1e1e33aeeab90e458882666987f19d3c20d9bf57d5be431a31bc8c04c180f67d

Analysis

max time kernel
161s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0475843ec92c8173fed819f01deb07bb.exe
Size

361KB
MD5

0475843ec92c8173fed819f01deb07bb
SHA1

8a07abc59754925e944d60c0a8e813430a508d66
SHA256

1e1e33aeeab90e458882666987f19d3c20d9bf57d5be431a31bc8c04c180f67d
SHA512

8c34197ad3187bbd01f3041c698e9d4362a432a80c6142d842967b43a7a6b4611199a3edf7a1338eb930f10c818685e908dfc1ed85ce53983ec4c7dc87715eb7
SSDEEP

6144:InWP58w7w7LsVQ///NR5fLvQ///NREQ///NR5fLYG3eujPQ///NR5f:I458w0Mw/Nq/NZ/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpinac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmgni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geqlhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaokdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipohpdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijeme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjqdafmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faamghko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfndlphp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljephmgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaqapggb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neebkkgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdppaidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeodqocd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcmgpbjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jookjpam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnanadfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqgiel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oapllk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkflpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjeklfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmlmjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jklihbol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poqckdap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqehgco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Homcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Albpff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laacmbkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlialb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gceaofmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhghge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfnooe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lglcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Golcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdhalj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idbalhho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gplged32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmbpbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphddlfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfndlphp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfjlolpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egelgoah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jklihbol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkangg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkgen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkfno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfiedfmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmcnap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gplged32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhoind32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pboblika.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhdeoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eeodqocd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enedio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjpaffhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pimmil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqbcqnph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdppaidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmgpbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkmkfncf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moomgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okcccdkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpipkl32.exe

Executes dropped EXE 64 IoCs

pid	Process
3396	Pfbmdabh.exe
5052	Ammnhilb.exe
1168	Bclppboi.exe
3196	Bimach32.exe
3552	Cplckbmc.exe
1104	Clbdpc32.exe
4308	Dpllbp32.exe
2576	Dlcmgqdd.exe
2984	Emgblc32.exe
3252	Eippgckc.exe
3324	Gphddlfp.exe
640	Hdppaidl.exe
4016	Jmijnfgd.exe
4248	Kmlgcf32.exe
2344	Mhmcck32.exe
2728	Qhghge32.exe
2972	Aijeme32.exe
2212	Bfghlhmd.exe
1676	Blkgen32.exe
2800	Cpipkl32.exe
436	Dlpigk32.exe
4520	Eeodqocd.exe
892	Fgffka32.exe
408	Fcmgpbjc.exe
1448	Ggdbmoho.exe
3524	Gplged32.exe
3868	Hlhaee32.exe
1892	Homcbo32.exe
4120	Iqombb32.exe
3124	Jjqdafmp.exe
1876	Lglcag32.exe
4952	Mhefhf32.exe
4740	Mhoind32.exe
1996	Oacmchcl.exe
4980	Ogbbqo32.exe
1140	Deqqek32.exe
628	Dajnol32.exe
496	Djbbhafj.exe
3916	Ejdonq32.exe
464	Enedio32.exe
3156	Fkehdnee.exe
2832	Faamghko.exe
2208	Fhkecb32.exe
4300	Giokid32.exe
3920	Golcak32.exe
2648	Hohcmjic.exe
4584	Iheaqolo.exe
4416	Ioafchai.exe
840	Icdhdfcj.exe
2220	Kfndlphp.exe
2116	Kmobii32.exe
4236	Kkdoje32.exe
852	Ljephmgl.exe
4436	Lkflpe32.exe
208	Lijlii32.exe
1532	Lpinac32.exe
1308	Mfjlolpp.exe
2408	Mlialb32.exe
3096	Mimbfg32.exe
1156	Pdjeklfj.exe
3684	Pboblika.exe
4776	Qmlmjq32.exe
8	Qkpmcddi.exe
1744	Qdhalj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dpllbp32.exe	Clbdpc32.exe
File created	C:\Windows\SysWOW64\Qibfdkgh.exe	Qfanbpjg.exe
File opened for modification	C:\Windows\SysWOW64\Ldkfno32.exe	Lnanadfi.exe
File created	C:\Windows\SysWOW64\Egbhgqgk.dll	Dlcmgqdd.exe
File created	C:\Windows\SysWOW64\Jhcdgo32.dll	Mlialb32.exe
File created	C:\Windows\SysWOW64\Dnhncjom.exe	Djjemlhf.exe
File opened for modification	C:\Windows\SysWOW64\Lglopjkg.exe	Ldkfno32.exe
File created	C:\Windows\SysWOW64\Mbiapehp.dll	Iheaqolo.exe
File opened for modification	C:\Windows\SysWOW64\Clbdpc32.exe	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Hdppaidl.exe	Gphddlfp.exe
File opened for modification	C:\Windows\SysWOW64\Ioafchai.exe	Iheaqolo.exe
File created	C:\Windows\SysWOW64\Ngllodpm.dll	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Qpoaai32.dll	Lkmkfncf.exe
File created	C:\Windows\SysWOW64\Cegjdgdl.dll	Habeni32.exe
File created	C:\Windows\SysWOW64\Enonclfe.dll	Kpdjbapj.exe
File opened for modification	C:\Windows\SysWOW64\Gphddlfp.exe	Eippgckc.exe
File created	C:\Windows\SysWOW64\Faecedlb.dll	Hlhaee32.exe
File created	C:\Windows\SysWOW64\Ajepci32.dll	Fhkecb32.exe
File created	C:\Windows\SysWOW64\Qkpmcddi.exe	Qmlmjq32.exe
File created	C:\Windows\SysWOW64\Embdofop.exe	Egelgoah.exe
File opened for modification	C:\Windows\SysWOW64\Qibfdkgh.exe	Qfanbpjg.exe
File created	C:\Windows\SysWOW64\Effdbcbq.dll	Jmijnfgd.exe
File created	C:\Windows\SysWOW64\Mgieqpje.dll	Iqombb32.exe
File created	C:\Windows\SysWOW64\Geqlhp32.exe	Felbmqpl.exe
File created	C:\Windows\SysWOW64\Pnimia32.dll	Bcomonkq.exe
File created	C:\Windows\SysWOW64\Kfdqfbai.dll	Ejdonq32.exe
File created	C:\Windows\SysWOW64\Ddnmnf32.dll	Iaokdn32.exe
File created	C:\Windows\SysWOW64\Moomgl32.exe	Lkmkfncf.exe
File created	C:\Windows\SysWOW64\Klpbko32.dll	Pifghmae.exe
File opened for modification	C:\Windows\SysWOW64\Habeni32.exe	Hjimaole.exe
File opened for modification	C:\Windows\SysWOW64\Mfjlolpp.exe	Lpinac32.exe
File created	C:\Windows\SysWOW64\Dlcmgqdd.exe	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Golcak32.exe	Giokid32.exe
File created	C:\Windows\SysWOW64\Pboblika.exe	Pdjeklfj.exe
File created	C:\Windows\SysWOW64\Mafnie32.dll	Locnlmoe.exe
File created	C:\Windows\SysWOW64\Egoqkpqo.dll	Nfnooe32.exe
File created	C:\Windows\SysWOW64\Edllihfi.dll	Enajobbf.exe
File created	C:\Windows\SysWOW64\Nbibeo32.exe	Neebkkgi.exe
File opened for modification	C:\Windows\SysWOW64\Icdhdfcj.exe	Ioafchai.exe
File opened for modification	C:\Windows\SysWOW64\Kfndlphp.exe	Icdhdfcj.exe
File created	C:\Windows\SysWOW64\Hlibnkcm.dll	Kkdoje32.exe
File opened for modification	C:\Windows\SysWOW64\Lkflpe32.exe	Ljephmgl.exe
File created	C:\Windows\SysWOW64\Jhbkgiif.dll	Fcmgpbjc.exe
File opened for modification	C:\Windows\SysWOW64\Okfpid32.exe	Oapllk32.exe
File opened for modification	C:\Windows\SysWOW64\Ammnhilb.exe	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Koekpi32.exe	Kpdjbapj.exe
File opened for modification	C:\Windows\SysWOW64\Mhoind32.exe	Mhefhf32.exe
File created	C:\Windows\SysWOW64\Qeddkilb.dll	Dgcoaock.exe
File created	C:\Windows\SysWOW64\Inflio32.exe	Iaokdn32.exe
File created	C:\Windows\SysWOW64\Ljfejf32.dll	Qfanbpjg.exe
File opened for modification	C:\Windows\SysWOW64\Mqnfon32.exe	Mkangg32.exe
File created	C:\Windows\SysWOW64\Ginjpq32.dll	Okcccdkp.exe
File created	C:\Windows\SysWOW64\Ggmdggnj.dll	Oacmchcl.exe
File opened for modification	C:\Windows\SysWOW64\Pifghmae.exe	Poqckdap.exe
File created	C:\Windows\SysWOW64\Eippgckc.exe	Emgblc32.exe
File created	C:\Windows\SysWOW64\Blkgen32.exe	Bfghlhmd.exe
File created	C:\Windows\SysWOW64\Mhefhf32.exe	Lglcag32.exe
File created	C:\Windows\SysWOW64\Ggdbmoho.exe	Fcmgpbjc.exe
File created	C:\Windows\SysWOW64\Ijjgbqlh.dll	Hohcmjic.exe
File opened for modification	C:\Windows\SysWOW64\Nqgiel32.exe	Nkjqme32.exe
File opened for modification	C:\Windows\SysWOW64\Dajnol32.exe	Deqqek32.exe
File created	C:\Windows\SysWOW64\Lbpfpc32.dll	Djjemlhf.exe
File opened for modification	C:\Windows\SysWOW64\Klgend32.exe	Knfepldb.exe
File opened for modification	C:\Windows\SysWOW64\Obeikc32.exe	Nkkggl32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4784	2060	WerFault.exe	248
5084	2060	WerFault.exe	248

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lglcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enedio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icdhdfcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Endnohdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkfno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cempebgi.dll"	Jjqdafmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klgend32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edllihfi.dll"	Enajobbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnpiedch.dll"	Hmbpbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnnbn32.dll"	Iaqapggb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnkplho.dll"	Mimbfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgcoaock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egikekfa.dll"	Endnohdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmkqknci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmkibl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhmcck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfndlphp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmobii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Homcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dajnol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbeef32.dll"	Fhhaclqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jookjpam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkfno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjdeo32.dll"	Gphddlfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcccjf32.dll"	Cnealfkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cegjdgdl.dll"	Habeni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkomoj32.dll"	Ldkfno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klgend32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plimpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhefhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mafnie32.dll"	Locnlmoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poqckdap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Albpff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeddkilb.dll"	Dgcoaock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flebpn32.dll"	Nkkggl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laacmbkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpipkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioafchai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aneppo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfiedfmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjnfnn32.dll"	Lkjhfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbibeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eippgckc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejdonq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gceaofmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnanadfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcgdmeb.dll"	Cpipkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Golcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baeepd32.dll"	Mfjlolpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eflocepa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjimaole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neebkkgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhoind32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjpaffhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokkjn32.dll"	Pdjeklfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obeikc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcomonkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iqombb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emhdeoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmkibl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdhalj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aohbbqme.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 3396	4788	0475843ec92c8173fed819f01deb07bb.exe	96
PID 4788 wrote to memory of 3396	4788	0475843ec92c8173fed819f01deb07bb.exe	96
PID 4788 wrote to memory of 3396	4788	0475843ec92c8173fed819f01deb07bb.exe	96
PID 3396 wrote to memory of 5052	3396	Pfbmdabh.exe	97
PID 3396 wrote to memory of 5052	3396	Pfbmdabh.exe	97
PID 3396 wrote to memory of 5052	3396	Pfbmdabh.exe	97
PID 5052 wrote to memory of 1168	5052	Ammnhilb.exe	98
PID 5052 wrote to memory of 1168	5052	Ammnhilb.exe	98
PID 5052 wrote to memory of 1168	5052	Ammnhilb.exe	98
PID 1168 wrote to memory of 3196	1168	Bclppboi.exe	99
PID 1168 wrote to memory of 3196	1168	Bclppboi.exe	99
PID 1168 wrote to memory of 3196	1168	Bclppboi.exe	99
PID 3196 wrote to memory of 3552	3196	Bimach32.exe	100
PID 3196 wrote to memory of 3552	3196	Bimach32.exe	100
PID 3196 wrote to memory of 3552	3196	Bimach32.exe	100
PID 3552 wrote to memory of 1104	3552	Cplckbmc.exe	101
PID 3552 wrote to memory of 1104	3552	Cplckbmc.exe	101
PID 3552 wrote to memory of 1104	3552	Cplckbmc.exe	101
PID 1104 wrote to memory of 4308	1104	Clbdpc32.exe	102
PID 1104 wrote to memory of 4308	1104	Clbdpc32.exe	102
PID 1104 wrote to memory of 4308	1104	Clbdpc32.exe	102
PID 4308 wrote to memory of 2576	4308	Dpllbp32.exe	103
PID 4308 wrote to memory of 2576	4308	Dpllbp32.exe	103
PID 4308 wrote to memory of 2576	4308	Dpllbp32.exe	103
PID 2576 wrote to memory of 2984	2576	Dlcmgqdd.exe	104
PID 2576 wrote to memory of 2984	2576	Dlcmgqdd.exe	104
PID 2576 wrote to memory of 2984	2576	Dlcmgqdd.exe	104
PID 2984 wrote to memory of 3252	2984	Emgblc32.exe	105
PID 2984 wrote to memory of 3252	2984	Emgblc32.exe	105
PID 2984 wrote to memory of 3252	2984	Emgblc32.exe	105
PID 3252 wrote to memory of 3324	3252	Eippgckc.exe	106
PID 3252 wrote to memory of 3324	3252	Eippgckc.exe	106
PID 3252 wrote to memory of 3324	3252	Eippgckc.exe	106
PID 3324 wrote to memory of 640	3324	Gphddlfp.exe	107
PID 3324 wrote to memory of 640	3324	Gphddlfp.exe	107
PID 3324 wrote to memory of 640	3324	Gphddlfp.exe	107
PID 640 wrote to memory of 4016	640	Hdppaidl.exe	108
PID 640 wrote to memory of 4016	640	Hdppaidl.exe	108
PID 640 wrote to memory of 4016	640	Hdppaidl.exe	108
PID 4016 wrote to memory of 4248	4016	Jmijnfgd.exe	109
PID 4016 wrote to memory of 4248	4016	Jmijnfgd.exe	109
PID 4016 wrote to memory of 4248	4016	Jmijnfgd.exe	109
PID 4248 wrote to memory of 2344	4248	Kmlgcf32.exe	110
PID 4248 wrote to memory of 2344	4248	Kmlgcf32.exe	110
PID 4248 wrote to memory of 2344	4248	Kmlgcf32.exe	110
PID 2344 wrote to memory of 2728	2344	Mhmcck32.exe	111
PID 2344 wrote to memory of 2728	2344	Mhmcck32.exe	111
PID 2344 wrote to memory of 2728	2344	Mhmcck32.exe	111
PID 2728 wrote to memory of 2972	2728	Qhghge32.exe	112
PID 2728 wrote to memory of 2972	2728	Qhghge32.exe	112
PID 2728 wrote to memory of 2972	2728	Qhghge32.exe	112
PID 2972 wrote to memory of 2212	2972	Aijeme32.exe	113
PID 2972 wrote to memory of 2212	2972	Aijeme32.exe	113
PID 2972 wrote to memory of 2212	2972	Aijeme32.exe	113
PID 2212 wrote to memory of 1676	2212	Bfghlhmd.exe	114
PID 2212 wrote to memory of 1676	2212	Bfghlhmd.exe	114
PID 2212 wrote to memory of 1676	2212	Bfghlhmd.exe	114
PID 1676 wrote to memory of 2800	1676	Blkgen32.exe	115
PID 1676 wrote to memory of 2800	1676	Blkgen32.exe	115
PID 1676 wrote to memory of 2800	1676	Blkgen32.exe	115
PID 2800 wrote to memory of 436	2800	Cpipkl32.exe	116
PID 2800 wrote to memory of 436	2800	Cpipkl32.exe	116
PID 2800 wrote to memory of 436	2800	Cpipkl32.exe	116
PID 436 wrote to memory of 4520	436	Dlpigk32.exe	119

C:\Users\Admin\AppData\Local\Temp\0475843ec92c8173fed819f01deb07bb.exe
"C:\Users\Admin\AppData\Local\Temp\0475843ec92c8173fed819f01deb07bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\SysWOW64\Pfbmdabh.exe
  C:\Windows\system32\Pfbmdabh.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\SysWOW64\Ammnhilb.exe
    C:\Windows\system32\Ammnhilb.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\SysWOW64\Bclppboi.exe
      C:\Windows\system32\Bclppboi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
      - C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Dlcmgqdd.exe
        
        C:\Windows\system32\Dlcmgqdd.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Emgblc32.exe
        
        C:\Windows\system32\Emgblc32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Eippgckc.exe
        
        C:\Windows\system32\Eippgckc.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Gphddlfp.exe
        
        C:\Windows\system32\Gphddlfp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Hdppaidl.exe
        
        C:\Windows\system32\Hdppaidl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Jmijnfgd.exe
        
        C:\Windows\system32\Jmijnfgd.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Kmlgcf32.exe
        
        C:\Windows\system32\Kmlgcf32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Mhmcck32.exe
        
        C:\Windows\system32\Mhmcck32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Qhghge32.exe
        
        C:\Windows\system32\Qhghge32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Aijeme32.exe
        
        C:\Windows\system32\Aijeme32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Bfghlhmd.exe
        
        C:\Windows\system32\Bfghlhmd.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Blkgen32.exe
        
        C:\Windows\system32\Blkgen32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Cpipkl32.exe
        
        C:\Windows\system32\Cpipkl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Dlpigk32.exe
        
        C:\Windows\system32\Dlpigk32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Eeodqocd.exe
        
        C:\Windows\system32\Eeodqocd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Fgffka32.exe
        
        C:\Windows\system32\Fgffka32.exe
        24⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\Fcmgpbjc.exe
        
        C:\Windows\system32\Fcmgpbjc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Ggdbmoho.exe
        
        C:\Windows\system32\Ggdbmoho.exe
        26⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\Gplged32.exe
        
        C:\Windows\system32\Gplged32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Hlhaee32.exe
        
        C:\Windows\system32\Hlhaee32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3868
        
        C:\Windows\SysWOW64\Homcbo32.exe
        
        C:\Windows\system32\Homcbo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Iqombb32.exe
        
        C:\Windows\system32\Iqombb32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Jjqdafmp.exe
        
        C:\Windows\system32\Jjqdafmp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Lglcag32.exe
        
        C:\Windows\system32\Lglcag32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Mhefhf32.exe
        
        C:\Windows\system32\Mhefhf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Mhoind32.exe
        
        C:\Windows\system32\Mhoind32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Oacmchcl.exe
        
        C:\Windows\system32\Oacmchcl.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\Ogbbqo32.exe
        
        C:\Windows\system32\Ogbbqo32.exe
        36⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Deqqek32.exe
        
        C:\Windows\system32\Deqqek32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Dajnol32.exe
        
        C:\Windows\system32\Dajnol32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Djbbhafj.exe
        
        C:\Windows\system32\Djbbhafj.exe
        39⤵
        Executes dropped EXE
        
        PID:496
        
        C:\Windows\SysWOW64\Ejdonq32.exe
        
        C:\Windows\system32\Ejdonq32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Enedio32.exe
        
        C:\Windows\system32\Enedio32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Fkehdnee.exe
        
        C:\Windows\system32\Fkehdnee.exe
        42⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\Faamghko.exe
        
        C:\Windows\system32\Faamghko.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\Fhkecb32.exe
        
        C:\Windows\system32\Fhkecb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Giokid32.exe
        
        C:\Windows\system32\Giokid32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Golcak32.exe
        
        C:\Windows\system32\Golcak32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Hohcmjic.exe
        
        C:\Windows\system32\Hohcmjic.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\Iheaqolo.exe
        
        C:\Windows\system32\Iheaqolo.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Ioafchai.exe
        
        C:\Windows\system32\Ioafchai.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Icdhdfcj.exe
        
        C:\Windows\system32\Icdhdfcj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Kfndlphp.exe
        
        C:\Windows\system32\Kfndlphp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Kmobii32.exe
        
        C:\Windows\system32\Kmobii32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Kkdoje32.exe
        
        C:\Windows\system32\Kkdoje32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\Ljephmgl.exe
        
        C:\Windows\system32\Ljephmgl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Lkflpe32.exe
        
        C:\Windows\system32\Lkflpe32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Lijlii32.exe
        
        C:\Windows\system32\Lijlii32.exe
        56⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Lpinac32.exe
        
        C:\Windows\system32\Lpinac32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\Mfjlolpp.exe
        
        C:\Windows\system32\Mfjlolpp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Mlialb32.exe
        
        C:\Windows\system32\Mlialb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\Mimbfg32.exe
        
        C:\Windows\system32\Mimbfg32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Pdjeklfj.exe
        
        C:\Windows\system32\Pdjeklfj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Pboblika.exe
        
        C:\Windows\system32\Pboblika.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Qmlmjq32.exe
        
        C:\Windows\system32\Qmlmjq32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Qkpmcddi.exe
        
        C:\Windows\system32\Qkpmcddi.exe
        64⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Qdhalj32.exe
        
        C:\Windows\system32\Qdhalj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Aneppo32.exe
        
        C:\Windows\system32\Aneppo32.exe
        66⤵
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Djjemlhf.exe
        
        C:\Windows\system32\Djjemlhf.exe
        67⤵
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Dnhncjom.exe
        
        C:\Windows\system32\Dnhncjom.exe
        68⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\Dgqblp32.exe
        
        C:\Windows\system32\Dgqblp32.exe
        69⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\Dmnkdfce.exe
        
        C:\Windows\system32\Dmnkdfce.exe
        70⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Dgcoaock.exe
        
        C:\Windows\system32\Dgcoaock.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Dnmgni32.exe
        
        C:\Windows\system32\Dnmgni32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3580
        
        C:\Windows\SysWOW64\Egelgoah.exe
        
        C:\Windows\system32\Egelgoah.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Embdofop.exe
        
        C:\Windows\system32\Embdofop.exe
        74⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Eapmedef.exe
        
        C:\Windows\system32\Eapmedef.exe
        75⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Endnohdp.exe
        
        C:\Windows\system32\Endnohdp.exe
        76⤵
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Fhhaclqc.exe
        
        C:\Windows\system32\Fhhaclqc.exe
        77⤵
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Felbmqpl.exe
        
        C:\Windows\system32\Felbmqpl.exe
        78⤵
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Geqlhp32.exe
        
        C:\Windows\system32\Geqlhp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3896
        
        C:\Windows\SysWOW64\Gjpaffhl.exe
        
        C:\Windows\system32\Gjpaffhl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Gehbio32.exe
        
        C:\Windows\system32\Gehbio32.exe
        81⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Iaokdn32.exe
        
        C:\Windows\system32\Iaokdn32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Inflio32.exe
        
        C:\Windows\system32\Inflio32.exe
        83⤵
        
        PID:924
        
        C:\Windows\SysWOW64\Idbalhho.exe
        
        C:\Windows\system32\Idbalhho.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3180
        
        C:\Windows\SysWOW64\Jklihbol.exe
        
        C:\Windows\system32\Jklihbol.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3884
        
        C:\Windows\SysWOW64\Jookjpam.exe
        
        C:\Windows\system32\Jookjpam.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Knfepldb.exe
        
        C:\Windows\system32\Knfepldb.exe
        87⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Klgend32.exe
        
        C:\Windows\system32\Klgend32.exe
        88⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Lbpmbipk.exe
        
        C:\Windows\system32\Lbpmbipk.exe
        89⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Locnlmoe.exe
        
        C:\Windows\system32\Locnlmoe.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Lkmkfncf.exe
        
        C:\Windows\system32\Lkmkfncf.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Moomgl32.exe
        
        C:\Windows\system32\Moomgl32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Mfiedfmd.exe
        
        C:\Windows\system32\Mfiedfmd.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Mmcnap32.exe
        
        C:\Windows\system32\Mmcnap32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Mbpfig32.exe
        
        C:\Windows\system32\Mbpfig32.exe
        95⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Mkhkblii.exe
        
        C:\Windows\system32\Mkhkblii.exe
        96⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Nfnooe32.exe
        
        C:\Windows\system32\Nfnooe32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Nkkggl32.exe
        
        C:\Windows\system32\Nkkggl32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Obeikc32.exe
        
        C:\Windows\system32\Obeikc32.exe
        99⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Poqckdap.exe
        
        C:\Windows\system32\Poqckdap.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Pifghmae.exe
        
        C:\Windows\system32\Pifghmae.exe
        101⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Plimpg32.exe
        
        C:\Windows\system32\Plimpg32.exe
        102⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Pimmil32.exe
        
        C:\Windows\system32\Pimmil32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Qfanbpjg.exe
        
        C:\Windows\system32\Qfanbpjg.exe
        104⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Qibfdkgh.exe
        
        C:\Windows\system32\Qibfdkgh.exe
        105⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Aooolbep.exe
        
        C:\Windows\system32\Aooolbep.exe
        106⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Albpff32.exe
        
        C:\Windows\system32\Albpff32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Abmhbplf.exe
        
        C:\Windows\system32\Abmhbplf.exe
        108⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Aohbbqme.exe
        
        C:\Windows\system32\Aohbbqme.exe
        109⤵
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Bcomonkq.exe
        
        C:\Windows\system32\Bcomonkq.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Cnealfkf.exe
        
        C:\Windows\system32\Cnealfkf.exe
        111⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Enajobbf.exe
        
        C:\Windows\system32\Enajobbf.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Eflocepa.exe
        
        C:\Windows\system32\Eflocepa.exe
        113⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Eqbcqnph.exe
        
        C:\Windows\system32\Eqbcqnph.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Emhdeoel.exe
        
        C:\Windows\system32\Emhdeoel.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Ecblbi32.exe
        
        C:\Windows\system32\Ecblbi32.exe
        116⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Fmkqknci.exe
        
        C:\Windows\system32\Fmkqknci.exe
        117⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Fgqehgco.exe
        
        C:\Windows\system32\Fgqehgco.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Fcgemhic.exe
        
        C:\Windows\system32\Fcgemhic.exe
        119⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Fggkifmg.exe
        
        C:\Windows\system32\Fggkifmg.exe
        120⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Fmdcamko.exe
        
        C:\Windows\system32\Fmdcamko.exe
        121⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Gmkibl32.exe
        
        C:\Windows\system32\Gmkibl32.exe
        122⤵
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Gceaofmc.exe
        
        C:\Windows\system32\Gceaofmc.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Hmbpbk32.exe
        
        C:\Windows\system32\Hmbpbk32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Hpchdf32.exe
        
        C:\Windows\system32\Hpchdf32.exe
        125⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Hjimaole.exe
        
        C:\Windows\system32\Hjimaole.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Habeni32.exe
        
        C:\Windows\system32\Habeni32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Iffcgoka.exe
        
        C:\Windows\system32\Iffcgoka.exe
        128⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Ipohpdbb.exe
        
        C:\Windows\system32\Ipohpdbb.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Iaqapggb.exe
        
        C:\Windows\system32\Iaqapggb.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Kpdjbapj.exe
        
        C:\Windows\system32\Kpdjbapj.exe
        131⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Koekpi32.exe
        
        C:\Windows\system32\Koekpi32.exe
        132⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Lnanadfi.exe
        
        C:\Windows\system32\Lnanadfi.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Ldkfno32.exe
        
        C:\Windows\system32\Ldkfno32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Lglopjkg.exe
        
        C:\Windows\system32\Lglopjkg.exe
        135⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Laacmbkm.exe
        
        C:\Windows\system32\Laacmbkm.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Lkjhfh32.exe
        
        C:\Windows\system32\Lkjhfh32.exe
        137⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Mkangg32.exe
        
        C:\Windows\system32\Mkangg32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\Mqnfon32.exe
        
        C:\Windows\system32\Mqnfon32.exe
        139⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Nkjqme32.exe
        
        C:\Windows\system32\Nkjqme32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Nqgiel32.exe
        
        C:\Windows\system32\Nqgiel32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1820
        
        C:\Windows\SysWOW64\Neebkkgi.exe
        
        C:\Windows\system32\Neebkkgi.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Nbibeo32.exe
        
        C:\Windows\system32\Nbibeo32.exe
        143⤵
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Nkagndmc.exe
        
        C:\Windows\system32\Nkagndmc.exe
        144⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Nqnofkkj.exe
        
        C:\Windows\system32\Nqnofkkj.exe
        145⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Okcccdkp.exe
        
        C:\Windows\system32\Okcccdkp.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Oapllk32.exe
        
        C:\Windows\system32\Oapllk32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Okfpid32.exe
        
        C:\Windows\system32\Okfpid32.exe
        148⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 400
        149⤵
        Program crash
        
        PID:4784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 400
        149⤵
        Program crash
        
        PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2060 -ip 2060
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aijeme32.exe

Filesize
361KB

MD5
17f69fd117035071d888f1303438b95f

SHA1
f48130d90d8b514ba9d3073c8b58d975670afce5

SHA256
9e5d93ac37d929799267dafbc3909b432eed9891a9243650388337437c89b750

SHA512
c529438c5032d9d530878e7c3a6946562de288b900c605ca5b1200ced8e7d994e9755be05929d446bf50ba5615bafd651ff5fb042e4be03cacc2df837ff344ba

Download Submit
C:\Windows\SysWOW64\Ammnhilb.exe

Filesize
361KB

MD5
77695c2f67910ad71b3bba93d8a234b2

SHA1
59e0e70bcd71b23997afbb6f2d22be86a6a022c6

SHA256
587ba2cd3b10211125353f390c43573ac04cfb1fa5817454adacd8d07c58077c

SHA512
9a4a42edd5359d1a992a5fc93989d6ee188f09e3f5bcdc5e039940f9fa8610e34a4254c969a11745d6050d655703849c11e12f505d69306dd9df0eb77b41d9b3

Download Submit
C:\Windows\SysWOW64\Bclppboi.exe

Filesize
361KB

MD5
ae1380d569f597cd1a5829988bb719e8

SHA1
c6165ad6ad49a3a11f0adbbad186753e14c830ad

SHA256
ebf1e6b39164fd26f4aee0d642af4ebf94c6a42dcfd07a727ac6fef82e811834

SHA512
65fc50cdd340e3892669bd516a31e9ebc802e05145019b85d9f80edab9599521aa57642c23aef53f9977d65eb7bf932accd872d3a212b8f800f4e5a8580faddc

Download Submit
C:\Windows\SysWOW64\Bfghlhmd.exe

Filesize
361KB

MD5
e719de134a6cdc098f96e880ed941308

SHA1
dec7afab4304d231b201fd0715ce4898d4592cb6

SHA256
9a8cbfc637d5e8111b51ead246a21b1f5374f80bda2c7a2bb26fd01bbe34a740

SHA512
7077b64e20d6be8740959126d04d5ebe0e69a3d28c3e6b2ef98fd485215250715504ac9580ba2864618734e38f071302d18d1f1608e9845f58f047e1a3575708

Download Submit
C:\Windows\SysWOW64\Bimach32.exe

Filesize
361KB

MD5
074f2445fc4fbec636b0d1c29f015b1c

SHA1
0feffc5e38df5c2ae925ee7b212a543dc26bb1c5

SHA256
844bdb13add69223cfe50389ad65071bc84886f7d6cf15f74c8d155b0e5fb5cc

SHA512
1a0365e3bab824d5d8476c0035d905952a5adef9505b516146606c39660e1b4be75123b0891e19ed283fd82a88d23d3bb99820afa349e45999e18aebc5b92f5f

Download Submit
C:\Windows\SysWOW64\Blkgen32.exe

Filesize
361KB

MD5
7c604f1078a6db36c75aeb100f1c8ac1

SHA1
648000caa36f313d65848e5d7b7452bb6ed9833e

SHA256
dbc418f5a0fe172d5206c599a36d4c72addb1b6e651e7fac26fc010c5e23d28b

SHA512
4c665fdc35ca2d206ec59848fc707542f6bbfcd959f1d279b767d2a063b11de5708263216a54441727e3035a0bb31f5ee97295b1bc4a869c5c8ffd449d88155c

Download Submit
C:\Windows\SysWOW64\Clbdpc32.exe

Filesize
361KB

MD5
f668e78a4f1e5291a58e983a62469f60

SHA1
2a3e81a125e84d513ef5707f84933fddd4870c35

SHA256
d4968cf90f9d155efbbf8d92c8d63843665ccc7d584e7b8b667d47c3bdb62cf5

SHA512
58ee965b7e243ec9b61c02585517e9e4817bb64d86dcf755dcb8c88b3f9c7b49cf1fe4b0950b4174ad2024b2bdb4139298587252f71cad248565dd4cd8254a9f

Download Submit
C:\Windows\SysWOW64\Cpipkl32.exe

Filesize
361KB

MD5
639cec9f48c3fd5635fe9a7f133cb5d2

SHA1
1d5f3a9220bc4b04a5612ecec01f38335d888e51

SHA256
5d8bff9a0590573249c3d9b935af13ae10178910f274e9f632b7613814283dd7

SHA512
15fbf83fe9d1a0af26406c9dbd155256d0897295ca93b3a297a66fa8cc4303d0ef41d25b88612215055ae14a98083764f9c9bf53004ddc97ffa89e657741c9a6

Download Submit
C:\Windows\SysWOW64\Cplckbmc.exe

Filesize
361KB

MD5
7e050d7032d4fd6bcf659342d8b8531d

SHA1
42a355b9953cad436c784d52e6ea5fbca1a41767

SHA256
3902ae88bc20ebc8a7e7aeac628807fb8c070634deb7108fdac33b40e0b41574

SHA512
1458a87f0ab1d0ee98a53db5b9f93a9998d350e4519bac6337ffb9189f958032d5d64db8e5dbc1be5a20414a03aede22273eed1680ef0fae42c9be16fd4c3479

Download Submit
C:\Windows\SysWOW64\Deqqek32.exe

Filesize
320KB

MD5
4e223f74dd15b7b9c74a5c58dfd185ff

SHA1
06031f306685fb9a96191fb6187f6759aa299cdc

SHA256
1ddbfe05e22c0964c62da186b77be0a7f1bc9594b4bce67350553b83e560fbd4

SHA512
070e87e58d5eb7a8f4709a1438d740da7b3205e10217e72136979a53e611fef25a320a75887ff9455d5be13676af8925736cd621eade0514a5e981f83d09dd71

Download Submit
C:\Windows\SysWOW64\Dlcmgqdd.exe

Filesize
361KB

MD5
681d19d6288daef1a4eef7c25891f591

SHA1
bb3d34c0b9fbc76b6045b3be590010b5f869d603

SHA256
3d934a6216e43f0a94b475611f0623ffa47c19f5c7a5bc96977f4dc3db72d6d2

SHA512
60ecd87f2ecb5e3ee0cb24808a5d9bb07f9adfcbf842f876823c35f3f35f395d9c23d380b387b5fd7967d9e0fb2071493c9b8e9b6e8c2af9d0b9744fc6f722ac

Download Submit
C:\Windows\SysWOW64\Dlpigk32.exe

Filesize
361KB

MD5
b45e077afb42c88673abc4dca770ff05

SHA1
e2e8ac379061cfae6230a91215ed548e6dd25238

SHA256
114de133c3a17a751923579a961b1f6072c6c02046f84d6943f1f021f297a5b6

SHA512
03743045be97284208b8dbcf0be44781272de2fc274165ad1a8ff28dbbddc216bc818ae317a1e1d992e6167a441eefe6d6f9fff2bf222046e609803edfa0d91c

Download Submit
C:\Windows\SysWOW64\Dpllbp32.exe

Filesize
361KB

MD5
04005edf9604803246210cc8d6e79904

SHA1
82b304c9ac53fab4751fa3f94dc9b4698998e02b

SHA256
ae6ad7a027b1d00368a86801a095189dab5b537a2bd8cc98c65d342bf62df01c

SHA512
12d8f5a70404c7605d6699ec4b0646c36d9323137030f1956fde66eecc7d6cda801c56c258af2dd5db64a4807d7d393ea21e37e625f9110fd3b83ae1e4374caa

Download Submit
C:\Windows\SysWOW64\Eeodqocd.exe

Filesize
361KB

MD5
d3d2b87d6ead1f3633f33e4c567c9a14

SHA1
71f62a25ea2959692e36b9ae9f1d006bc1b55274

SHA256
cf339a9123e415f625830614c33f847522ab192f915c2f9a0fa34255e5f621b0

SHA512
af3e17f823ecda05f1a4251ede6ddce782a5d23271cdbce553ce57df27dbe661509d9462b5c1a8a100ec7573d740e9e462acedea20d29bb8b10cd24146dc8e4a

Download Submit
C:\Windows\SysWOW64\Eippgckc.exe

Filesize
361KB

MD5
b72cc3ed1cb6059a4075b17a75d0399c

SHA1
a27944f81eae6ba9ec5067912ca49e1ea1b6a684

SHA256
a02bdeece52dd37f6cc1cb0ca9d31f1b66b5a23e1eb4a073136c758f2410b5b1

SHA512
b9742c5887a996bd78f2b89c9c86187ec49cda31bf658ef2328be4089e5b4a47902d6f9537b65ab251f02ef85e9fda172d944b6d9da22b60f3136c319e1ca139

Download Submit
C:\Windows\SysWOW64\Emgblc32.exe

Filesize
361KB

MD5
e8e530108dc8e12443031182ed0c5389

SHA1
ac3f724b3b0d0467372a203ab4c3b80f9ddcf7aa

SHA256
0859b6dd9d66cc369ad727b9dfe19d56caf18c34734f98414cb45e8f5985263e

SHA512
75c3e3d7b511bed8eee5906fe27591458543efb70e76cc1db6620d62bc704256cfb824e685d0e5b7007b8b597e94e85ba15991555342f43b82f347975b2b5114

Download Submit
C:\Windows\SysWOW64\Enedio32.exe

Filesize
361KB

MD5
0e84d17f295e05cbb0e077dadc10206e

SHA1
f4320bfa474275395acaa7eeae175d91f257b475

SHA256
65d5ee3d0ba3ace45fdf92ad21b90836cb8bf0cfeed75b0d18393924797221be

SHA512
f72615dc19d9d31a77a896044c8e0091116beea20488c5682252a0aa1313887409538520de6bd461cb44e85c5c4806d4f68fcf356a614f5a64b29abb16348943

Download Submit
C:\Windows\SysWOW64\Fcmgpbjc.exe

Filesize
361KB

MD5
0af689c1d458fa078016a873beb3f06f

SHA1
f4fdecf2eae47b0f960c5751ba08b790a1cb885d

SHA256
839867314857161c1dd452739dda9473717380bfb9c99e38f07db3e740191782

SHA512
371d5e555250ca8f29d77853d53ce254be3072a4725c4c5128b9c40f3c5094a16d24f47b6eaf6e4e61270301054ce50673aba042545919532e08866a1ec31c6e

Download Submit
C:\Windows\SysWOW64\Fgffka32.exe

Filesize
361KB

MD5
c4a1947ed933e93465029c3ad958b15c

SHA1
014f1756b00b49efe8fc50f2cc4d84fa7b1e64b2

SHA256
2d15fb517d72f142c6d565b4e98959c54eeab10ed2e5a52905b7ed3b58f14b3e

SHA512
9de6bc93d664e76e0a1b7b0aa0fc19d6e40d99d520e1d1bfc1bbe1227f2f2e767c58a9dc9851a016790ff3938027a9bc681c1ce77ec431bc9fdc99439f187bf2

Download Submit
C:\Windows\SysWOW64\Ggdbmoho.exe

Filesize
361KB

MD5
eccd96b1533d04f10b42e62fa3ce4b08

SHA1
9c280c0f11a81ba1d2fc5f9e0e0e99126e4d0e67

SHA256
cf8475842ab8234a4f99e8aeae145b1d0992b1208aad86b69696b6ed7281a59f

SHA512
24000f5e50c62bd404d739e419774aab8b870a8558b6b4f1b7c377f078bc9d68b64cd3221c1256d78004c811c28ccffaf5553f2b56cbedabb19fb400fd5f127a

Download Submit
C:\Windows\SysWOW64\Gphddlfp.exe

Filesize
361KB

MD5
27bd6256c560ad89a3b209d4b5203027

SHA1
b7b7ddcf30f5ce7eabb1a53ef07909567a5a50c1

SHA256
e18e987f33e18de7ed4948d232f8c46380eaff889d99383e8fd7665e7f8ba82e

SHA512
7dfd96a8922367e3ecbae2189d6e854908839f13329a411d77f88db931bba79d6d474cbabe83f9e18e18a622763a42932cbd5fdeb9e5f53e23a9873e14c6cf24

Download Submit
C:\Windows\SysWOW64\Gplged32.exe

Filesize
361KB

MD5
f49f9e9b8eacd80b08d5e4a87a4b7d1a

SHA1
d8e34d07fd96257b407719dffe578cb9dfa961c4

SHA256
f24cdf10679969a4b2a12f197e21cc94bd4165ad8e37c3fdede987b346b294f7

SHA512
59f0ff7e9cdabdbfb31322a1bac3e16575ac9b2a9637239edda2d1dbcf263dd55204aa3c4f826cabb72fc9ca4857e93417a8d67065ca7c8abc33d57dfdf2b39e

Download Submit
C:\Windows\SysWOW64\Hdppaidl.exe

Filesize
361KB

MD5
e6613c77290628356635207fd206cab2

SHA1
3718b005ded86546214f8ce421bfeda19ea91101

SHA256
09ae7ebeedf926e75ea21a71160aad541d9c0e642729342fcfc52b756cd09bd8

SHA512
30a4a5a73f1b3982704094ec5f8e330ef50ef94db1003f3b48cb3ff9aadb9cace375cd968823d9221a1a7e8020b198d0e4335bd075882752ec37f62a4ba789f0

Download Submit
C:\Windows\SysWOW64\Hlhaee32.exe

Filesize
361KB

MD5
67fdff5112a0e7589e3435708ea87d64

SHA1
d1792ebac47104b1e95732b21c08314048a16953

SHA256
090cc1cc629a6dbba5d22b594e223a3b84f97060482ab5aaf0b21d15ed021b7c

SHA512
7ea79efd3d1bd137ae049c78c6b940b6f9d5547d0102e426781d241da1a5fb3313bb2a30f34e71c2bd918a6c8c6a2ce077872bf0d2667e47a74475a693a5c3ff

Download Submit
C:\Windows\SysWOW64\Homcbo32.exe

Filesize
361KB

MD5
50846c3525e3eab108e2858c5349028d

SHA1
445c85017ff0998d0964fdc35f0a8a0b003ccee9

SHA256
1ae9ed48d21a24cb6684ea30fdae935258fc5e600b78465ac47fe8f0f8f65057

SHA512
b12d989b893a7e75c995da5d055ff29a80658964a2ed44de1c0abfe8f21b61548eefa744885a165dfe2055e97b02569476e2c81483af6e6b11db8a1234723980

Download Submit
C:\Windows\SysWOW64\Iqombb32.exe

Filesize
361KB

MD5
83e8e9bb7ebfb558cd20887b92c701b8

SHA1
62926ad74155236ce9c965302235bd10e080be0d

SHA256
4db738db647aef9493c10d93a47c631cb746e0f56959801fd4a7e7280da21423

SHA512
28895f10ea729514b473c4f6e6c189a507d1e95caf0bb701159baeb3b8aaade8fc011395558bf7bec754647ffeacadf100965703cc5934a373c0484b004de5ec

Download Submit
C:\Windows\SysWOW64\Jjqdafmp.exe

Filesize
361KB

MD5
23b0679cd342b993a2d1ab7f0261d1da

SHA1
516696a55e6ed86e98e8f63aadccbb34291843e1

SHA256
17c49bab114361b66ad40af8be575cec4dd1ff709e1a6358073ae7b0b217e929

SHA512
87e901a9453572c14170194befe79165a9d5882286f15f6c3510ea97ae3880094da3c4b4e24445e7e8846f8ca7528bd0c2fc2f6e2e6c7c911193a408861f8cd5

Download Submit
C:\Windows\SysWOW64\Jmijnfgd.exe

Filesize
361KB

MD5
b43fc299a72e105a1eaf3fb15dfe4813

SHA1
4bf57e08eff042a371aa6c2642398f98c701a445

SHA256
8844501fc2c66f3c50e6d8066a2b9f319329935b5d7e570f80324d3e6fd018a0

SHA512
0eaf10637d7a462c57f7a4c0e616edbe1be92542ce38a3cd4be5f455440ad3105c3bb05a3929b39d346ef50fa6cced10854cb4240772c53692a4ae645764fc30

Download Submit
C:\Windows\SysWOW64\Kmlgcf32.exe

Filesize
361KB

MD5
e504f135d19e1bdc7f6eb7048d8d7b36

SHA1
bf1ca66055ba51f1224390ee8224de51942a322b

SHA256
3cedee6ca2efb4beab30a1dac396e9244685aac36f266fd491ae08e33d7aa6b9

SHA512
4d48cbd05d61f04d3b45f87b82f41ee7df69c8b9a9cb2fc4e40edb92c9f0aa197d76b0f7d9e6e148135fe83150c50640684dee10626dfdd8378027fe2cb16129

Download Submit
C:\Windows\SysWOW64\Lglcag32.exe

Filesize
361KB

MD5
90008bb164b0fa91a7ca0d33dda6e5c0

SHA1
2a7fa1c9f5ae47df14ee561349e62d8fe6048a09

SHA256
9350f1cb08b4d9c8f1a401fb775d7584a4d82f52dab022d078b7121764a6806c

SHA512
24ceaafdd7bcfbb6cc01db50b26dee9b5d1dcefa6f8cac7a1977ccc348a92ac6bfdeb3103f388b436a2d11a7391014c342da4d9a679e6d4a458c29ea93295d54

Download Submit
C:\Windows\SysWOW64\Lpinac32.exe

Filesize
361KB

MD5
8cba966f8947d8dc1fea729b20d14346

SHA1
f6b75d708bd4296a81883b03503c959e8a751e73

SHA256
2b762ebfa755db4295556f082c66b0fd4ca2012f1cbcb5824bb6ed22137c29d0

SHA512
63a94faf83bb173244a91c7bc08876c686e37cb05354526e21328148ac6f8839c4c35b55898201f08adfdc06a1e4ae3a0569a617f93c7e16c7b23e468cdcba98

Download Submit
C:\Windows\SysWOW64\Mhefhf32.exe

Filesize
361KB

MD5
6b055b019c86e2e45ce78e351deb65ba

SHA1
b445d64c92ceead8c571a99d2b49e76e720ada9b

SHA256
0e05297c2c28e2da107ebfd4eedff69db05fa3ff587a60a69f89f9a88e202bfc

SHA512
e827767eddff09d8b96b8acdc3bec5c19497be843c2789626177c24a9167f2c05b4b90180e97c5fe2186bd45f96105fd78a930a5ac6f38bbc2a279ac7d7d5feb

Download Submit
C:\Windows\SysWOW64\Mhmcck32.exe

Filesize
361KB

MD5
0d0275846b8dc6ca6ec7c3686990cc61

SHA1
7af533a1c940b0d72136f1a228dd42301723058a

SHA256
515d4c432d4c56d8ba83b998524384c78b51e810f26ed2424ba1f3f8393adfb1

SHA512
74dac6b2b1a648b90c3c42112f3d557c101f16a0989f3b5527ebc05373be4cc92febbfd5d4a873d7beb12f2338b8a1bcae1c759e721c9070485f6f0167e113e1

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
361KB

MD5
319e76e0a3c10e2e0e5c53c24c7e6d04

SHA1
4af561f5d4ca5ecde4d42ac80bd4fa5ab18bb472

SHA256
0a5e520fb256f0bd5944cd627292ac367c7839238dede82d5b8c4ebd46ccc6e3

SHA512
b7bae63546e939143c3ea1aad79b6b38b1fb3624538cf746b1621a5abfcfd832f803865248cc63b190ef9b173d2c7b305409e2f571a51f6621986556f1ce8f59

Download Submit
C:\Windows\SysWOW64\Pimmil32.exe

Filesize
361KB

MD5
1a82f4b1f8d044d2e2bcff0e6354e4ce

SHA1
fa50f5d9f11a3bf1719f31507df6e31bda49b665

SHA256
9eabdbf839702f60957c6375407ea0b73fd3eea3a471981dfd03989b09d5c056

SHA512
edaa4f85f2f3e9d9909c25f184af80a15395cc977a6ad6677267a1ee505af68fec720d0b70bc00a0bf4fa8645a9887dae3f990c378185c94e4834b8489fb3fab

Download Submit
C:\Windows\SysWOW64\Qhghge32.exe

Filesize
361KB

MD5
35696fc4243b160b6409d0d2af192afb

SHA1
e4dcdd73b85290351cab46e0f22cf11afb011617

SHA256
875cdb7b297062e97e4b7dedb424c3e916ebf85588549bfcfcfb1e8880f19fba

SHA512
9fbee005ee031f368b416a2e402481fba20d03c57419cbab54f789e655b5d135fe6650c78a0446eabf86d63ef30dfa9c26ac3c128878a468244933e72fb63d0f

Download Submit
memory/8-496-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/208-441-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/408-207-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/436-179-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/464-344-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/496-323-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/628-322-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/640-98-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/840-406-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/852-433-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/892-196-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1104-50-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1140-320-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1156-472-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1168-25-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1308-454-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1448-214-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1532-452-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1676-164-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1892-238-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1996-290-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2116-415-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2208-370-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2212-151-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2220-409-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2344-123-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2408-460-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2576-65-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2648-386-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2728-131-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2800-175-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2832-352-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2972-146-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2984-73-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3096-466-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3124-262-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3156-346-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3196-33-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3252-87-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3324-90-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3396-10-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3524-227-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3552-41-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3684-479-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3868-230-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3916-331-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3920-379-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4016-106-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4120-246-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4236-421-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4248-115-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4308-58-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4416-394-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4436-439-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4520-189-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4584-388-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4740-280-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4776-485-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4788-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4788-82-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4788-2-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4952-274-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4980-302-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5052-17-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads