⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Ogmiepcf.exe
        
        C:\Windows\system32\Ogmiepcf.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Oacmchcl.exe
        
        C:\Windows\system32\Oacmchcl.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6948
        
        C:\Windows\SysWOW64\Oinbgk32.exe
        
        C:\Windows\system32\Oinbgk32.exe
        138⤵
        Drops file in System32 directory
        
        PID:7008
        
        C:\Windows\SysWOW64\Ohobebig.exe
        
        C:\Windows\system32\Ohobebig.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7052
        
        C:\Windows\SysWOW64\Omlkmign.exe
        
        C:\Windows\system32\Omlkmign.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\Oickbjmb.exe
        
        C:\Windows\system32\Oickbjmb.exe
        141⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Phiekaql.exe
        
        C:\Windows\system32\Phiekaql.exe
        142⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Pkinmlnm.exe
        
        C:\Windows\system32\Pkinmlnm.exe
        143⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Phmnfp32.exe
        
        C:\Windows\system32\Phmnfp32.exe
        144⤵
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Qdflaa32.exe
        
        C:\Windows\system32\Qdflaa32.exe
        145⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Ajodef32.exe
        
        C:\Windows\system32\Ajodef32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Agcdnjcl.exe
        
        C:\Windows\system32\Agcdnjcl.exe
        147⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Bjcmpepm.exe
        
        C:\Windows\system32\Bjcmpepm.exe
        148⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Bqnemp32.exe
        
        C:\Windows\system32\Bqnemp32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Bggnijof.exe
        
        C:\Windows\system32\Bggnijof.exe
        150⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Bbmbgb32.exe
        
        C:\Windows\system32\Bbmbgb32.exe
        151⤵
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Biigildg.exe
        
        C:\Windows\system32\Biigildg.exe
        152⤵
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Bilcol32.exe
        
        C:\Windows\system32\Bilcol32.exe
        153⤵
        Drops file in System32 directory
        
        PID:7084
        
        C:\Windows\SysWOW64\Cbknhqbl.exe
        
        C:\Windows\system32\Cbknhqbl.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7136
        
        C:\Windows\SysWOW64\Cghgpgqd.exe
        
        C:\Windows\system32\Cghgpgqd.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Cbnknpqj.exe
        
        C:\Windows\system32\Cbnknpqj.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Ckfofe32.exe
        
        C:\Windows\system32\Ckfofe32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Dgmpkg32.exe
        
        C:\Windows\system32\Dgmpkg32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Djbbhafj.exe
        
        C:\Windows\system32\Djbbhafj.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Ejglcq32.exe
        
        C:\Windows\system32\Ejglcq32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6800
        
        C:\Windows\SysWOW64\Eaqdpjia.exe
        
        C:\Windows\system32\Eaqdpjia.exe
        161⤵
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Elfhmc32.exe
        
        C:\Windows\system32\Elfhmc32.exe
        162⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Eijigg32.exe
        
        C:\Windows\system32\Eijigg32.exe
        163⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Ebbmpmnb.exe
        
        C:\Windows\system32\Ebbmpmnb.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Ehofhdli.exe
        
        C:\Windows\system32\Ehofhdli.exe
        165⤵
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\Eahjqicj.exe
        
        C:\Windows\system32\Eahjqicj.exe
        166⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Fhbbmc32.exe
        
        C:\Windows\system32\Fhbbmc32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6804
        
        C:\Windows\SysWOW64\Fbggkl32.exe
        
        C:\Windows\system32\Fbggkl32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6944
        
        C:\Windows\SysWOW64\Flpkcbqm.exe
        
        C:\Windows\system32\Flpkcbqm.exe
        169⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Fbjcplhj.exe
        
        C:\Windows\system32\Fbjcplhj.exe
        170⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Fhflhcfa.exe
        
        C:\Windows\system32\Fhflhcfa.exe
        171⤵
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Fblpflfg.exe
        
        C:\Windows\system32\Fblpflfg.exe
        172⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Fhiinbdo.exe
        
        C:\Windows\system32\Fhiinbdo.exe
        173⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Fbnmkk32.exe
        
        C:\Windows\system32\Fbnmkk32.exe
        174⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Fkiapn32.exe
        
        C:\Windows\system32\Fkiapn32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Gaffbg32.exe
        
        C:\Windows\system32\Gaffbg32.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Glkkop32.exe
        
        C:\Windows\system32\Glkkop32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Gbecljnl.exe
        
        C:\Windows\system32\Gbecljnl.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7176
        
        C:\Windows\SysWOW64\Gbjlgj32.exe
        
        C:\Windows\system32\Gbjlgj32.exe
        179⤵
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\Glbapoqh.exe
        
        C:\Windows\system32\Glbapoqh.exe
        180⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Hkgnalep.exe
        
        C:\Windows\system32\Hkgnalep.exe
        181⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Hembndee.exe
        
        C:\Windows\system32\Hembndee.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7344
        
        C:\Windows\SysWOW64\Hhbdko32.exe
        
        C:\Windows\system32\Hhbdko32.exe
        183⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Ieiajckh.exe
        
        C:\Windows\system32\Ieiajckh.exe
        184⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Ikejbjip.exe
        
        C:\Windows\system32\Ikejbjip.exe
        185⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Ijgjpaao.exe
        
        C:\Windows\system32\Ijgjpaao.exe
        186⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Icakofel.exe
        
        C:\Windows\system32\Icakofel.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7552
        
        C:\Windows\SysWOW64\Ikmpcicg.exe
        
        C:\Windows\system32\Ikmpcicg.exe
        188⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7592
        
        C:\Windows\SysWOW64\Joobdfei.exe
        
        C:\Windows\system32\Joobdfei.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7636
        
        C:\Windows\SysWOW64\Joaojf32.exe
        
        C:\Windows\system32\Joaojf32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7688
        
        C:\Windows\SysWOW64\Kkkldg32.exe
        
        C:\Windows\system32\Kkkldg32.exe
        191⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Kkmijf32.exe
        
        C:\Windows\system32\Kkmijf32.exe
        192⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7788
        
        C:\Windows\SysWOW64\Kmobii32.exe
        
        C:\Windows\system32\Kmobii32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7828
        
        C:\Windows\SysWOW64\Kkdoje32.exe
        
        C:\Windows\system32\Kkdoje32.exe
        194⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Ljephmgl.exe
        
        C:\Windows\system32\Ljephmgl.exe
        195⤵
        Drops file in System32 directory
        
        PID:7908
        
        C:\Windows\SysWOW64\Lijlii32.exe
        
        C:\Windows\system32\Lijlii32.exe
        196⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Lfnmcnjn.exe
        
        C:\Windows\system32\Lfnmcnjn.exe
        197⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Liofdigo.exe
        
        C:\Windows\system32\Liofdigo.exe
        198⤵
        Modifies registry class
        
        PID:8040
        
        C:\Windows\SysWOW64\Lfcfnm32.exe
        
        C:\Windows\system32\Lfcfnm32.exe
        199⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Mbldhn32.exe
        
        C:\Windows\system32\Mbldhn32.exe
        200⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8124 -s 404
        201⤵
        Program crash
        
        PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:6288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 8124 -ip 8124
1⤵
PID:7036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcppq32.exe

Filesize
320KB

MD5
94a8ddce8b86bb554502d9644729637c

SHA1
f29840b22d5d01941a7a3e3131501a13a4133da0

SHA256
2c4625c758e355d23b9f633145b0d6e63c078b70d3062666e9a052aede57b2a1

SHA512
95cecfcc576dbc3a848bc3d9ed34d1405360a277db011baebceaceb27df960c53226c4b0f595472738dca39929a1f03838849f0a4529e2b7c7abd950fa214037

Download Submit
C:\Windows\SysWOW64\Ammnhilb.exe

Filesize
320KB

MD5
560f447b1c20404b7009856d892a9e91

SHA1
afd333324b5d7b0b4ce43af4a2ea65e3462c093a

SHA256
4ef01a2f195941c089d0b3780a29e212db10709551205be104ec8f27b836cf74

SHA512
7d510793c2e67f112c2076a70d4e8a32a36b2adc9e5f458cc7638874ae68d2e27d881ef38544cb94195b21177b5b9163e11b082651982c37c5f1c95be01b1468

Download Submit
C:\Windows\SysWOW64\Ankgpk32.exe

Filesize
320KB

MD5
9c89c0e9390095c5649e58f15af9a4dc

SHA1
952625a21caf68f3988c8339c245a2e74f1140a8

SHA256
1d679a4a6b846c89cc10bff71ced27e1f9e38cfa17956146e50ac2345b5eb784

SHA512
b42a082d0870da0d19b4c095344b95f89fc072434c865d3c13bca20a21ba0ea92acad26f5a40e9b561e2cd1d7fd37cce51501e355152e02361e57e344d7d7997

Download Submit
C:\Windows\SysWOW64\Bldgoeog.exe

Filesize
320KB

MD5
a4ccb0096136c6cded0b5d23eec42319

SHA1
d6474ec8819a84be74e0168f8dbcaee3407b44c7

SHA256
9a22a8f662907bf94c4a16f1f0e533cf6493a1be2d62622ea45cf0c603bc5e3b

SHA512
c1f8afdb3dc86cd35cc22010068d62e430ab2aa63aaa547024d40923aaec52790a5eec332bfba82d4f0654e67700f47386ca1ebc7b56464ecf6e2ca4a164295f

Download Submit
C:\Windows\SysWOW64\Blknpdho.exe

Filesize
320KB

MD5
5f4899fe6d0ce839d549ff0246135c28

SHA1
edf2f6d9d7de32815142f5eafd6dcd621132158c

SHA256
49bf2e4b50297ea60fc47a2f587f53611ef1d7de1e1ff4e4372c627b0806cd8e

SHA512
81254b813687f28eb15f798e48be4dc251bd33042c6f29dd8ea7cef9b37cc1fb3db922b571567086130a95d941ddf97b5dea6c3f5879a38c5ace72efa71a67ef

Download Submit
C:\Windows\SysWOW64\Ciiaogon.exe

Filesize
320KB

MD5
c45a4aea572b3f586696038518ffc803

SHA1
35593f433397fb8064a661c4148cd33fba5e7fce

SHA256
dcf9f2aec00fa044681e4769501df6d9fa67ab8bf6caafdd9e496ac2cc87e253

SHA512
e78c9ee6bea0f3ba4b26641f855ec4c635eb802328b4fad529781e50423dcf482c5aae8f50fe9dd9be172443bbec5a6f1db76908c972bc783ae3ff48a909074c

Download Submit
C:\Windows\SysWOW64\Debnjgcp.exe

Filesize
320KB

MD5
f17e63c1ee103efd29d1f08834fe899e

SHA1
b6b200b074003a410318067c31880e054505b672

SHA256
1edb528d55f202930cfe88f291d6d61fc0b9f6863e3e1c9dd58602fe9e16434c

SHA512
676eb4fc36d1d23fd0d0ef776b70a7c30b6e7e68558bc928d224aa41c0338db39034042c0dfa752350e67ce1530226a7c45c40f5e2713cc6bf734c47f5f31ec8

Download Submit
C:\Windows\SysWOW64\Egegjn32.exe

Filesize
320KB

MD5
30519305c6e081bdbc002f7315faf7e8

SHA1
d8a847124850aed0e959d0865e442476f2433651

SHA256
3d4dac8a241cce823a6ddbf8359ae5873df0c33223f6cc3ffe8376c65217ccf3

SHA512
ccb1887d8391a8ba6edb50926d1899a00001343c97194db1fe74476fb247ac00dc1453e2f37cfbb00129f57f6c0cc51bcdd9c491a45fbbb2f62d6c937c5d25df

Download Submit
C:\Windows\SysWOW64\Flhoinbl.exe

Filesize
320KB

MD5
fa65b2c8c11128e09f736d516ab52ced

SHA1
dd5d85ae53084750af94038a1054b115a9abcd91

SHA256
d759576b966f2bec63aa8a518f73f6f59188c14397923c5508d14153cbf46d13

SHA512
8440dcb784f6d94f2cb9cfbeef1e208f2d0be05d42c738a2f92b108eec9f957d4e2048ce6df3f9e6ac741bfa4929ae4977821015c66942c0480417010078c273

Download Submit
C:\Windows\SysWOW64\Gbkdod32.exe

Filesize
320KB

MD5
18a783dd79ce3052652af8ae577fc7f7

SHA1
3f97a17b8e855945cf12c297e7c917f61a59f3dd

SHA256
970d941d9cd06bc3b90ed907b51a056515d978e9311c1fdb41ce41e5a90c2d33

SHA512
2ac02bfb7b194aa97d07e0181949ab5a92cf938c9b259f9daf890e1de7b9a76a3257488176864ab893c16d0516b8c9fad22b3f167917b01a7a3f21992626b9bf

Download Submit
C:\Windows\SysWOW64\Gcnnllcg.exe

Filesize
320KB

MD5
d965f758b493612609d44c6b75d00116

SHA1
e7a3f96993656a70215647b8c82a475c01835e56

SHA256
32a8a07d51f2debb84076db33dd4d7def8fa25223f631411437c3f5fc9b37c91

SHA512
5cab17de25041d73eab20b92fd050c7795a68ef59114cb29fdebb2902fa5a680957a560c4aef66b36d2713c9c30b4b579b460268a5b9500141f354ecb95cad4d

Download Submit
C:\Windows\SysWOW64\Gglpgd32.exe

Filesize
320KB

MD5
dc4f0d2926b6085a19414c95ce5f2250

SHA1
888ff623c4eb36e38d5d6cfd1d264628134cc4d8

SHA256
277f91ebc642084179e442e02958554006ae50d61ff0d7d140bbd195058bfe01

SHA512
2a63c7e3cc275f26b288297effd6ea15ebf4a1b340cd97f5817088a859cc02660c685dbc1d94f3b53342bdb8e924151c2713c4a2047b2add4290b1afb8cfccf9

Download Submit
C:\Windows\SysWOW64\Gjhfif32.exe

Filesize
320KB

MD5
dbf9091bdaf682f561a9c510c7c9a753

SHA1
548b6fc4960a03daae6748c3a51071995d749b40

SHA256
de7ad5414b835f72abcd62be4602d922bccd508edd695de6e9fb15b80a0051c5

SHA512
a1d19b79ac77c71d7a8cedc02e39c937e589f12d5e6245f5184a5fcdcab8b133320de342d2684ca3b3b3fd322b33f66a789ee031fc19635acc3f60e08cfd31f8

Download Submit
C:\Windows\SysWOW64\Gqbneq32.exe

Filesize
320KB

MD5
ad389fa6d45fe39f15f48f4cffce8255

SHA1
0ede26ee56b4db871988f127dd2b7cf7667b711e

SHA256
ed91ba8f84e98a5903c4ff25a5d5fd37d92898efbd8fe7025fe715149500e15a

SHA512
319df91afb4dafc5ed2e9cf1159004751dca0d847971be719ce9f6a4f2cc86c4ae2a7846f99070544a2ac01e21b81ac5d68f60299507ae12ff4f1f0303decf6b

Download Submit
C:\Windows\SysWOW64\Hccggl32.exe

Filesize
320KB

MD5
720e21faea3a07288d7583f8d39aa377

SHA1
e597ffe0710f25b95b888e8ad56499b5a3bae467

SHA256
97006ba4ac4e7250c53fa2ee0b7fa4d2b9153cfbfea9055fcf9a0aa53708c7ca

SHA512
298e89b8dda13c6337fe2ba3798628e1a1804611f9842b939dd3505b4195f3f56b565c89c841de2e78e483ccfd426145bcacf4541a4ed10d82c575b306840317

Download Submit
C:\Windows\SysWOW64\Hejjanpm.exe

Filesize
320KB

MD5
1c073d2289380117f0de1d3c94821515

SHA1
555386738f9033db2e51bad6dd9240afbbc8738b

SHA256
6d0e9df82fd051ace933be1c9a058418b676fc9b67789761907b7d53486b8eb9

SHA512
2a0163622202f4fc966c094d9d2827b1abf2f9b8740dd7bcf5463a8687f4d9b8898f208f7f4a2edfcf529129bf9bb95a18d3430219dd77bdd0348c81e6173c90

Download Submit
C:\Windows\SysWOW64\Hjaioe32.exe

Filesize
320KB

MD5
8193f642a5ff3d6f4627f85b983b0f14

SHA1
7dc5ae92d4d6632aae2d014bdaaf8a7de1cbd85a

SHA256
d502dede34f16ba7d09d48379c3bbafff37a77a9f0ed0ce7f8332479ef196269

SHA512
e9ff7ab3536772d6ee702fe3f2bd01f6121128f522b8449407ea0848cf0903413044aa3f858ebedda3ecf56e0c084939ce2adcc9ae5146a8c58a463dbf802472

Download Submit
C:\Windows\SysWOW64\Hjaioe32.exe

Filesize
320KB

MD5
d5eb61879dccc0091b26d4f72da7984d

SHA1
4a594c0849b8eab5fc708ddd57a14422df573203

SHA256
3b32890db903b8dba3d4e908ea76c08a200cdc62a484443dcee3450b9554ac0d

SHA512
7f725996beba670e687c11a7c3207c97aa90d7899bbfe30fc9f9454ee7293967a4673eb784d61ada51dcbb74ecf7eccb7760fd7c88404ad5e9766f76d2c7ea06

Download Submit
C:\Windows\SysWOW64\Ibnjkbog.exe

Filesize
192KB

MD5
d82cacdecab71a869fd0e68c1698a3e4

SHA1
3167ff76d0101034ccd75b5b480008c6ccf20e73

SHA256
97b0f05027fe5874fd3bf65033a00205dfee3ff9e7bd930154405c08f54ec02b

SHA512
ba5ab30e8b20a5647ce43abceb6705757264e753d301487f0ea4e0a74f123212b0f5a1df2fe599eb54ad6345571b0dff01dc950fb4893016dcc7975f70fd674e

Download Submit
C:\Windows\SysWOW64\Ibnjkbog.exe

Filesize
320KB

MD5
d5a35ebde9c19fae4e6222a132419e3c

SHA1
6cb6e7365d9be5719bfc43f525e448f5becd9567

SHA256
8b5286849f193e2a5d1b45df3f4257728b8897f9cad4d1046b227fa13436a6be

SHA512
a18289656b921fc5a4413c46e274e5b7b870acbd1718211fe674e06c98fe5868f8ee547f72f2895f7852d5849a51f4f40c90dd66334c72cdb8dc47491584f1de

Download Submit
C:\Windows\SysWOW64\Icachjbb.exe

Filesize
320KB

MD5
854b61a20ef604cece200af1a35a9309

SHA1
aebe8c086a6d2574d93730625e4247d53ac4f66c

SHA256
d5bd9acbe8b55ca96ed592965ea1f2d52c11eab6bab436f4994926c1b25482a8

SHA512
d46904da55d0951a8da1cf075c97512cc2d6db87cebe47e810aaf051dec4a3d3e0dbfe883e28a5969e51cfcbdd4c4062adca80b3269e33b4439f3a7e651accf9

Download Submit
C:\Windows\SysWOW64\Igpkok32.exe

Filesize
320KB

MD5
908b01a4ac2db0e1249920cd63824b1f

SHA1
498c8ccc2dbba454608cf0236be30cddfb93514d

SHA256
806d434a5d72bf3ab71ad157faff5427ba6493ac7fae9c3bd98b8dadd217dac8

SHA512
03fc3fa0f2e83c955a1334f5390ce70a538a94728f967968960e3e04370771775b6ebb749d12b53a4cd72abe1411b439970c5de985cf9c7138b3489380d7dda6

Download Submit
C:\Windows\SysWOW64\Ijmhkchl.exe

Filesize
320KB

MD5
632a8244b681f3e71eba7a2447ce24e2

SHA1
e6ca0cd72f624c5bc0472796aa86177ccbb17631

SHA256
74f10f5b6020e158861ca1f7458c4185696a7010015b4e0c305d0b8cc8cf889a

SHA512
b27c543f99f1e6c7d3b2e54699b771911fd2892dac2ed593f4eb5aa76f96cb0a18fa9b6d4d7292f0e7dd6b52899a21c5783ee23919d0cacb4ba82edd03cfc6a0

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
320KB

MD5
8e15eeb826981bd2066ec278e1c69c51

SHA1
37b5d139240e6af6cd5324cac5d2d7adef7236e1

SHA256
9844923faff830dafd42b58e56c5497b240d2fab955d6d3d6534023eea284b96

SHA512
92c8c946459369d841ee7b99a394554a974181cfecce9752335969bad1d3448b37cbb7e93a803df397daa58bcc9fe8fdb4fcc170ec649c9b01247973bbc64c02

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
320KB

MD5
e63de9999f45f419f86feaacc9f0d911

SHA1
b427fe1a1041289bc18c0cedc947ee999368ca38

SHA256
07770a9e23d2285cd80c628581a959160f09d82fad2c858567cbd1e5bdbf1041

SHA512
1d2b03c1eafc59780962ba744c5c72d24010f9ebc72115a4c5c6f8cbb5bae1d29a7b69c19ba15227b1017e28de2ce980208efc853d11814bd593ab081bde0cb5

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
320KB

MD5
a5117331b980ad7ddbfc4ed10940c714

SHA1
c2c5a214339677ed60ed0cca66693ef2e52a46a4

SHA256
1f49eb4d248ceac4d0c7a38ea4ec6894f89fe9748d6579eefab00226e9a8df4d

SHA512
2427ed01fccdd123a775eec36090756c12f03a90b221201d67de5c8e72db7ce6273c5b38a7b35d2afddc1441ce1ed7d7251af4b0de12aeab25d3fa63cd7b44fa

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
320KB

MD5
b9a0977f5d0bec128b281abcf5c7317e

SHA1
8843502ceaa90d212e90147d098efafae22fdeb3

SHA256
869244ff2d84d1103cb1618a737da0b6835560fd65ab3684cc8b2241d0f24a4d

SHA512
7b502ed7ca478d81c51dd56e966330ba423ae39d5d9193d470622bb66e34c964329751df454ade6f84626735f6dfaf46743014092e37fafe8bb7076ea7ef021c

Download Submit
C:\Windows\SysWOW64\Kbnlim32.exe

Filesize
320KB

MD5
393b40d38a8a618e063fccd8cd3e6a78

SHA1
a40e597a8251130dcf8d0ab352ebeabcf3a2e8b6

SHA256
bfea322b54192de0a7c15c806572c3a434433aae204bd596f6f75be7c2ed1a50

SHA512
d3a5d0dafed3cc44e489b05ad9bd9cea01b8164a2d9f6b71164e4bd556a6e9fbdbce3fe993ddc2062f2f95f049378cc102375f5c66c1e0efcd54b7303a3b1976

Download Submit
C:\Windows\SysWOW64\Knmpbi32.exe

Filesize
320KB

MD5
22d9b22f63c114264f94505f078451de

SHA1
8e11ab5fb9f9848842e567aa5091069263614146

SHA256
4b5fdc2c776d1a7bcf7a6e2aa124712fc6b45f012d54f2165b72d5a149cef5ba

SHA512
ee7a6abd8769779d49d3576e90b9c2845ffe19832b72f74864a01160de4bb25e42e5cc79f5c04d83926d5ac4b14579bba8a6443fff5b1d6f5682bd94f664043e

Download Submit
C:\Windows\SysWOW64\Laffpi32.exe

Filesize
320KB

MD5
cd0913ef6996dc3031b0aa75d0a950c3

SHA1
ac56929dfd9f0111445acffeed2a658fbccfd345

SHA256
23ab12871aebbd77648b823299e26ecdfc18f7aeef147024032f70089c8a105b

SHA512
16062f65001572a8ee340c76fb90de90d5aa9171a9991ba4d0fe7ad272628e2cd11758123e07ced7fe5f3a93831002d3451817e8ea7e0bf99e536f65a2680a35

Download Submit
C:\Windows\SysWOW64\Nhjjip32.exe

Filesize
320KB

MD5
743301da9a55ff0c0c6e632a079688e3

SHA1
b2fdbbc0ddc597f1a04ca27c9aa8eef537c03154

SHA256
3585751093802baf98ddf13cb9526f6ce56601e1c01041b5c795881ad9c12de7

SHA512
567c80708c8c0f72c7f20cd5e38e520a048d0d97096c6feef41ff6bbab04ff52622d8a171636a80683221b8e17c52744b0438dea10ea8d9b843d2137eea62f62

Download Submit
C:\Windows\SysWOW64\Nkpijfgf.exe

Filesize
320KB

MD5
6504568db240887e18c80c6208118de9

SHA1
92907944e03dd5f80b6c61c342205e934ce3f283

SHA256
be4e099a6b149d6b70e9ff01d86e76a2d51806ba1cab567776987ad0d5953210

SHA512
c9db6a825f0d67cda0be112640a1d88183d5d38a68fcae902676d10828f3024d959541e926add38d09924332017b9aa6fd09034f84a34d0e75a9680f6986e47f

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
320KB

MD5
ed4a2914397a452b51e4bcaaa331a284

SHA1
138f6c59630f091fa6405d99120004f33477223d

SHA256
47a16d692e9890b8829be3b1f2b966091aba4631fd5677344eebd5bb7a1baab7

SHA512
f091ea0ed22083acac15c9c07e0796d92ed63680f81fd398d363b04eeb2734b2894565f7f5b5f7fc85b6f92eec097f6966908cfc91560c95b1f2e07fc522a3bc

Download Submit
C:\Windows\SysWOW64\Npjnbg32.exe

Filesize
320KB

MD5
e1aee590c15053e631c905203b3371d3

SHA1
e43b5d40b3dcce3563ee0ad577f39bf5f72ddd7f

SHA256
4ce29fe62b7dba25982149829a0b13d78ee836607664110611b9fe1c29e5f505

SHA512
687ec2eb8d046b3c22b439bd6519a885c2537a9a675b67337c71a4c045860a84bbedded9cf2620aa87d76dd1323ced96e590c2bc9ea173324173c3279df15244

Download Submit
C:\Windows\SysWOW64\Obidcdfo.exe

Filesize
320KB

MD5
1ab50f62827402bdd9fecfde8d19dfc1

SHA1
1808a4131f800241dd6cd2b9bf4d8e6653faef43

SHA256
b5d08ef4f73636acc6935641fb81498bc214c8190841b2380a9b6cac8846a304

SHA512
51e9cbc9fea287fc35d1d107020b926b922305e9f78dcbde37421cc0d346eb1b47748805746066964badbe0fabbb3dc18ffa5d5deae865d66eed48d66041b93a

Download Submit
C:\Windows\SysWOW64\Ofbdncaj.exe

Filesize
320KB

MD5
b720bdf4be7a5758244ecd5e234df36e

SHA1
5aa2e3bf70aff6485a3b759d3c43c6bec5ee1a8a

SHA256
1c075b13fb6391148fc6fe98b1d742ab534862b6cbe661dd2137ded9ad2f7990

SHA512
a7c933fa486c4524d33ada88c1855f124ce7092478c549b3c7fb032c87f103507422f45879f9935ddfebf9f864a20a559471d0b46cc8abe80b87d1978b863f91

Download Submit
C:\Windows\SysWOW64\Okceaikl.exe

Filesize
320KB

MD5
a74a28adcdb35553ded521ede3fde7a1

SHA1
dae6858abf5d38e4424ac5c433e8690e5cefbb24

SHA256
352851267c0aaf135a26e24a841349cbf33507c0508b66209bee33f6c7ab714f

SHA512
70e013c9d9d8e0878a6b77083747e5ee372cdd29b54f8ad5f64514f969be40741f66f0f49bd53259c4cf2fc7cac70cd21a2c445c340490b5557e91c51ba9864b

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
320KB

MD5
d517880289d35bc738679cb6062e20b8

SHA1
bf7e08f0f93f753677bd49f77e9d25de81930ac4

SHA256
cdfc980dbfa8be00f4fac0909b241cea2d617fec41bddb1ea7a9fd71bf4324dd

SHA512
d3ebc742f1d2bdc885243de1d31484c583ea0ab7ae47ca53048be88ac9548dcd1191a8e23de70dcda3b46011e4821cb9143e9a4ab1d4d2501c61a43007333080

Download Submit
C:\Windows\SysWOW64\Oohkai32.exe

Filesize
320KB

MD5
43a0a818437ff35d8e62ce6cc4e7765b

SHA1
b726884c6d0d0298879c2659aa94e2889e6a9309

SHA256
52b972c079f9096f454f811710c007fd408eb77cb0a9f62d1cb89f6f5fb97208

SHA512
77806faa857bb95b1db90382a1e96c98bb46a25751d6440dec4b6323229022d27d31f61082e2f5b5ea63969654eb650e50a1145c9813b7b4ab79c1ebf5f4ad5c

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
320KB

MD5
07a16c4846a012d88b935b5a87f692e2

SHA1
15db7a2f71a9f1a3625949507c3861d0abceada2

SHA256
223a7c5ba1cf4142e5e2fc6741489ef469ab0e60aa5db128a3d68142e76d32ea

SHA512
515dab540b901d55818ec343e793735a760ca6d11dc3c668ab8a2eb3282aebfd8a1beccd41d8e61ce2465bb9c523526de5b957964af2a318b01c5cac7ec91a2e

Download Submit
C:\Windows\SysWOW64\Pmeoqlpl.exe

Filesize
320KB

MD5
3441b59ba60971a9f52e84279282954b

SHA1
cc322d35c1b613bb046a168d54936a690c2f3739

SHA256
6fe05076e49176ea6f19d251404e03fcaac0097a464541d41e116a7d8c2ac411

SHA512
689c9a61dfbe735012b3ad041ffd99195ce57e54d1f0a6719f591097d8d63748266179d74ec08c2854fc0e3b4af869cecaf008d906fc1276650b8326ca9034c2

Download Submit
C:\Windows\SysWOW64\Pnknim32.exe

Filesize
320KB

MD5
0e66016b5ce776cb21b8e59347f62a04

SHA1
c56475a77cc21ea264eb89d3d0ed34d5d75c8f0a

SHA256
b22faa841cff235153c55d9891a991ddfc6f2a06819ba6b4121eb4c352b8c1c4

SHA512
06a8e6207d4c8a9183928683417568024ec03cdaa97e537ec8588c0a8c860b1b9699ea6553a3b14061cbbce3bc28b0f9cc5f75b67c95af23b2b5aa3f26aed2ce

Download Submit
C:\Windows\SysWOW64\Qdflaa32.exe

Filesize
320KB

MD5
b7e726a73ebcd3b12f44cc79be6316ca

SHA1
9b48ef790a31c30ab6bf015900081955a5bfd60d

SHA256
ed3e168926965610a9093da1dfc168a908b71c857ee2195686b50f9640eb9591

SHA512
cd2c343c917a53667a85bd179186b629449184ea8bb98f0f2a3cc61a51eded6b307f26a3f76663de956ff5720302a9012c254548feac41082990c2f5e6eb096b

Download Submit
C:\Windows\SysWOW64\Qdllffpo.exe

Filesize
320KB

MD5
6834e318329538a20d2c85325f02bb82

SHA1
c7ddde1aa340d49db5a3ea86d2fa7b66894cde5b

SHA256
8711cce1134c5afdaea00fb356c1b4c80bae5effa3dae83391ac6420ea4d937c

SHA512
f2e9faaf16f10493ee266d80930efa1d79fb64807dd3f9c0c7f6c828d28445d0246010f0146ce0536a6e7e76c165f1b152e71f374fb3b162dd2976341b1e2e55

Download Submit
C:\Windows\SysWOW64\Qejfkmem.exe

Filesize
320KB

MD5
2bbbf1a751a597395ae7f6a985b7dbd2

SHA1
be1a9f58c0cfa0ddd21a42343d13c0333794fcd1

SHA256
7cc0a221cbced5500ddf317fd3656b7cd004439c6182fb0055a0b8595072daab

SHA512
dbd0218c1d5af1b7e964bcf36778b2a5ac1db80215819698a29f81cf21b29e4a8d9930bd9e9282ba88748292d72acff6b75e58414412beb4a304e1294762ce2e

Download Submit
memory/456-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/512-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/636-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/752-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/828-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1080-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1120-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1172-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1184-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1304-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1336-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1424-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1504-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1548-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2004-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2268-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2412-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2852-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3196-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3628-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3648-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3660-186-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3784-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3960-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4076-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4176-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4244-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4320-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4396-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4604-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4656-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4740-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4768-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5044-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5096-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads