200c44b98984682bd85774bbdc1804ad3404ca010d9ee94ccfd89dd3f17ca489

Analysis

max time kernel
132s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

200c44b98984682bd85774bbdc1804ad3404ca010d9ee94ccfd89dd3f17ca489.exe
Size

409KB
MD5

054219a1fff99ab709a4d3053171e83c
SHA1

c9e95a76069dd6c73731d7a4840def2e49a55d58
SHA256

200c44b98984682bd85774bbdc1804ad3404ca010d9ee94ccfd89dd3f17ca489
SHA512

331bfc39233e2924c73928e9cf708654c631adb21200125f4aac8010f2ddb48a3e2ba2004ba6f7e979753b758072489bf0b6b45fd32dc9f5de60374017dc551c
SSDEEP

6144:A0Z3rZ0WdRcm4FmowdHoSuNZgZ0Wd/OWdPS2LStOshOWdPS2Ln:A0Z514wFHoS/F5fC5L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gndick32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egegjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnkfmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hppeim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eohmkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihbponja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afockelf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haaaaeim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eohmkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjmlaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eahobg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhimhobl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iimcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfogbjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iijfhbhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcnjijoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibqnkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqgmmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicgpelg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haodle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abfdpfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnobj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gndick32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipdndloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihbponja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hioflcbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haodle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidlqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjfgf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpioin32.exe

UPX dump on OEP (original entry point) 50 IoCs

resource	yara_rule
behavioral2/files/0x000c000000016898-5.dat	UPX
behavioral2/memory/5080-12-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/files/0x0008000000023541-15.dat	UPX
behavioral2/files/0x0007000000023545-17.dat	UPX
behavioral2/files/0x0007000000023547-30.dat	UPX
behavioral2/files/0x000700000002354a-38.dat	UPX
behavioral2/memory/4804-47-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/files/0x000700000002354e-55.dat	UPX
behavioral2/files/0x000700000002354c-46.dat	UPX
behavioral2/files/0x0007000000023551-62.dat	UPX
behavioral2/files/0x0007000000023553-69.dat	UPX
behavioral2/files/0x0007000000023557-78.dat	UPX
behavioral2/files/0x000700000002355d-86.dat	UPX
behavioral2/files/0x0007000000023562-95.dat	UPX
behavioral2/files/0x0007000000023564-102.dat	UPX
behavioral2/memory/220-100-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/files/0x0007000000023566-110.dat	UPX
behavioral2/files/0x000700000002356a-127.dat	UPX
behavioral2/files/0x000700000002356c-134.dat	UPX
behavioral2/memory/1348-140-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/files/0x000700000002356e-143.dat	UPX
behavioral2/memory/392-151-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/files/0x0007000000023572-158.dat	UPX
behavioral2/files/0x0007000000023574-165.dat	UPX
behavioral2/files/0x0007000000023576-172.dat	UPX
behavioral2/files/0x0007000000023578-179.dat	UPX
behavioral2/files/0x000700000002357a-186.dat	UPX
behavioral2/files/0x000700000002357c-193.dat	UPX
behavioral2/files/0x000700000002357e-200.dat	UPX
behavioral2/files/0x0007000000023580-206.dat	UPX
behavioral2/files/0x0007000000023582-214.dat	UPX
behavioral2/files/0x0007000000023588-235.dat	UPX
behavioral2/files/0x000700000002358a-241.dat	UPX
behavioral2/files/0x0007000000023586-228.dat	UPX
behavioral2/files/0x0007000000023584-221.dat	UPX
behavioral2/files/0x0007000000023570-150.dat	UPX
behavioral2/memory/4452-128-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/files/0x0007000000023568-119.dat	UPX
behavioral2/files/0x00070000000235ac-334.dat	UPX
behavioral2/memory/3196-390-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/memory/5224-398-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/memory/5272-404-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/memory/5312-410-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/memory/5360-416-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/memory/5400-422-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/memory/5500-439-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/memory/5576-446-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral2/files/0x00070000000235e0-453.dat	UPX
behavioral2/files/0x00080000000235d6-465.dat	UPX
behavioral2/files/0x00070000000235f2-525.dat	UPX

Executes dropped EXE 64 IoCs

pid	Process
5080	Ddnobj32.exe
1948	Dkhgod32.exe
2080	Eqdpgk32.exe
3464	Eqgmmk32.exe
2296	Eohmkb32.exe
4804	Egcaod32.exe
1796	Eojiqb32.exe
5024	Egened32.exe
448	Fkhpfbce.exe
3156	Fkjmlaac.exe
5012	Fnkfmm32.exe
220	Gbiockdj.exe
4624	Gicgpelg.exe
2196	Gpmomo32.exe
1328	Gghdaa32.exe
4452	Gnblnlhl.exe
1348	Gihpkd32.exe
392	Gndick32.exe
3900	Glhimp32.exe
4264	Ghojbq32.exe
5112	Hbenoi32.exe
2772	Hioflcbj.exe
1156	Hpioin32.exe
1744	Hbgkei32.exe
404	Hiacacpg.exe
2564	Hnnljj32.exe
936	Hehdfdek.exe
2472	Hpmhdmea.exe
4920	Haodle32.exe
3944	Hhimhobl.exe
2024	Hppeim32.exe
4556	Haaaaeim.exe
5000	Ihkjno32.exe
1944	Ipbaol32.exe
2128	Ibqnkh32.exe
4712	Iijfhbhl.exe
696	Ipdndloi.exe
2156	Ibcjqgnm.exe
3908	Iimcma32.exe
4800	Ilkoim32.exe
2464	Ibegfglj.exe
812	Ieccbbkn.exe
3684	Ihbponja.exe
4840	Iolhkh32.exe
2636	Ilphdlqh.exe
4084	Iehmmb32.exe
4212	Jpnakk32.exe
3776	Pmhbqbae.exe
4324	Pmkofa32.exe
4424	Pfccogfc.exe
2072	Piapkbeg.exe
1540	Pbjddh32.exe
2844	Pidlqb32.exe
1788	Pjcikejg.exe
1908	Qbonoghb.exe
3196	Qmdblp32.exe
5184	Qcnjijoe.exe
5224	Qfmfefni.exe
5272	Apeknk32.exe
5312	Afockelf.exe
5360	Aadghn32.exe
5400	Abfdpfaj.exe
5440	Aagdnn32.exe
5500	Amnebo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Iolhkh32.exe	Ihbponja.exe
File created	C:\Windows\SysWOW64\Khihgadg.dll	Qfmfefni.exe
File opened for modification	C:\Windows\SysWOW64\Aadghn32.exe	Afockelf.exe
File created	C:\Windows\SysWOW64\Nlkppnab.dll	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Egcaod32.exe	Eohmkb32.exe
File created	C:\Windows\SysWOW64\Gifffn32.dll	Haodle32.exe
File created	C:\Windows\SysWOW64\Iehmmb32.exe	Ilphdlqh.exe
File created	C:\Windows\SysWOW64\Celhnb32.dll	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Ihbponja.exe	Ieccbbkn.exe
File created	C:\Windows\SysWOW64\Qmdblp32.exe	Qbonoghb.exe
File opened for modification	C:\Windows\SysWOW64\Dgdncplk.exe	Dpjfgf32.exe
File created	C:\Windows\SysWOW64\Kplqhmfl.dll	Egegjn32.exe
File created	C:\Windows\SysWOW64\Gghdaa32.exe	Gpmomo32.exe
File opened for modification	C:\Windows\SysWOW64\Hpioin32.exe	Hioflcbj.exe
File created	C:\Windows\SysWOW64\Cimjkpjn.dll	Ibqnkh32.exe
File created	C:\Windows\SysWOW64\Cdmoafdb.exe	Ckpamabg.exe
File created	C:\Windows\SysWOW64\Fclhpo32.exe	Eajlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Egcaod32.exe	Eohmkb32.exe
File created	C:\Windows\SysWOW64\Eglfjicq.dll	Fkjmlaac.exe
File created	C:\Windows\SysWOW64\Dlhcmpgk.dll	Ipbaol32.exe
File created	C:\Windows\SysWOW64\Apeknk32.exe	Qfmfefni.exe
File created	C:\Windows\SysWOW64\Ckpamabg.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Djegekil.exe
File created	C:\Windows\SysWOW64\Fhgmqghl.dll	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Jdnoeb32.dll	Apeknk32.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Ccbolagk.dll	Glhimp32.exe
File created	C:\Windows\SysWOW64\Gbhibfek.dll	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Mbddol32.dll	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Cnnnfkal.dll	Gicgpelg.exe
File created	C:\Windows\SysWOW64\Hbenoi32.exe	Ghojbq32.exe
File created	C:\Windows\SysWOW64\Hpioin32.exe	Hioflcbj.exe
File created	C:\Windows\SysWOW64\Bkmeha32.exe	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Fkhpfbce.exe	Egened32.exe
File opened for modification	C:\Windows\SysWOW64\Fnkfmm32.exe	Fkjmlaac.exe
File created	C:\Windows\SysWOW64\Ieccbbkn.exe	Ibegfglj.exe
File created	C:\Windows\SysWOW64\Mmmncpmp.dll	Ieccbbkn.exe
File opened for modification	C:\Windows\SysWOW64\Piapkbeg.exe	Pfccogfc.exe
File opened for modification	C:\Windows\SysWOW64\Bjfogbjb.exe	Bdlfjh32.exe
File created	C:\Windows\SysWOW64\Lnedgk32.dll	Epffbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ekngemhd.exe	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Libmeq32.dll	Gghdaa32.exe
File created	C:\Windows\SysWOW64\Hokomfqg.dll	Ipdndloi.exe
File created	C:\Windows\SysWOW64\Jklliiom.dll	Ibegfglj.exe
File opened for modification	C:\Windows\SysWOW64\Qfmfefni.exe	Qcnjijoe.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Cmedjl32.exe
File opened for modification	C:\Windows\SysWOW64\Dggkipii.exe	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Ephbhd32.exe	Ejojljqa.exe
File opened for modification	C:\Windows\SysWOW64\Eqdpgk32.exe	Dkhgod32.exe
File created	C:\Windows\SysWOW64\Hhimhobl.exe	Haodle32.exe
File created	C:\Windows\SysWOW64\Hnjfof32.dll	Ihkjno32.exe
File created	C:\Windows\SysWOW64\Ibegfglj.exe	Ilkoim32.exe
File created	C:\Windows\SysWOW64\Pjcikejg.exe	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Ilpgfc32.dll	Bjfogbjb.exe
File created	C:\Windows\SysWOW64\Fjmfmh32.exe	Fcbnpnme.exe
File opened for modification	C:\Windows\SysWOW64\Ibqnkh32.exe	Ipbaol32.exe
File created	C:\Windows\SysWOW64\Qgiiak32.dll	Ihbponja.exe
File created	C:\Windows\SysWOW64\Cgmbbe32.dll	Iehmmb32.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fcneeo32.exe
File opened for modification	C:\Windows\SysWOW64\Fkjmlaac.exe	Fkhpfbce.exe
File created	C:\Windows\SysWOW64\Bbdcakkc.dll	Fnkfmm32.exe
File created	C:\Windows\SysWOW64\Fkdjqkoj.dll	Gpmomo32.exe
File opened for modification	C:\Windows\SysWOW64\Hpmhdmea.exe	Hehdfdek.exe
File created	C:\Windows\SysWOW64\Pmkofa32.exe	Pmhbqbae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6520	6456	WerFault.exe	216

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgdmb32.dll"	Ddnobj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qejpnh32.dll"	Iolhkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfogbjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgidjfjk.dll"	Qbonoghb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abfdpfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkppnab.dll"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdeeipfp.dll"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hehdfdek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdihk32.dll"	Egened32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnngpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	200c44b98984682bd85774bbdc1804ad3404ca010d9ee94ccfd89dd3f17ca489.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	200c44b98984682bd85774bbdc1804ad3404ca010d9ee94ccfd89dd3f17ca489.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnckkha.dll"	Eohmkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpmomo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldjbclh.dll"	Hpmhdmea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pidlqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihkjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgqdaoi.dll"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	200c44b98984682bd85774bbdc1804ad3404ca010d9ee94ccfd89dd3f17ca489.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gihpkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpioin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celhnb32.dll"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjccmbf.dll"	Eqdpgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egened32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcanfh32.dll"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmeq32.dll"	Gghdaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glhimp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eojiqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbhgp32.dll"	Eojiqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gndick32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhibfek.dll"	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegcnaoo.dll"	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdjqkoj.dll"	Gpmomo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfof32.dll"	Ihkjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpjfgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipdndloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcnjijoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkmeha32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 5080	2184	200c44b98984682bd85774bbdc1804ad3404ca010d9ee94ccfd89dd3f17ca489.exe	92
PID 2184 wrote to memory of 5080	2184	200c44b98984682bd85774bbdc1804ad3404ca010d9ee94ccfd89dd3f17ca489.exe	92
PID 2184 wrote to memory of 5080	2184	200c44b98984682bd85774bbdc1804ad3404ca010d9ee94ccfd89dd3f17ca489.exe	92
PID 5080 wrote to memory of 1948	5080	Ddnobj32.exe	93
PID 5080 wrote to memory of 1948	5080	Ddnobj32.exe	93
PID 5080 wrote to memory of 1948	5080	Ddnobj32.exe	93
PID 1948 wrote to memory of 2080	1948	Dkhgod32.exe	94
PID 1948 wrote to memory of 2080	1948	Dkhgod32.exe	94
PID 1948 wrote to memory of 2080	1948	Dkhgod32.exe	94
PID 2080 wrote to memory of 3464	2080	Eqdpgk32.exe	95
PID 2080 wrote to memory of 3464	2080	Eqdpgk32.exe	95
PID 2080 wrote to memory of 3464	2080	Eqdpgk32.exe	95
PID 3464 wrote to memory of 2296	3464	Eqgmmk32.exe	96
PID 3464 wrote to memory of 2296	3464	Eqgmmk32.exe	96
PID 3464 wrote to memory of 2296	3464	Eqgmmk32.exe	96
PID 2296 wrote to memory of 4804	2296	Eohmkb32.exe	97
PID 2296 wrote to memory of 4804	2296	Eohmkb32.exe	97
PID 2296 wrote to memory of 4804	2296	Eohmkb32.exe	97
PID 4804 wrote to memory of 1796	4804	Egcaod32.exe	98
PID 4804 wrote to memory of 1796	4804	Egcaod32.exe	98
PID 4804 wrote to memory of 1796	4804	Egcaod32.exe	98
PID 1796 wrote to memory of 5024	1796	Eojiqb32.exe	100
PID 1796 wrote to memory of 5024	1796	Eojiqb32.exe	100
PID 1796 wrote to memory of 5024	1796	Eojiqb32.exe	100
PID 5024 wrote to memory of 448	5024	Egened32.exe	101
PID 5024 wrote to memory of 448	5024	Egened32.exe	101
PID 5024 wrote to memory of 448	5024	Egened32.exe	101
PID 448 wrote to memory of 3156	448	Fkhpfbce.exe	102
PID 448 wrote to memory of 3156	448	Fkhpfbce.exe	102
PID 448 wrote to memory of 3156	448	Fkhpfbce.exe	102
PID 3156 wrote to memory of 5012	3156	Fkjmlaac.exe	103
PID 3156 wrote to memory of 5012	3156	Fkjmlaac.exe	103
PID 3156 wrote to memory of 5012	3156	Fkjmlaac.exe	103
PID 5012 wrote to memory of 220	5012	Fnkfmm32.exe	104
PID 5012 wrote to memory of 220	5012	Fnkfmm32.exe	104
PID 5012 wrote to memory of 220	5012	Fnkfmm32.exe	104
PID 220 wrote to memory of 4624	220	Gbiockdj.exe	105
PID 220 wrote to memory of 4624	220	Gbiockdj.exe	105
PID 220 wrote to memory of 4624	220	Gbiockdj.exe	105
PID 4624 wrote to memory of 2196	4624	Gicgpelg.exe	106
PID 4624 wrote to memory of 2196	4624	Gicgpelg.exe	106
PID 4624 wrote to memory of 2196	4624	Gicgpelg.exe	106
PID 2196 wrote to memory of 1328	2196	Gpmomo32.exe	107
PID 2196 wrote to memory of 1328	2196	Gpmomo32.exe	107
PID 2196 wrote to memory of 1328	2196	Gpmomo32.exe	107
PID 1328 wrote to memory of 4452	1328	Gghdaa32.exe	108
PID 1328 wrote to memory of 4452	1328	Gghdaa32.exe	108
PID 1328 wrote to memory of 4452	1328	Gghdaa32.exe	108
PID 4452 wrote to memory of 1348	4452	Gnblnlhl.exe	109
PID 4452 wrote to memory of 1348	4452	Gnblnlhl.exe	109
PID 4452 wrote to memory of 1348	4452	Gnblnlhl.exe	109
PID 1348 wrote to memory of 392	1348	Gihpkd32.exe	110
PID 1348 wrote to memory of 392	1348	Gihpkd32.exe	110
PID 1348 wrote to memory of 392	1348	Gihpkd32.exe	110
PID 392 wrote to memory of 3900	392	Gndick32.exe	111
PID 392 wrote to memory of 3900	392	Gndick32.exe	111
PID 392 wrote to memory of 3900	392	Gndick32.exe	111
PID 3900 wrote to memory of 4264	3900	Glhimp32.exe	113
PID 3900 wrote to memory of 4264	3900	Glhimp32.exe	113
PID 3900 wrote to memory of 4264	3900	Glhimp32.exe	113
PID 4264 wrote to memory of 5112	4264	Ghojbq32.exe	114
PID 4264 wrote to memory of 5112	4264	Ghojbq32.exe	114
PID 4264 wrote to memory of 5112	4264	Ghojbq32.exe	114
PID 5112 wrote to memory of 2772	5112	Hbenoi32.exe	115

C:\Users\Admin\AppData\Local\Temp\200c44b98984682bd85774bbdc1804ad3404ca010d9ee94ccfd89dd3f17ca489.exe
"C:\Users\Admin\AppData\Local\Temp\200c44b98984682bd85774bbdc1804ad3404ca010d9ee94ccfd89dd3f17ca489.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\Ddnobj32.exe
  C:\Windows\system32\Ddnobj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\Dkhgod32.exe
    C:\Windows\system32\Dkhgod32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\Eqdpgk32.exe
      C:\Windows\system32\Eqdpgk32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3464
      - C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        25⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        26⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        27⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3944
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        39⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        48⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        52⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        55⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        62⤵
        Executes dropped EXE
        
        PID:5360
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        64⤵
        Executes dropped EXE
        
        PID:5440
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        65⤵
        Executes dropped EXE
        
        PID:5500
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        66⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        68⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        69⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        72⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        74⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        79⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        81⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        86⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        87⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        88⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        91⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        93⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        94⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        97⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        98⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        100⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        105⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        106⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        107⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        109⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        113⤵
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6244
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        116⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        118⤵
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        119⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        120⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 404
        121⤵
        Program crash
        
        PID:6520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3376,i,7064649017625232947,17746804975634116675,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
1⤵
PID:5916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6456 -ip 6456
1⤵
PID:6488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Babcil32.exe

Filesize
409KB

MD5
2240bcac98d1907eb401a5987ac8f987

SHA1
73f479151496223f2617531ec364b986f97ea39b

SHA256
3221beda4612a6c67458dee057ef0169e4720b2a63d9453c2f3e00c1c2659b91

SHA512
16e1e77bae47419c0c273e64a7f74a5d7a3d2c7544ea09aacbeb68f4fa123e217208ca0a69da029f4eab6b1022db0971d529f9cdd68eb8b0b643b45c7e0dfc97

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
64KB

MD5
cf9b5e422836c8cb082bcef6b6097d84

SHA1
70b18e053200b8f44ced18fcb7542e352cfca0d8

SHA256
02eca34093526e798753566f8fb1d9bf41c98ff9fe2d2c145cfe7e1e1e58e567

SHA512
ab332ebcbe790e6c7168a79dbf12d33a20b06f64c7e8e4ac5fc28154ebc9c3d6ca9b71a861759dbcbcad659adc38552f77de2b47cead7d6cc9d879b0b8885b4e

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
409KB

MD5
fed9144949bd3bb7072566e4ad820094

SHA1
4f21432f4ac57cc74b0fddca0d3438ad887ebdbf

SHA256
4483bf611893dfbc8b7975d879fb27866959700d575813aa54f701247b28bb4b

SHA512
5ac7fdd22c69783c22a4e6d9299c38f0a5b1b2dfd11677cce2df992994c95b9e47f7f3d8150fdb06712f8e6e9ab411b56c4e820619443f5a4f5f0c66aff7b05f

Download Submit
C:\Windows\SysWOW64\Ddnobj32.exe

Filesize
409KB

MD5
05fd0393a2d706eb0baf5d19021913af

SHA1
713005434053aa2cb3d6c95f7c4e104bc3d8c9c1

SHA256
839ccdebe66238963821c2f8bba15eb00e7c64228644a42a2543996601e8095b

SHA512
763ea07f4ea3b0cff2d5c131f27f09c82ca3bcc03697f1419699134265b148ec2f4d02e15d80b15e1ce50f15acc4f211b56d7a195f370c1000128cf2c13c7f28

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
409KB

MD5
e894bea12522cf2f4145e784395ecd42

SHA1
686844db463485d271e822afa23c881bf249dcc9

SHA256
9cbf022e08f8bc718aaa73b147e75c3bb31630eda5e0af761ed2cb51df4e1390

SHA512
412f75d194865cf6a51f10a49252c17b622eb9df76ab4c152e0f6a58352495f80ea4a406ea9ecdf2af7c5942c0a74d4eb2cbaa47fe91da17d3b98ea45b6e9442

Download Submit
C:\Windows\SysWOW64\Dkhgod32.exe

Filesize
409KB

MD5
400ebfcdf26a3d6fee13a2db7a350b1c

SHA1
949d8bbe07d9e0496b6e1af10b41010893d77ec7

SHA256
ee9a3c6e980b10d2cb01a2ae22415de4c8d20783e667c18c108b245cf4b649c6

SHA512
e9c88c84ca0b1cbc34323bf46f7f0616de548dc6aa98eb00e8833c00c4a05fbb6ef6c80ee97411934988c4623b7f7eaac0ccab4ee05e020690c7447855ca304a

Download Submit
C:\Windows\SysWOW64\Egcaod32.exe

Filesize
409KB

MD5
9b4c56e84ffbe762f2bbc8b36dcf90e4

SHA1
3263b5febf5899daaf3d01975338ccfc0ee262f9

SHA256
640dca12a46ce1b0b5260540f7ff73db793907d22b82c3b7a46f8c529134ef17

SHA512
1bf3e9142eb1d5d4f5d08cf82a2c58adade3d526e8bfc8c908fabdea317bf05e55887d619a2002937531b3c83f97be1e57fc5649f5867060d695df771a4714d2

Download Submit
C:\Windows\SysWOW64\Egened32.exe

Filesize
409KB

MD5
e42ea31e1d6d897e479987ff3d3073b4

SHA1
68eb4aac3886e03b7b35123ea9210c7dd5d750af

SHA256
62e8d10219149d98036c6cf168848cb4849b024762d4735a3511e89a8ff0068a

SHA512
0931862d1d52dd578c7b2110abae43f438fe60661c61df12b5243debf5a75ccecd976b26dfb916f39c052c0721c3306f8291bb1a54e8886fcaeb66f8664b6cc1

Download Submit
C:\Windows\SysWOW64\Eohmkb32.exe

Filesize
409KB

MD5
4a35ffe1a5ba18189b95495d6d557a18

SHA1
b222156d4d2637715aadad467318908714690a60

SHA256
59fae84322d0e9dce71516276fd84439579de0e5c4a5ea0dbc252c0285e265b3

SHA512
c5d0858f9048f7cd1cce269fd23fc81ea54557cc7fe90b95258ad5b08048f2c53705c0238bd7216baed22b956b0881311f59236629e43c38557b2343ca61d2c6

Download Submit
C:\Windows\SysWOW64\Eojiqb32.exe

Filesize
409KB

MD5
15eeda8db5c540c9cc1486f999549206

SHA1
a167c36b6b1b5daed3d9295a8dff39656f8f12bb

SHA256
1ef2beca74d0ea4a0ad14fad6d2ff5ce72c5088c5240113aef574e1543621e3f

SHA512
4f2416be82e0ca693f2f0d143bbee651b4d7fce34cae18ea52a8b81a7fb20650d59b0c0d9027830f8d5c73401c482d1b6aaf0272578e15a85ca24ed8943caebf

Download Submit
C:\Windows\SysWOW64\Eqdpgk32.exe

Filesize
409KB

MD5
42d533598ef61e09b9588d6e29e0822e

SHA1
10e2fe8ba5634febc2dd51053828701aac8b448d

SHA256
4535cdab36600f5873d383e4ef1e2ecb3b933c55aa8139de2be6c341db8b9f01

SHA512
4a01b71fb1355bd46bdcd4a7923dc3293bacc2210681f239f98aa202153a87a4be5c0404e2824a7441956c708c63ff7075de63d5cebc51cfbe638b26856c5e49

Download Submit
C:\Windows\SysWOW64\Eqgmmk32.exe

Filesize
409KB

MD5
b29ee216a2ef96f3f4e7c4f0bd0f0652

SHA1
57b5d0970946e12471fcc57d6931cea44aa2bd9f

SHA256
db5502e86073081c08da96f592c491e94d1ab8cf8767eaef9514e40db3e3eda6

SHA512
93a6db2ce33cd01eba886dad87a88fc25fd9a37fb7717dc86436bba4b1d2ee0b27072d624c38df5d46282f91f927f000e0538f3bbf1642082dc2e2a674c7d111

Download Submit
C:\Windows\SysWOW64\Fkhpfbce.exe

Filesize
409KB

MD5
28b4a01b55162617e4c3aa6417fc274d

SHA1
9ef8f279b29000449b001f5efb9ded6cbf1a36ba

SHA256
54218c3ea90c026333c172272fcbc0e1ef4bf9b900c9814460d4a23c10efce29

SHA512
2d0736f9e2330a39dcd156120ac087935d085797aec3138362c48d75a56338c06a71c14eacb5016e65ae5924f7c2c33ed1eea8722ee14040f7fc101b31394e25

Download Submit
C:\Windows\SysWOW64\Fkjmlaac.exe

Filesize
409KB

MD5
2bc722c01a84b24868c71a4e8995fbe3

SHA1
6ab7da109f182ba9ab3832f8826f5a062aaabf40

SHA256
49a9d7f8a7de3022c3f94f341c54aa8cc921d2250e808c42d6483a0cd85002fc

SHA512
ad285d38a127212ef8bc24cfbd31180a0f9b298c3b2506b0e05b7a6a6bcb5bb2aab2f9f48b88f5d1c80ec676c259c616b0739d79df86545cf4c9e248b14c56ef

Download Submit
C:\Windows\SysWOW64\Fnkfmm32.exe

Filesize
409KB

MD5
68498d16e8bc48672f0c9d107b6bc8fe

SHA1
895d947a0ca27fabecd9d60c6c63f086c223b37f

SHA256
b1cb60a463112a65d91f4d6fc0493fd994d1c2763ab966e03bb0533e02fa4de0

SHA512
d01bc407fefa2dee12237fa6138f3d58111df7f90a5394b548578832956f6000566f11665ad1da02ed28cffe8db0c6470b0ad331fdd5eb9db063eb3e679d2b35

Download Submit
C:\Windows\SysWOW64\Gbiockdj.exe

Filesize
409KB

MD5
9774b8f2955594b8110ae5a49a84f408

SHA1
d6efe5d06425071ef679f64e11321d5f0f4e4619

SHA256
14ae7c95efde4216cb1a40454291ef5ed0a8749da9433f2408acf12de055cf63

SHA512
3deb5b28d317b2df203897dcc877195e6c3bbfdb696ae544bf24c582463229737300ee0e696d2307a3320dcf4696b80f341aed5366f2df30dcfd69944650c22b

Download Submit
C:\Windows\SysWOW64\Gghdaa32.exe

Filesize
409KB

MD5
321387a1089bd4a59d196fbc55faf262

SHA1
6274e3d4ef9daed113d4d79cb96f1d4b474e9ac1

SHA256
87450df9394b1f431dd0ea2ff0e5bc4e0b641a5286f5bc7ad5c05ffaaa951504

SHA512
7468bce8f5cf8801ef142d7fd557e81500d96ccbe3c4cd213535ade6352b576594dd2d254142ffbb0d6001de266c156261a5eb0a7981ebac265403230c772f9a

Download Submit
C:\Windows\SysWOW64\Ghojbq32.exe

Filesize
409KB

MD5
180bae4ad7becdfe0502cfa618c9306c

SHA1
524186612a9ca9ffb69f625e3b02f8743df9cae0

SHA256
0685f355dda62068ab3a6c4acf7b1ded5c3ffe0654e6befe86e117fb97567cc2

SHA512
1fbbc523a7f1596134b44ea1d00eeccdfdd1dbfd744e781240588e8041a996df33e62faf93322cc447fb6d5acd6f4f680a9a43247dffdd00860aa13db182e6ce

Download Submit
C:\Windows\SysWOW64\Gicgpelg.exe

Filesize
409KB

MD5
27271dc87be5d154e6c48a5b977be85b

SHA1
26e39c16d1b8f926607832bad5d3ad39947df217

SHA256
2fe229148d118038f8ac99eb9ba218ce87425d4469201d5a701680037850eda9

SHA512
809c9995e2ae3949514faefb44f5d0024b9eb76926c13297d9b4fd1d1e9a0f2439855bc7b4f6ed3bbab3d78bcdbd5eaa705a600de9c6d5083e27247db5f4ea8b

Download Submit
C:\Windows\SysWOW64\Gihpkd32.exe

Filesize
409KB

MD5
6a63ee12ddf67c8f958311151804dcf4

SHA1
45606d127bf216706c7a04d87f18203b62f942ea

SHA256
3f2f513db6f4cf42e7b778f599cded07e8028530c90755517cb3fbe5c4ba8b67

SHA512
7110e4be4a4170e8cbd7d9287252e6f5d7014cb1a208803403634977a446dd326a01d11d8bf1dbb30042f15048ea1aac7dc7c0fabe75c3acfb3516da4b449635

Download Submit
C:\Windows\SysWOW64\Glhimp32.exe

Filesize
409KB

MD5
796eaf73c29c477ac8c0ad9b59b18bd9

SHA1
e185201d6fa949836e5fb5b8b41b8bc8ebab20aa

SHA256
5c9dedf31d7c95882aa757b03e1d8a437b5f1e06bbeb0294d4c592930bafd30c

SHA512
b2f9cb86748fe6b678c69295c42ed61d8e702181befab3217bfc2bfa415509a0b2e4c3a4b5bccf588ec005114ada850b066c427aa3033d082c388ea1164e430f

Download Submit
C:\Windows\SysWOW64\Gnblnlhl.exe

Filesize
409KB

MD5
e897bbd28569207e3ca538faf0ae12e9

SHA1
4f1ce69f898473db4cfb5eda95d51c56ed1b19c4

SHA256
07ed5d98480b73aed4310347faef2b131c7a5d85010c4c5c300ae9fb314da4a2

SHA512
76fd188c74332282617633a41dab47b086a4253cbb405f0808cb74dd2c8f97c8636d973b77a9370f79f9e33be49f54b1f7fa890c17cc9baec0133bb79b9a15ca

Download Submit
C:\Windows\SysWOW64\Gndick32.exe

Filesize
409KB

MD5
8360edda76ce415b92c5a652f1f9bfa1

SHA1
a99440ed851ce0ae3a8e218c55998d84878b3546

SHA256
a6865e714a32dac406a9e959e76cdb8db0d6f640fc50575a01680bf30b643b9c

SHA512
aa478d753ba425eee8730fed1ccfc5b5c4b9db671eccdced86e9b9e7ecda2924b33eac871b42901df9a23179504d3f9570238644cbf659dca30109d883c8dd08

Download Submit
C:\Windows\SysWOW64\Gpmomo32.exe

Filesize
409KB

MD5
936a1e958ed7a5d0b86e6eda62ef94aa

SHA1
7da5bcc64eeb0515e4bf9c2232105dea6c6bde43

SHA256
ec488b0493d10a01d61772bf5680de7655bc84ea80175c0e27c779a8af32b88e

SHA512
632e14a54fd57868ffe7307ec5217e8497d6b5f6db47ece381ef2c249f034ebf55f8d8823e69eb8e4a660e2b6fc7414f2a624449e012a9021e0f9770187c15fb

Download Submit
C:\Windows\SysWOW64\Haaaaeim.exe

Filesize
409KB

MD5
241fba5efc08cb8dfca87e3f8edb1407

SHA1
85878b818b8fa10508aa16066e519d0cc440cc4d

SHA256
91d7553c88474b409ba0f6d6fcb8ab20dfae05cac36b9f68cacfefe396cfd248

SHA512
956e6d396d2ab01896b0c97a8b523f8457098f91c3758206f184a0189c7073e1c88fb31001174a4e6fe3e93aa7cc089fc1b07bcf9cf0cebbb9e27ae96d883a3d

Download Submit
C:\Windows\SysWOW64\Haodle32.exe

Filesize
409KB

MD5
13069dec1bca5b56b82557cbfc584ff9

SHA1
afe6cf1c992c2ae2207b283fc03c7752c0ff7220

SHA256
62a3e5fd56702a9504bb037c939b9383218543062812046dfb3d486d1db00e56

SHA512
274686b255590f68d3fa0925ae476921331536d90c3bc54404b952ed0bb82e3a85d98ab88f137baac645028147ffc3312e93c46c1ca9d2d81da9404c28c1a5e6

Download Submit
C:\Windows\SysWOW64\Hbenoi32.exe

Filesize
409KB

MD5
b02ccfce751221371c0a3a2b21f3117c

SHA1
4fc6cd12f1e330ef783abcfb17c6a4458af64732

SHA256
6faa335e50bc9a71f1003e99551514b1784ceab03cf95ff7b15b68f7c13861a4

SHA512
fd7ac12c45fa3537d69ee2adca6ff0a9164ac4cf02829179e5acc7207771c43547654b3fb64ac3611413d9311b61d80f4e656901bafae302aeb2fd2ad590e91e

Download Submit
C:\Windows\SysWOW64\Hbgkei32.exe

Filesize
409KB

MD5
83f4e6990660481659e588e6f2b1894c

SHA1
7288372c9a487d63bc419e1e0ec1b63c079d2326

SHA256
8fc7c2f3e0e1f5db9928971227fcf3cf6dfe5752c7b1c447c0453f8c0689e61f

SHA512
e9615d4a6676ee9a5fea4e9dcac841d8b0781798f231fde881bfbcb00537a2064715c37671d066d4882535070e4dfb25658b3154a2c7ee49c7631257210481fe

Download Submit
C:\Windows\SysWOW64\Hehdfdek.exe

Filesize
409KB

MD5
7bb4d0fedbd1764520a752256e69da19

SHA1
9ac845c948c2bbce98193100f01aeeca12c283d0

SHA256
a009c33e780dfa96a9fad93af934fdfc153ff1ec2ce7588a5ba967e2ca9d9bc9

SHA512
8782bd26866aded0bee6fc16cd867b1c12621ec7ec341c255a7349b245cec35ea03e04c9b44091e1488eed485b92402db4be3dd6010a25ba3a96a6c7fa81422d

Download Submit
C:\Windows\SysWOW64\Hhimhobl.exe

Filesize
409KB

MD5
84fd22e0719ea37dc0f3e3cd7a959ff6

SHA1
b2c2aa990efbc71a32e42432cdea82f146898b3e

SHA256
5cbba35e273eb16abf25f016495c0345186aae1147e2f8c80827cd25f077c3ec

SHA512
a582a989ade08c120ff36f8091050f460c86e030984a82783b4f4850838c652016b0e78551ba55d498e7572f1b52c728ddd023a3c635323d5bd2fc629b8e6768

Download Submit
C:\Windows\SysWOW64\Hiacacpg.exe

Filesize
409KB

MD5
8b9fefa09f9143e3a8740cebf804ea8e

SHA1
1c097f4ad2930f2caa7d58cc7d9f2aa5bb7aeb22

SHA256
af0a731601d7a3275487218349eb349ae007f5da53b791f2bfda03fbca5400f9

SHA512
4eb2e28f7d4757b45c654a9203d9c6db707f94ea29526cdb97c64ae7457d386e5969740f5ff793e03fe9ee4cbe1488633ecc7460cf542fb943830990d69508df

Download Submit
C:\Windows\SysWOW64\Hioflcbj.exe

Filesize
409KB

MD5
a8c8c735820b322038f57045584270eb

SHA1
a51de0e5f68cfe0a2b5cc1a57e5281e2bf3de671

SHA256
2b88e8da5445ace2da08eb1be50798cae8e110f3b9fa7452ad0221b7d0fa9e27

SHA512
c7ff28a68a8408e51dd03ab9617bbd210695bb07f7e86a398bde7f8f92309cd2d0d28b104d6882a797e2f53dde29d366498c6706c7b81101cc6a7d568ea73c0d

Download Submit
C:\Windows\SysWOW64\Hnnljj32.exe

Filesize
409KB

MD5
fc8eaeb4fa9316e6a815db25c5dd01df

SHA1
e4155223e1052c98666de06ad30954e59eaac621

SHA256
9bc01a53c8f6a0cf367a1786401530bbda2ab461a480effd0fd3d599b00d1a2a

SHA512
e231541519b975c62985be7fe61cf6dbed66c16ef47a5a27fd396908eff376e6e5b4a6afac4e5d1ed2c2f88da2282da27eb6a133eb112ad8a9763f98c77c468e

Download Submit
C:\Windows\SysWOW64\Hpioin32.exe

Filesize
409KB

MD5
f311578adeeeedc4ea348012f77cab61

SHA1
157d800519c2225e784ac9ecb538f27cff60661e

SHA256
44146ee1e1b77a868e8e04ef11cf0f14e892822eaa9aa5a3bed5966234b396a3

SHA512
593150df12cc0d43dc9d6b980d46b69e60a1391d273cc9fdb8a2e78336f422fea689afa503a40856eaa7a22eac59dca2f5bbbe15711e36c098710be700461a1e

Download Submit
C:\Windows\SysWOW64\Hpmhdmea.exe

Filesize
409KB

MD5
4aa96cc87d36869bfe4e15b70df02dd6

SHA1
cbe984dce0875af81615849a6b3bfc11ef4d1080

SHA256
7fc4faa0017a19ecfbcaaa61d9ac064efa8e035d00635a016076da88803e23a8

SHA512
57de88a4e09eb6172ac72c0bf8f3b1601116fc506cccc4a1eb30d6adf7c9c2d9014303d28c49517492a0132b2e9fdf6c62ea709647abb0fb99249947284c544d

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
409KB

MD5
1a27773f813f67db3eeafbb73c076efd

SHA1
9fc82086ab21bfbf217b86114a850bbe6f7347f2

SHA256
f3dbe8540a86e1ca7b6406db441206df47f78338db6195d7293bed6517cfe308

SHA512
b2953c8cf1801ef49fa2e9684da564a132a110398e63a6d63d3f54f9747acc0171086a4858ea6b7585ac433731e81b37de752a4d70333d1a3cf906599bc82ca3

Download Submit
C:\Windows\SysWOW64\Pmhbqbae.exe

Filesize
409KB

MD5
80e50bfebe23a13158c50295c678e9de

SHA1
dc27462328d0ebb4c78d251a895bf7881f9b1e39

SHA256
16f7f05974c352f86b9c09e6391951fd4c4c7959e990fa11454a28c8213cb71e

SHA512
f2312d2aeca3ef5f402c329c59727d8215a2ad5293858c939e03d26551f6d344b2c5c6330fc8e83fd430466efc6c8e1d5f27b7854020c5487a7914875c2df112

Download Submit
memory/220-100-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/392-151-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/448-71-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/696-328-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1156-305-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1328-120-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1348-140-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1540-363-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1744-310-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1788-375-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1796-60-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1908-381-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1944-326-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1948-16-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2024-320-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2072-357-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2080-24-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2128-327-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2156-329-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2184-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2196-113-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2296-52-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2472-317-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2564-312-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2844-369-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3156-79-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3196-390-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3464-32-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3776-339-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3908-330-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3944-319-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4212-333-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4264-298-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4324-345-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4424-351-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4452-128-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4556-321-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4624-108-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4800-331-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4804-47-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5012-87-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5024-64-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5080-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5112-304-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5224-398-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5272-404-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5312-410-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5360-416-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5400-422-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5440-428-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5500-439-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5536-445-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5576-446-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5656-452-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5696-458-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5740-464-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5788-470-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5828-476-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5868-482-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5908-492-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5948-494-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/6028-503-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/6068-506-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/6112-512-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads