40bd30251cdcb088457bb6f88734fac3aaf7fe98f533109e59195f0826c04315

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40bd30251cdcb088457bb6f88734fac3aaf7fe98f533109e59195f0826c04315.exe
Size

76KB
MD5

371208e3c1338e1590f657aee2b9a6e9
SHA1

491c26abcfbdb71e2cf6f69d5c898ebc54b2ca8a
SHA256

40bd30251cdcb088457bb6f88734fac3aaf7fe98f533109e59195f0826c04315
SHA512

7c64d84e249e225eb2a3a5edc95f1748850b07726feb290146eebb51b40014611ca855242999d532febdeacd7be0d6db0686125951306db7e3fe8b8fe9e2bed1
SSDEEP

1536:Kefw4qlNMAeBBiZxDRDqOShNdF1cRdK4L7mHioQV+/eCeyvCQ:JOlNleBBEx8OaN1zk7mHrk+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkmefd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihbijhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe

Executes dropped EXE 64 IoCs

pid	Process
1296	Hmabdibj.exe
1764	Hbnjmp32.exe
2408	Hihbijhn.exe
4612	Hobkfd32.exe
2988	Hbpgbo32.exe
4232	Hkikkeeo.exe
2132	Hfnphn32.exe
4248	Hkkhqd32.exe
4980	Hfqlnm32.exe
3260	Hkmefd32.exe
948	Iefioj32.exe
4032	Ikpaldog.exe
852	Ibjjhn32.exe
3692	Icifbang.exe
3700	Imakkfdg.exe
5004	Ifjodl32.exe
1356	Ipbdmaah.exe
1796	Ilidbbgl.exe
1484	Jeaikh32.exe
3168	Jpgmha32.exe
456	Jioaqfcc.exe
4588	Jbhfjljd.exe
4036	Jbjcolha.exe
4412	Jlbgha32.exe
1872	Jfhlejnh.exe
3428	Jmbdbd32.exe
1588	Kmdqgd32.exe
4528	Kdnidn32.exe
1620	Kikame32.exe
4384	Kfoafi32.exe
5088	Kimnbd32.exe
4672	Kdcbom32.exe
4440	Kmkfhc32.exe
1856	Kbhoqj32.exe
3760	Kibgmdcn.exe
3872	Kplpjn32.exe
472	Lbjlfi32.exe
3216	Lmppcbjd.exe
3748	Ldjhpl32.exe
1132	Ligqhc32.exe
1868	Ldleel32.exe
3636	Lfkaag32.exe
3832	Lmdina32.exe
1108	Ldoaklml.exe
1384	Lmgfda32.exe
376	Lbdolh32.exe
1092	Lingibiq.exe
2940	Mdckfk32.exe
2900	Medgncoe.exe
4468	Mgddhf32.exe
1708	Mlampmdo.exe
3328	Mdhdajea.exe
2172	Mlcifmbl.exe
3412	Mcmabg32.exe
4320	Migjoaaf.exe
2200	Mdmnlj32.exe
2696	Menjdbgj.exe
1364	Mlhbal32.exe
1784	Ngmgne32.exe
3612	Nljofl32.exe
2868	Npmagine.exe
3836	Nggjdc32.exe
3568	Olcbmj32.exe
856	Ogifjcdp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eheqhpfp.dll	Iefioj32.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Migjoaaf.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kdcbom32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Enoogcin.dll	Hkikkeeo.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Jeaikh32.exe	Ilidbbgl.exe
File created	C:\Windows\SysWOW64\Abckpb32.dll	Jeaikh32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Hbpgbo32.exe	Hobkfd32.exe
File created	C:\Windows\SysWOW64\Keblci32.dll	Ikpaldog.exe
File created	C:\Windows\SysWOW64\Nmpmkplp.dll	Jioaqfcc.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jioaqfcc.exe	Jpgmha32.exe
File opened for modification	C:\Windows\SysWOW64\Jioaqfcc.exe	Jpgmha32.exe
File created	C:\Windows\SysWOW64\Lmppcbjd.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Pacghh32.dll	Ifjodl32.exe
File created	C:\Windows\SysWOW64\Kimnbd32.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Hihbijhn.exe	Hbnjmp32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Kikame32.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Kmdqgd32.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cndikf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5240	6136	WerFault.exe	218

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icifbang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacghh32.dll"	Ifjodl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkkhqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkikkeeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllifblf.dll"	Jpgmha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilidbbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dammlf32.dll"	Hbpgbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imakkfdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jioaqfcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfqlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll"	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 1296	3624	40bd30251cdcb088457bb6f88734fac3aaf7fe98f533109e59195f0826c04315.exe	84
PID 3624 wrote to memory of 1296	3624	40bd30251cdcb088457bb6f88734fac3aaf7fe98f533109e59195f0826c04315.exe	84
PID 3624 wrote to memory of 1296	3624	40bd30251cdcb088457bb6f88734fac3aaf7fe98f533109e59195f0826c04315.exe	84
PID 1296 wrote to memory of 1764	1296	Hmabdibj.exe	85
PID 1296 wrote to memory of 1764	1296	Hmabdibj.exe	85
PID 1296 wrote to memory of 1764	1296	Hmabdibj.exe	85
PID 1764 wrote to memory of 2408	1764	Hbnjmp32.exe	86
PID 1764 wrote to memory of 2408	1764	Hbnjmp32.exe	86
PID 1764 wrote to memory of 2408	1764	Hbnjmp32.exe	86
PID 2408 wrote to memory of 4612	2408	Hihbijhn.exe	87
PID 2408 wrote to memory of 4612	2408	Hihbijhn.exe	87
PID 2408 wrote to memory of 4612	2408	Hihbijhn.exe	87
PID 4612 wrote to memory of 2988	4612	Hobkfd32.exe	88
PID 4612 wrote to memory of 2988	4612	Hobkfd32.exe	88
PID 4612 wrote to memory of 2988	4612	Hobkfd32.exe	88
PID 2988 wrote to memory of 4232	2988	Hbpgbo32.exe	89
PID 2988 wrote to memory of 4232	2988	Hbpgbo32.exe	89
PID 2988 wrote to memory of 4232	2988	Hbpgbo32.exe	89
PID 4232 wrote to memory of 2132	4232	Hkikkeeo.exe	90
PID 4232 wrote to memory of 2132	4232	Hkikkeeo.exe	90
PID 4232 wrote to memory of 2132	4232	Hkikkeeo.exe	90
PID 2132 wrote to memory of 4248	2132	Hfnphn32.exe	91
PID 2132 wrote to memory of 4248	2132	Hfnphn32.exe	91
PID 2132 wrote to memory of 4248	2132	Hfnphn32.exe	91
PID 4248 wrote to memory of 4980	4248	Hkkhqd32.exe	92
PID 4248 wrote to memory of 4980	4248	Hkkhqd32.exe	92
PID 4248 wrote to memory of 4980	4248	Hkkhqd32.exe	92
PID 4980 wrote to memory of 3260	4980	Hfqlnm32.exe	93
PID 4980 wrote to memory of 3260	4980	Hfqlnm32.exe	93
PID 4980 wrote to memory of 3260	4980	Hfqlnm32.exe	93
PID 3260 wrote to memory of 948	3260	Hkmefd32.exe	95
PID 3260 wrote to memory of 948	3260	Hkmefd32.exe	95
PID 3260 wrote to memory of 948	3260	Hkmefd32.exe	95
PID 948 wrote to memory of 4032	948	Iefioj32.exe	96
PID 948 wrote to memory of 4032	948	Iefioj32.exe	96
PID 948 wrote to memory of 4032	948	Iefioj32.exe	96
PID 4032 wrote to memory of 852	4032	Ikpaldog.exe	97
PID 4032 wrote to memory of 852	4032	Ikpaldog.exe	97
PID 4032 wrote to memory of 852	4032	Ikpaldog.exe	97
PID 852 wrote to memory of 3692	852	Ibjjhn32.exe	98
PID 852 wrote to memory of 3692	852	Ibjjhn32.exe	98
PID 852 wrote to memory of 3692	852	Ibjjhn32.exe	98
PID 3692 wrote to memory of 3700	3692	Icifbang.exe	99
PID 3692 wrote to memory of 3700	3692	Icifbang.exe	99
PID 3692 wrote to memory of 3700	3692	Icifbang.exe	99
PID 3700 wrote to memory of 5004	3700	Imakkfdg.exe	100
PID 3700 wrote to memory of 5004	3700	Imakkfdg.exe	100
PID 3700 wrote to memory of 5004	3700	Imakkfdg.exe	100
PID 5004 wrote to memory of 1356	5004	Ifjodl32.exe	101
PID 5004 wrote to memory of 1356	5004	Ifjodl32.exe	101
PID 5004 wrote to memory of 1356	5004	Ifjodl32.exe	101
PID 1356 wrote to memory of 1796	1356	Ipbdmaah.exe	102
PID 1356 wrote to memory of 1796	1356	Ipbdmaah.exe	102
PID 1356 wrote to memory of 1796	1356	Ipbdmaah.exe	102
PID 1796 wrote to memory of 1484	1796	Ilidbbgl.exe	103
PID 1796 wrote to memory of 1484	1796	Ilidbbgl.exe	103
PID 1796 wrote to memory of 1484	1796	Ilidbbgl.exe	103
PID 1484 wrote to memory of 3168	1484	Jeaikh32.exe	104
PID 1484 wrote to memory of 3168	1484	Jeaikh32.exe	104
PID 1484 wrote to memory of 3168	1484	Jeaikh32.exe	104
PID 3168 wrote to memory of 456	3168	Jpgmha32.exe	105
PID 3168 wrote to memory of 456	3168	Jpgmha32.exe	105
PID 3168 wrote to memory of 456	3168	Jpgmha32.exe	105
PID 456 wrote to memory of 4588	456	Jioaqfcc.exe	106

C:\Users\Admin\AppData\Local\Temp\40bd30251cdcb088457bb6f88734fac3aaf7fe98f533109e59195f0826c04315.exe
"C:\Users\Admin\AppData\Local\Temp\40bd30251cdcb088457bb6f88734fac3aaf7fe98f533109e59195f0826c04315.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\SysWOW64\Hmabdibj.exe
  C:\Windows\system32\Hmabdibj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\Hbnjmp32.exe
    C:\Windows\system32\Hbnjmp32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\Hihbijhn.exe
      C:\Windows\system32\Hihbijhn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4612
      - C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        24⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        28⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        30⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        32⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        37⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:472
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        46⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        48⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        49⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        53⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        66⤵
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        69⤵
        
        PID:320
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        70⤵
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        71⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        72⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        76⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        77⤵
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        78⤵
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        80⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:520
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        83⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4856
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        88⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        89⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        95⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        98⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        99⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        103⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        105⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        107⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        108⤵
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        109⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        114⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        116⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        118⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        119⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        125⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        126⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        132⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 400
        133⤵
        Program crash
        
        PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6136 -ip 6136
1⤵
PID:5148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagflcje.exe

Filesize
76KB

MD5
b6b472f5c3526afd85f2337beba2e171

SHA1
9716173fee625a0fe957100e6639b468b309fa16

SHA256
b77b55ee46247437118214758a031ee3da0082bff3e0ec551b98b4f2aab054ff

SHA512
bc84a5c1a3750a5ae16b560ad045010068bcb470491f5c48d7cd7942863d7bddcad5a9c9e458dd4ba5fa3b0ed9c1cec9f6eb00d843b85f0f504653cc47d863cf

Download Submit
C:\Windows\SysWOW64\Hbnjmp32.exe

Filesize
76KB

MD5
30078266c0fd634a4e8c2683222ca9e2

SHA1
60106c7d626a7a0b76664dcbb46a16668e6c847f

SHA256
e40b679d63bf49cafa4fc1e30c8b4cf8441bd1233fc9e2f1ef430306e940fa5c

SHA512
e62002de950ee80c8acd8df3c7a015f031f67ea074aee39d2194105ffa695f458c9b7492d01077b09bb031c4357a6da0c05204472a0252b699a420c8b1e6c95f

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
76KB

MD5
7953dcc59e2278a086490b49077743f4

SHA1
4ce7a61a34f64d42c6b7c16a9254b7d0bee043ce

SHA256
129e4ae0a75958d7aa09fb64104a42ec8bf0a5873f2a3f4d4042a4ce8b740fba

SHA512
e24a65b1fd299f25ea8c958d42aa81107c02c4e52069f422db754dff4214260b365a4a75df8b8b2157aefc4027324ae9f04a08dff57f1cf62fa21c3297a13d7d

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
76KB

MD5
ed1a31bc25d93cd3a562b15bc559f467

SHA1
0b54ee9d2331ccac59458df69335fdb5b162bfa7

SHA256
d8531ea198f29023abe949dc1a78a01d3bbc71cd42148dc99bd793d9d9925229

SHA512
c31c1881ecd923127a31ed937c2ac9aa824999750581b15e2ffc1d3946ac8f1fb9aac7104733a6e8154fe5a7b0807438233b8d8956754c58c3fc71c8afbe05cf

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
76KB

MD5
bce4d8df2dca54bce39de733fcf7bfb8

SHA1
f91bb582552c0b9e3bbfdfad8bc27a4a219c8f97

SHA256
9cdb90c5e4c5a02756b2235af95ffce40e087e14054fed9cb6b033a50434f2f8

SHA512
84960173e404d8d28e75930d3143e752291b2b728da2faa2f64b1dcdf42a1de021b2b6358105facebc959f98481e85b93b376f896ee5c83d5f1b4ac6914aa6cf

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
76KB

MD5
6ea0b83124a50d1e77d9059bd653138d

SHA1
7cf3815452f08cbe2fb0c3bb72ed1045c8b55458

SHA256
ee6158dd54d9ead0dd22a3984147c799a1d321dc6cfdb3d2036f7fab0cae9dc1

SHA512
ff6caaedaba00de7334d0c168b158c71992ceffc553b118f37b943e36ab9ec6ff981e747318e756158d69af3f5eeba1f3447d0a4693548371b2179b28ffa69fc

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
76KB

MD5
66f0a1180eb767d8a1600f8520870be8

SHA1
dad643bc1580370e0f7cd12e4a70041f3358e0dd

SHA256
850fe0929a9cba1367e99c00e0c6e92d2607f1668592ac420d14bab570191396

SHA512
4a68044a79e1debf7fe980d057c6333bac3c36323654a5055db34e3d357e04ff380cb15b4738457b96f825c0926f59be7fe530557201b12668c44f3b846441c6

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
76KB

MD5
9fdcaa79ddc56782750ddca96589c56e

SHA1
171d8e7b63862a0f8c2285d49235bd97ce436e20

SHA256
3f2f81f463ce7213fccb65a4d086c8c020d2245cc0c805e010975533c2d2535f

SHA512
f59f9c8b77895c1ad0b0dc81ef7f124a47e551f0108bf2dadb68c6e1c103a45bf82616faa9ef51d9d1e6e3643af71834ca04dd6bf7ac4f6033eb657d28a12d75

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
76KB

MD5
5d7a2180e54e6fef5e834d1972148d4f

SHA1
e12d41e00c1b7668606abf3d98c2b81e4d6b9d0c

SHA256
9e8f24c9293d9323a8f7d23ff37397d73eeabeb1fa6215fa1798de29e11ac6bb

SHA512
329e63b1a06e423acaf8e810660cf3b5c2151612cb42031b2b691c65725c96d2e939eb663ad524839c8e23cea744a2dfc099a0162174a7ac469c2a8629375c3e

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
76KB

MD5
28d9e31c2fcc39d3ce088b40eb33ac91

SHA1
bf622667aeb152bf00cecfbf1b757e9b4d27a6cd

SHA256
81a03e6c26fa4eeb7a3e6d740f142c6d5d8c2fe84d1e1da3ae77c6e73dbca039

SHA512
d4641df0e59acc5b2e9ec2322f990e6627e6f710a8114391efd41244f5f261972c2c3ae3051c5eff6357b6443f7f9f21d527beff14b1d66fbaf3d578ffcc8688

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
76KB

MD5
347e401d392c585bd8f1f2c2de410d12

SHA1
da9247b12d9094a77f6567682772de1324955d69

SHA256
c25cabf1994b2b14678426456a08a1d5c9b142a848b25832b4208b28a845bd9e

SHA512
74a0580f0bdf351de29b2a0baea9b3ede08dbbe3abf3f4e75a3bc43bd44545b506d996641067cb17405bbb18681df0aa2313699bcb81689200f2c430712eedda

Download Submit
C:\Windows\SysWOW64\Ibjjhn32.exe

Filesize
76KB

MD5
3864fd6e24ba496e4114c8c2bc593a9b

SHA1
07b5ba39d3d809dfc03d6f1073eb8fef99838472

SHA256
f9c5a4a3a946a024ca70454f08fb6423554d9b773ef74ee9a6cbaec504659b4c

SHA512
8edebd9c705e015993bd0a90276bffad58eb97fd257f635067ba310627089e915674dcecb9cfcb1ff15a4f406c8b75c8eccd46bb7948d7364faf44c10d17739d

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
76KB

MD5
cb9652911b042a544b69181c3530ebd0

SHA1
bba2a224247634456649771cf0e68702d85f1502

SHA256
d1ddd2b2cdc8e0881341824348e1f1809b2f3721a2cee5a0edfdb4c3de62fdf4

SHA512
5d53da4cb8536e3005a83f2c87aaeb847dad426decab4e9ec1c4c222cd3d00da7d00e2b0717dd61ce0a055e9c59b10e7539773bcfb872d45cab3fcbee022443f

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
76KB

MD5
d549f7906eed8ee4e81dafde6085ab95

SHA1
2df5126cc6190c2016138b0a942b76df0466fb1b

SHA256
54442cd3554560c08b6afa561d6ada3fec1daf87d234368cbe300fdcb7a64059

SHA512
3f0b856d102e5215218110045badef8382f34eeb8f01a8382a6d28313316819d033d7252a015399d6e512feed9b8084ef8d51c01a39fa7e8f77ce517d18c7d57

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
76KB

MD5
d5ff7d0e601a6317a782eb761cc68b89

SHA1
698d5782f4df7646ba0dcfba98ec6e8ed0df2533

SHA256
a5806aa5078e2b5d0c70a6f47dea7cd6a1fdf7f7ea77070b1ca3a013be54454c

SHA512
3ef626a996a786cc61b3caf7432a3480da4c748d2d5ea058022972dc4f099f4833f2420b12e266d14f310e2e73966467d5aaae000d5423cb0ad23035631b281a

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
76KB

MD5
c9689e01cc8e720ff77ca7777c92f5df

SHA1
0e87d1de898b1708640f3688fbfca4238f0c33b5

SHA256
69162471a388e244933b7c1c8425f3bf4a2ec6656e1494a8776937bab0b02a7a

SHA512
20b7cda0e501f930968ea1f31bc03e6d6d0a8df3cd789d505f944fd9c62d85fe703c8729c6ad8524ef9eac0e29348c8714f7ef519e323d730dfb1c39d7d9e233

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
76KB

MD5
4bf07dc92cf9a0100f5cb67075ef5871

SHA1
c462579b0d355ce2dadb05c93d656fb4cf89a26f

SHA256
9189d944336f40da572ad0fcc04ffcbe42e33a3ae84429f1ba5b2afb8095768b

SHA512
d4f23b81953c695652a13e3dd009a254b4e005a1c6038ee9c6cbf375fd29ee110cf3a2eb71a17acbc59eaacb686724b15efd184f653f9b4fadb051812e956e3d

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
76KB

MD5
820ae1b210b7d4b55e64f16ca03da7b3

SHA1
838c7a5a8e0ccbdc13169a4b4b8a7ca5f9183350

SHA256
8b759f0c00bef5d9d35667ca7b644f9c46be02f4ec4f026eb2c23b4c3cc6f1ec

SHA512
cf99295786e6908026f244ed4bc24df8a30d0255ac7e5d1007865049b9cc191f1fc138f7b2a750e7182a92cbcaea8a3cb1a2952e77176592508f4b3fce3cc78f

Download Submit
C:\Windows\SysWOW64\Ipbdmaah.exe

Filesize
76KB

MD5
98cab88ced0274195e0f445cfeef296f

SHA1
6ff4627900916cd54c9a1262a73a1d3c2236b8dd

SHA256
04823601ea82071cf58f4738220cda6e22f90b8e523be236ad590ea232de08e2

SHA512
224599f756da6bbcef5274ccb19e97f23867be440983856051b6953ecaeb0f95daf89589ee82d21b3cecdcc23b792e3191c1f480590f0f27f95660578b63ffd1

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
76KB

MD5
5e46ccbb65078973de91eac26a8fefd5

SHA1
4dc4e1f3d9d1c236dd24a2adebd53fefba516ea4

SHA256
aa23e05085bf8bbd832e0d2bbfb79e980a28f51330033b16a058f29f3bc7e1b2

SHA512
84552c5ea8cc163c9516df525c420b09b48e0be1b4dec9daf1ff274714e7c8839a0b771c4dc371dccdd1402079e0d395f4abe090e453e6d0fb57690862eaa0a3

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
76KB

MD5
55e758b9a1b23e43c7c3c033e2ceb701

SHA1
db4f458ec0b5afa0fd8483908bf7592135778f00

SHA256
5b66b251da5e5cce380e6b1945cfff127b38799e242729af22a2c1b42081db5e

SHA512
7e5845cef50d69c5e2b588ff2c71f73fa76101fb5b7edf42d57d3a490cef6c6a50c2637ccdd53cc76c5fa31913c941d9a98948999a657c542c94411e250d6b27

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
76KB

MD5
4db5551df2b176cca4265a5547c36062

SHA1
29fab70ed7fe6e406294597b59ad4fd1d1911a7f

SHA256
62ae33d7ad287d5202f3b8381593a3ec5ee5627994d129b1cf29ff462e761604

SHA512
c381adba2f9ebb752fc4f1a3d7b632ca334c716805ed17e74fddbb3f728d233cf0bd5fef1b9540daab22749e3a203632a207177531644324103787ce3d55b49e

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
76KB

MD5
3204537796bff1216dd3c223355fcb67

SHA1
471f8dd2e5dde75fb9adcf28d6972cdca63a92dc

SHA256
d187ab02ccc54734168c17b9b72f4b4e8831949e26dcdad927ca1b5c8f78de66

SHA512
7aa59787e9cfa82fa0748fbf0a340b9664a3f425a3606e6164b6e3ce7a7abaa6146d3f0e60385cc2dcb3babd3e6092a092e9173dff7786885da2ba5221446ac7

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
76KB

MD5
cb32ff4865ff051940d015630c3002be

SHA1
202daa8e783fa2632a5e71ec224ab28ffb6bdd9d

SHA256
6eff33895f9c521b380530766580aa701d4fd107dfa66b6f1087520a1e9bf75d

SHA512
431a1db94dd814b3710b9e2765fdaf5ae7a9d812db9117292720ae12cc3339827cc44955fa280d831fb2d1dacaf314956dbe37d8e7bf0df656a4752048bc9715

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
76KB

MD5
e5a01928eb7aeb2bd770a9f8d7a6c345

SHA1
b6940d6b5e3a512e4ed8b4557b19b0cfd727a8a9

SHA256
ef7c3fdc129de31028880950b2c346dfc36550f7289042c743474c2461e1552d

SHA512
9e9cd4814528acbc9ff62de746beca8c4eac81435bff6a216efabe1ee1aaa78053d030128788944e59a9c0afa7c50f452a082abaf1d88856c34942c78dfb830a

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
76KB

MD5
93d2b362b39c56a528bfe0c02237610b

SHA1
d25da2101c3d9b8e1de3d5c9fe9cda69d1e0f6ba

SHA256
1b56952bf4f302401f8b7af1fee70e95b323a8b46e28a63b4d5cdc5697074909

SHA512
d7910ae56fc4161fbb29bf071dfd809ccfa15b3c0d713b11f4a51721992c9a3e3842be8bb05da8f194e0c2aa844f3e4d43b7bdd502f62a4a2ac119b1af6e47ac

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
76KB

MD5
24dd5b3f53a18be92b240daaa5aebbd9

SHA1
49a1bf92f75ce6a0c1fd2ac44fc45ed740f8e2cd

SHA256
93b223015b3fa31d892e1063f637cb9fdda18289c0834eabfe053e13744369a6

SHA512
850ea7b6ff6705dbe8e9d4b6bd0e583418e394ebf163473a33bbcc005f7b7b5ce1c34bb59c87f8b68593f18d218e62d40d71c70522246b432bb13f95b15d1f28

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
76KB

MD5
eafc82507bf4e4c8786c23711750c953

SHA1
6e09eacedbf8749172ca65a0427b2224abb0fd58

SHA256
7e959d152406cc308b48cc96ab8aa0116a2ac0bf52ee9ec649601c2e2f177d48

SHA512
2a55fb1380be5a1a707bcc91a82b895f9181e79315c4c002c5ff051a305012c02f0061efa5636f51cf9e50775d8ef2728e6b02c8c1a4f6702b5e007ea04301d1

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
76KB

MD5
dd08ffad0499549ed4b075270626b87e

SHA1
081a04ca27390f5ab686bb642927a8bd0ff2c119

SHA256
d972a6bb2a231715152343cd4ad249e036b93cee155384ccfb2c143d23806b15

SHA512
e01bbd8b65b591dc84c126ed67e0d6db8a5b53e348095a2452c58675ef14e30f66ec83ebaedd10d5fbf0a5b835a5f7cfc3cc4951cd9697c6386d489e1db8591c

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
76KB

MD5
305988ed06d49837e2c0b9a0890d59cb

SHA1
592eb9817056192fddba1275dbda25a3d1f551d9

SHA256
5be481ba26beda1f86f942c9bb8fbadf87efdcd95b5adf3809f0521c8edfc40c

SHA512
475814e43331ed62ad80ba5cd258f48afde06826cec4d53d7377bcc878a577934599e1f2849c893937708e3de9c04d739a9ab69785291303fb5907b53f20d6d5

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
76KB

MD5
74c3cd6ecde02bf0e9b9cec4924723a7

SHA1
6c74120ea13bc82f5be2a4dfc51b55b8b07d1191

SHA256
806bb59981c0f53b7c8fd739d0ba224271f8d92edead2faf3591fd7c17ef897b

SHA512
494151182348a102b959166e90ac1a40ba391c613663509af36a4fcf56649ed1c61afae56ae14d3541a21a51362ed04b07f7e0e00bf0e58a31edea31805135fb

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
76KB

MD5
7d3f076f78b376e58dd8b6de2baf2bb8

SHA1
427e8fb55bed0c14a4997cd86b236ac629bf8f8e

SHA256
da835d42946a576162427759bfb9ba67b1daf4066cada698e8f491aaf76d23da

SHA512
89b4cd74706271474b6e3c0458a06ed7eefaf5bbf802f65c0ee4433797b9d39705bc9f3297deef7cd3d06ced6d733d33f78caa0f74957cc0af41f102cee56297

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
76KB

MD5
0b6eaafcdaf595b5116a9246c3243c38

SHA1
b4c9f29be4d23bfa6ad6c2d78127f14950693483

SHA256
f8aecff7109c8e1b27a1833feada38d11ea37e8bed465a918b0150e822b0760d

SHA512
8782bed96401dfb831a9fb8977abacb5f481fc5c5047993e3c32f233b32b52a90a00a6f3a5dcd339176586c6278892be76256518fa444ff9ca1c578e2cd9405f

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
76KB

MD5
c6279491b92cc05f5b627a390526124c

SHA1
917d215eab4fcfbc58fa9c94c3fbf30bb29e98bb

SHA256
2be8cbe6f1c8e84c05f18d3d4c13b8f9dbe6d80acc6d9fd56a5498484c8fd0c1

SHA512
41dba7869ddb966b2de95563c4025a1cc1cbfaad4e0cca27f8b52a08092d79d123d443a1f59954ec80048f320803b579e5f4eaa36e44473896292c00728e9c28

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
76KB

MD5
085e410d7c8c88f95b88d0d571732c64

SHA1
e48bb1f57ed57e9a57c61f63b2b473b3fc497ba6

SHA256
58319dc346625cb1a95a8009f98621bafd77ef2903091fe493c06137ca3575c5

SHA512
ca893ee2dd8cc3fe4699d021157ed80374bea87950720cd80565094c116fa7a179e69e8d5cb8a5d04edbfee31cc098e9b5dce8b69c0c77c568aa470088c0ad31

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
76KB

MD5
e6958ea85075c9640dfa37453ae53d77

SHA1
5db240ca8d26fd3fddfac70c1bfd9c8237b4e0bd

SHA256
65ee088f4267cdab5835749433974933260821035003c39d9eeeb81f0cdf1ef2

SHA512
57b52ec6238c01376f65d18d5d52878c377a31822575f005cc3165dd2c9971dc39e904ea5f9fa2a882749d0733ddbea6ac921e49eaf004872d9f410d5b2a2e8e

Download Submit
memory/376-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/472-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/852-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1108-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1296-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1364-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1784-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1872-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2940-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3260-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3328-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3636-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3692-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3748-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3832-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4232-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4248-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4384-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4612-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads