75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6

Analysis

max time kernel
93s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
Size

304KB
MD5

06304306b33795315e48a4530158f2a7
SHA1

64446ab24d7728a2cc285f1cc749d172c207e75b
SHA256

75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6
SHA512

4c2509dd3e91c5dad6ab8fd42ce54cde96315d458a236932cf4b6284a3afe1726ace214282ee64d6e8356b1e6f2ad33c5053b32759f44c3f309e1e8e2d5e2588
SSDEEP

3072:cnyQHiQW74FeGeDM1IRwMkUIunCaRdelrOyX6gu+tAcrbFAJc+RsUi1aVDkOvhJN:cyaarMNxunXe8yhrtMsQBvli+RQFdq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpacfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Behiln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qbggce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bifbbllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dadlclim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cibank32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagiil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Alkkhi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boegpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behiln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Epopgbia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epopgbia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bockjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe

Executes dropped EXE 64 IoCs

pid	Process
940	Plkbak32.exe
4336	Pbekne32.exe
1176	Pecgja32.exe
4924	Plmogkoe.exe
2752	Qbggce32.exe
4152	Qhdpll32.exe
1352	Qpkhmi32.exe
4372	Qbjdiedp.exe
3472	Albibj32.exe
1964	Ablaodbm.exe
2884	Ahiigkqd.exe
3268	Appahiag.exe
2504	Abnnddpj.exe
1568	Aihfanhg.exe
1252	Algbmjgk.exe
4688	Abqjjd32.exe
872	Aeoffo32.exe
3116	Ahncbk32.exe
3172	Apekch32.exe
4092	Aimoln32.exe
2212	Alkkhi32.exe
3148	Bpidngil.exe
3560	Bakqfp32.exe
4504	Booaodnd.exe
3284	Behiln32.exe
3092	Blbaihmn.exe
1596	Bbljeb32.exe
4556	Bifbbllg.exe
3632	Bockjc32.exe
3884	Bhlocipo.exe
2772	Boegpc32.exe
1072	Bikkml32.exe
4660	Cpedjf32.exe
4332	Cakjmm32.exe
3624	Cibank32.exe
4188	Clqnjf32.exe
3948	Cpljkdig.exe
3704	Ccjfgphj.exe
2124	Ceibclgn.exe
4236	Chgoogfa.exe
1164	Ccmclp32.exe
888	Capchmmb.exe
4888	Cekohk32.exe
432	Dhjkdg32.exe
524	Dpacfd32.exe
4996	Doccaall.exe
3872	Diihojkb.exe
800	Dcalgo32.exe
528	Dadlclim.exe
2920	Dagiil32.exe
316	Debeijoc.exe
3488	Dphifcoi.exe
3008	Dcfebonm.exe
624	Dfdbojmq.exe
2060	Dchbhn32.exe
4844	Dakbckbe.exe
3636	Ejbkehcg.exe
5080	Epmcab32.exe
4284	Eckonn32.exe
1364	Efikji32.exe
1804	Ejegjh32.exe
4492	Elccfc32.exe
3132	Epopgbia.exe
1992	Ecmlcmhe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cakjmm32.exe	Cpedjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Pbekne32.exe	Plkbak32.exe
File created	C:\Windows\SysWOW64\Eeglbd32.dll	Ablaodbm.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fmapha32.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Iifpphha.dll	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ebeejijj.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Opjeff32.dll	Bhlocipo.exe
File created	C:\Windows\SysWOW64\Doccaall.exe	Dpacfd32.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Aimoln32.exe	Apekch32.exe
File created	C:\Windows\SysWOW64\Boegpc32.exe	Bhlocipo.exe
File opened for modification	C:\Windows\SysWOW64\Ccjfgphj.exe	Cpljkdig.exe
File created	C:\Windows\SysWOW64\Elhmablc.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Fmapha32.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Goohek32.dll	Bpidngil.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Dphifcoi.exe	Debeijoc.exe
File created	C:\Windows\SysWOW64\Epmcab32.exe	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Eckonn32.exe	Epmcab32.exe
File opened for modification	C:\Windows\SysWOW64\Epopgbia.exe	Elccfc32.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Fjcclf32.exe	Ffggkgmk.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Aihfanhg.exe	Abnnddpj.exe
File created	C:\Windows\SysWOW64\Apekch32.exe	Ahncbk32.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Algbmjgk.exe	Aihfanhg.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fmficqpc.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7972	7920	WerFault.exe	305

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bikkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pecgja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inomojol.dll"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Plmogkoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfjlh32.dll"	Qbggce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpedjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cibank32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmljla32.dll"	Ccjfgphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qpkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpidngil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Blbaihmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkfba32.dll"	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omccgkde.dll"	Dagiil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Plkbak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikfoe32.dll"	Abnnddpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkcdcn32.dll"	Qbjdiedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Alkkhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmaid32.dll"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qhdpll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aimoln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdcae32.dll"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncfca32.dll"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Boegpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll"	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 940	2112	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe	85
PID 2112 wrote to memory of 940	2112	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe	85
PID 2112 wrote to memory of 940	2112	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe	85
PID 940 wrote to memory of 4336	940	Plkbak32.exe	86
PID 940 wrote to memory of 4336	940	Plkbak32.exe	86
PID 940 wrote to memory of 4336	940	Plkbak32.exe	86
PID 4336 wrote to memory of 1176	4336	Pbekne32.exe	87
PID 4336 wrote to memory of 1176	4336	Pbekne32.exe	87
PID 4336 wrote to memory of 1176	4336	Pbekne32.exe	87
PID 1176 wrote to memory of 4924	1176	Pecgja32.exe	88
PID 1176 wrote to memory of 4924	1176	Pecgja32.exe	88
PID 1176 wrote to memory of 4924	1176	Pecgja32.exe	88
PID 4924 wrote to memory of 2752	4924	Plmogkoe.exe	89
PID 4924 wrote to memory of 2752	4924	Plmogkoe.exe	89
PID 4924 wrote to memory of 2752	4924	Plmogkoe.exe	89
PID 2752 wrote to memory of 4152	2752	Qbggce32.exe	90
PID 2752 wrote to memory of 4152	2752	Qbggce32.exe	90
PID 2752 wrote to memory of 4152	2752	Qbggce32.exe	90
PID 4152 wrote to memory of 1352	4152	Qhdpll32.exe	91
PID 4152 wrote to memory of 1352	4152	Qhdpll32.exe	91
PID 4152 wrote to memory of 1352	4152	Qhdpll32.exe	91
PID 1352 wrote to memory of 4372	1352	Qpkhmi32.exe	92
PID 1352 wrote to memory of 4372	1352	Qpkhmi32.exe	92
PID 1352 wrote to memory of 4372	1352	Qpkhmi32.exe	92
PID 4372 wrote to memory of 3472	4372	Qbjdiedp.exe	93
PID 4372 wrote to memory of 3472	4372	Qbjdiedp.exe	93
PID 4372 wrote to memory of 3472	4372	Qbjdiedp.exe	93
PID 3472 wrote to memory of 1964	3472	Albibj32.exe	94
PID 3472 wrote to memory of 1964	3472	Albibj32.exe	94
PID 3472 wrote to memory of 1964	3472	Albibj32.exe	94
PID 1964 wrote to memory of 2884	1964	Ablaodbm.exe	95
PID 1964 wrote to memory of 2884	1964	Ablaodbm.exe	95
PID 1964 wrote to memory of 2884	1964	Ablaodbm.exe	95
PID 2884 wrote to memory of 3268	2884	Ahiigkqd.exe	96
PID 2884 wrote to memory of 3268	2884	Ahiigkqd.exe	96
PID 2884 wrote to memory of 3268	2884	Ahiigkqd.exe	96
PID 3268 wrote to memory of 2504	3268	Appahiag.exe	97
PID 3268 wrote to memory of 2504	3268	Appahiag.exe	97
PID 3268 wrote to memory of 2504	3268	Appahiag.exe	97
PID 2504 wrote to memory of 1568	2504	Abnnddpj.exe	99
PID 2504 wrote to memory of 1568	2504	Abnnddpj.exe	99
PID 2504 wrote to memory of 1568	2504	Abnnddpj.exe	99
PID 1568 wrote to memory of 1252	1568	Aihfanhg.exe	100
PID 1568 wrote to memory of 1252	1568	Aihfanhg.exe	100
PID 1568 wrote to memory of 1252	1568	Aihfanhg.exe	100
PID 1252 wrote to memory of 4688	1252	Algbmjgk.exe	101
PID 1252 wrote to memory of 4688	1252	Algbmjgk.exe	101
PID 1252 wrote to memory of 4688	1252	Algbmjgk.exe	101
PID 4688 wrote to memory of 872	4688	Abqjjd32.exe	102
PID 4688 wrote to memory of 872	4688	Abqjjd32.exe	102
PID 4688 wrote to memory of 872	4688	Abqjjd32.exe	102
PID 872 wrote to memory of 3116	872	Aeoffo32.exe	103
PID 872 wrote to memory of 3116	872	Aeoffo32.exe	103
PID 872 wrote to memory of 3116	872	Aeoffo32.exe	103
PID 3116 wrote to memory of 3172	3116	Ahncbk32.exe	104
PID 3116 wrote to memory of 3172	3116	Ahncbk32.exe	104
PID 3116 wrote to memory of 3172	3116	Ahncbk32.exe	104
PID 3172 wrote to memory of 4092	3172	Apekch32.exe	105
PID 3172 wrote to memory of 4092	3172	Apekch32.exe	105
PID 3172 wrote to memory of 4092	3172	Apekch32.exe	105
PID 4092 wrote to memory of 2212	4092	Aimoln32.exe	107
PID 4092 wrote to memory of 2212	4092	Aimoln32.exe	107
PID 4092 wrote to memory of 2212	4092	Aimoln32.exe	107
PID 2212 wrote to memory of 3148	2212	Alkkhi32.exe	108

C:\Users\Admin\AppData\Local\Temp\75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
"C:\Users\Admin\AppData\Local\Temp\75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\Plkbak32.exe
  C:\Windows\system32\Plkbak32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\Pbekne32.exe
    C:\Windows\system32\Pbekne32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\SysWOW64\Pecgja32.exe
      C:\Windows\system32\Pecgja32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1176
    - - C:\Windows\SysWOW64\Plmogkoe.exe
        
        C:\Windows\system32\Plmogkoe.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\SysWOW64\Qbggce32.exe
        
        C:\Windows\system32\Qbggce32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Qhdpll32.exe
        
        C:\Windows\system32\Qhdpll32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Qpkhmi32.exe
        
        C:\Windows\system32\Qpkhmi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Qbjdiedp.exe
        
        C:\Windows\system32\Qbjdiedp.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Albibj32.exe
        
        C:\Windows\system32\Albibj32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Ablaodbm.exe
        
        C:\Windows\system32\Ablaodbm.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Ahiigkqd.exe
        
        C:\Windows\system32\Ahiigkqd.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Appahiag.exe
        
        C:\Windows\system32\Appahiag.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Abnnddpj.exe
        
        C:\Windows\system32\Abnnddpj.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Aihfanhg.exe
        
        C:\Windows\system32\Aihfanhg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Algbmjgk.exe
        
        C:\Windows\system32\Algbmjgk.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Abqjjd32.exe
        
        C:\Windows\system32\Abqjjd32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Aeoffo32.exe
        
        C:\Windows\system32\Aeoffo32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Ahncbk32.exe
        
        C:\Windows\system32\Ahncbk32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Apekch32.exe
        
        C:\Windows\system32\Apekch32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Aimoln32.exe
        
        C:\Windows\system32\Aimoln32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Alkkhi32.exe
        
        C:\Windows\system32\Alkkhi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Bpidngil.exe
        
        C:\Windows\system32\Bpidngil.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Bakqfp32.exe
        
        C:\Windows\system32\Bakqfp32.exe
        24⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Booaodnd.exe
        
        C:\Windows\system32\Booaodnd.exe
        25⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Behiln32.exe
        
        C:\Windows\system32\Behiln32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\SysWOW64\Blbaihmn.exe
        
        C:\Windows\system32\Blbaihmn.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Bbljeb32.exe
        
        C:\Windows\system32\Bbljeb32.exe
        28⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Bifbbllg.exe
        
        C:\Windows\system32\Bifbbllg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Bhlocipo.exe
        
        C:\Windows\system32\Bhlocipo.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        35⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        37⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        40⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        41⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        42⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        43⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        44⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        45⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        47⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:800
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:528
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        53⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        56⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        57⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        62⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        65⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        66⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        67⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        68⤵
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        70⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        71⤵
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        72⤵
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        74⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        75⤵
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        77⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        78⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        79⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        80⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        81⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        85⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        91⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        93⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        95⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        97⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        98⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        99⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        100⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        101⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        102⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        103⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        104⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        105⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        108⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        109⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        112⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        116⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        120⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        123⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        127⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        130⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        131⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        132⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        133⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        134⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        135⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        136⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        137⤵
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        138⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        139⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6384
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        141⤵
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6476
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        143⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        144⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        145⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6636
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        147⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        150⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        152⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        154⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7012
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        156⤵
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        157⤵
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        159⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6260
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        162⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        163⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        167⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        169⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6920
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        172⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        173⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        174⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6256
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        176⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        177⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        178⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        179⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        180⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        181⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        182⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        183⤵
        Drops file in System32 directory
        
        PID:7164
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        184⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        185⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        186⤵
        Drops file in System32 directory
        
        PID:6668
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6860
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        188⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        189⤵
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        190⤵
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        191⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        192⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        193⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6964
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        195⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6676
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        198⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        199⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        200⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        201⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        202⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        203⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        204⤵
        Drops file in System32 directory
        
        PID:7436
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7472
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        206⤵
        Modifies registry class
        
        PID:7512
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7552
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        208⤵
        Modifies registry class
        
        PID:7596
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        209⤵
        Drops file in System32 directory
        
        PID:7632
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        210⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        211⤵
        Drops file in System32 directory
        
        PID:7716
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7760
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7796
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7840
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        215⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        216⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7920 -s 416
        217⤵
        Program crash
        
        PID:7972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7920 -ip 7920
1⤵
PID:7948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ablaodbm.exe

Filesize
304KB

MD5
9f870da13bb808f0c74143028423468b

SHA1
ea54c354414137de8c8691128909bb0c2e5e56cc

SHA256
35e9e5d37bc27730335f2cf15d5d2c3f7de4b688767f80fca3ab0ac4ba99a97b

SHA512
33f070fc92b8238dd214909f7430236999fe9b19ce46979b17488690708df512e4a872baf2b6603a24b71eede4e0de6ce28c657ac8a3da9dd91652077bddbb02

Download Submit
C:\Windows\SysWOW64\Abnnddpj.exe

Filesize
304KB

MD5
aa290c0343eab430a645d9f506ad2e17

SHA1
6fc5455cfbef673031e9b7275a5eb4885dbd0449

SHA256
49258d9787402018d950b7fd38c02adae11215a1be87bad2a4f647404648ea93

SHA512
a6125c5a078ea79e8708335be47b146d87642bce701534284bcc8242803e780ae2af131b045f29b555121aef62414b9307759efa6c8ac4e16a1f7b815868a8e0

Download Submit
C:\Windows\SysWOW64\Abqjjd32.exe

Filesize
304KB

MD5
1d93cef655ac503f408d7646c6e9cc81

SHA1
96d1ba8eece81d572da3478f00014fc540b8ff0c

SHA256
e4ffc785a2298c54eec341989e9f0034ff0ca497f15254e9b4ab4ecb50a02e46

SHA512
5d5ff136fb76d7813e15df56a8831053e65ece6a74e5b2f010dc38466742230e01d537b854ae5d011e89c4b9021a888c6dda1a88dc7d4856b8bac4753bfd58fd

Download Submit
C:\Windows\SysWOW64\Aeoffo32.exe

Filesize
304KB

MD5
97dffff1bce62c0463a45d1835a04571

SHA1
80e7f8d9234d31cc7e2602ee9b2238309d169e5e

SHA256
046169d624f00375922d990e59e0aa9d7b2d73363110e61075b6d35ec92080ac

SHA512
18c2dbb265ce49bca036caa6bb0bbf1a8f03127f7e24ade279534cede234a8e68cdfab9df04e26910758f3ad4b1bcdd3e52bd96c78004c1df2c1248254988adb

Download Submit
C:\Windows\SysWOW64\Afeghb32.dll

Filesize
7KB

MD5
e1c99ffd1c46f7f0c9fcd7a644c8f07e

SHA1
1ef5b7f8ac4adb478357717252527ea6d658235f

SHA256
3090d2181b7baa6f7e247e34d7039ceae3ca5121ab546f5de6a08e3e02f80648

SHA512
3176e2006d704cf231a0ecab3c86823ec59155900f2a464ac5c9c21fc67cedac44c0571c7b68a177967b23cf9d9129ec12d450c7b09f4c760713eb3a5de454fa

Download Submit
C:\Windows\SysWOW64\Ahiigkqd.exe

Filesize
304KB

MD5
d67eb49c2978afc26d8a99d802aadf9e

SHA1
e46e7507e8fab5c09e4d4067399b409d8cb27bc3

SHA256
c6824537cd0bd4e994cd8cf16266990db70205cbf5f4023c2e52b926dcff4c9a

SHA512
a454ddf3cfa123f8824668e11a20976eefed83ff1f4c8fdabb7f10065796dbd6693e04c9ff17690cd1be34cad3df7b719f6f711e753069bd2ce77a5117e7fb7d

Download Submit
C:\Windows\SysWOW64\Ahncbk32.exe

Filesize
304KB

MD5
caa64a607b4e9c3109e481db8158554b

SHA1
c2b86d4573d2166011ee182fb528c1a5a4c17d0c

SHA256
93f91fcf21bf87572d8e529653b5a3f0957ff285291612419b478964391d8c9b

SHA512
dac1d8a72d27da739d2c2c016e3371e48ad58ce1cc184720959f87034d9f032e99318439f302937754e658821657e648c7f5b6b13aee2e60ba10286edff53c63

Download Submit
C:\Windows\SysWOW64\Aihfanhg.exe

Filesize
304KB

MD5
909931a952d77f469f342f2dc78c5133

SHA1
97d61f346018684eed533a5d42a53b240bfb0b6e

SHA256
c0029d32b04f1aeaa350fd1bb4e1755b039150ec4a10583e634c0e0ac9ef2918

SHA512
8ca7e0216cb21f0834feb3bf065980fbf25107da626776ffa52303de7574151c0724ecd3ef7e112b9737462898eb9ec358d0ce4db24a45e407b6fbf752bf5cba

Download Submit
C:\Windows\SysWOW64\Aimoln32.exe

Filesize
304KB

MD5
07c939b1cb935c62cb3ee3a7295bff76

SHA1
024033ac676692906545e0f30dc3e2109af0064c

SHA256
3f00769e472e33bf587ced2469cb02de7d48ceb3376324fc6c99e2d52cbea900

SHA512
33356be3cf65176e18854e1f32b7b3fa6f09e4f16fc1ef7dba524ae8bb4267f0478e9113ea3fac88fd637a67d2ed8b53cdf48c576b01949847227c793242a0fa

Download Submit
C:\Windows\SysWOW64\Albibj32.exe

Filesize
304KB

MD5
1baf117602cb72a2f9ca1529a1a6f9c7

SHA1
c5eb2ea10359a42119f8ac71036c4304a9f5f328

SHA256
755891b57608eed0ebefc80ecc47f223d7f1a7d733a910c62cb20235b076069e

SHA512
47f7cdf6c6fbf1c32f9f3b81b1e2bb12c13e3243f5c6cb33252ad7f40e931b9e010535fdca561b5074ff4e1595c6c8ec094cba40c1d426ba1c92933d7089d05a

Download Submit
C:\Windows\SysWOW64\Algbmjgk.exe

Filesize
304KB

MD5
fa9336aef5b6d6b8b277129c36543c03

SHA1
3f13ce1d10f15bc11e82845ec8f62a9b08bcfcf8

SHA256
c9ce443dd876469699352560048ce9a06abc9547fd1d8d27ec61d92ae7c4d07c

SHA512
1ca1e14cf79b2b36aede4e20d3e8ac4a9858d8cc94a309436a57f24b687a737457c1038a50ddda3f8646b2ee6749c2ab5751090dea2f96b10840a1d98dc6c404

Download Submit
C:\Windows\SysWOW64\Alkkhi32.exe

Filesize
304KB

MD5
0f6386702ff7075a1b5606e4a87def03

SHA1
5c2e7a2d75a73b9408648c49a824961a71d49c63

SHA256
213b8ef6bdd4a310238d77f4a5eb94ebc3842c0906e960254815fb1b64545556

SHA512
63fa312c25709168062a7babc8367866e766bf57e678ba40f36197b9b97c6aed986bffde4cbd826839bd9df8979631958f3e828862186e0a771999d9750eee06

Download Submit
C:\Windows\SysWOW64\Apekch32.exe

Filesize
304KB

MD5
2a94f38d9a810d8da86807f593ea6b7b

SHA1
5731894ca6468740fe155650fce8aa78c7d5ab2b

SHA256
64e977eaa31cb776d756c621c4e0f8b2b866cf2d12b6f81dd9920c7958ef6612

SHA512
392b97ced9edbb94290d60531ed5f9089f9553ba0534dd2e9bc6b8c08c7c7b1360334552aea36e026ed66f5203e73ada6172210189bc0c28f37384739e9ad8c5

Download Submit
C:\Windows\SysWOW64\Appahiag.exe

Filesize
304KB

MD5
7562895ee42eabd5574893a0d1433a1d

SHA1
e4879c41c9b68bd4586350a7f2ba1fc2b508c938

SHA256
1831f6eac856861178044c8da1a516771f98a49ba54336e5c72a9f45a62f3217

SHA512
70c1fbd12104343392b06d6906e21395aaf67d57a95c16f80b6aafc0536848b7f5018f42ee93d6439f3b294d8bab0b605f39f4ac73c4787faba5d9bba129babe

Download Submit
C:\Windows\SysWOW64\Bakqfp32.exe

Filesize
304KB

MD5
5e0fa30dcae9b5e7daa6b71333308ce1

SHA1
c0ed328c10175911d316c9744517909a9263240d

SHA256
f2ff7d71378c3e69b0a3c892dfd07ee2cfe951b81f6ee3cd3770efc3ff0acbcf

SHA512
5b912f37f40fbbbd7767ef8e62519e4310453e05b2bf9f17fd5fd98dcd66ac8d78b8c24bd8cab4de914cd0aa97faaebb3b6a23dc772c95c31d614d1a75c8c337

Download Submit
C:\Windows\SysWOW64\Bbljeb32.exe

Filesize
304KB

MD5
603f917776694637da26348d48de5c5d

SHA1
51ab535fe013c803daef6a2deaa79b00d32c54ba

SHA256
ffd06c6a7c900692701ac507fd7f538b31fcce0845b2438ed7185d96f42465a1

SHA512
380e6cef3a16a39763eca914030282dd4f91bb054e5ece4aeaf4a6c3c4de8f98486cba6dc8d1a0daae1f662abed68e6438a31df182387ea3b9b0e3531b1cccee

Download Submit
C:\Windows\SysWOW64\Behiln32.exe

Filesize
304KB

MD5
f51f1b6b6b416cb42b32edc3773250b9

SHA1
384933bdfaf1cce8d3d9f18d3acc4406a98a197e

SHA256
da6ad00ac9cd9218aceff88654ac25477b809472bbd5d95d8364e9ee244c7090

SHA512
ff55277772f96e5126a593f8d846d397bca0cf62084a3059de20e756bb7d618a692b279d583546865b3268e93a1ff90abf7a94523a67b320a42a700cdaaac431

Download Submit
C:\Windows\SysWOW64\Bhlocipo.exe

Filesize
304KB

MD5
b6fcacd4bca765c4e73a0516c5063088

SHA1
7a2724c5f1e545b83613a6b47303bbc4220e88d2

SHA256
1e8c80b61d291167f90e93668caeb1cae4fad107cf9faebf88cabc5e14ff142b

SHA512
41b9cc2b0e19fe73d5006d69ce6a27109e26b5636ee7501d377062928df19194a00ff8902687c276d1b44ab7091b803cd92f0093eae9b432a5e187d5caa6d733

Download Submit
C:\Windows\SysWOW64\Bifbbllg.exe

Filesize
304KB

MD5
8853b3dcc8a153b4bd1be82bd5cda430

SHA1
d20d77d03f25bf2a930ddd39c9c806406d7bb15e

SHA256
32ee102204f0ef84cb10b8dcb7dcaca18aac8a7c2aab7113d1efd51e2b9c151d

SHA512
645ad9c3b59f9a79b91538885962bc235266d678e23b3529d5d4698e7aba593ba63a485d9f0886be3d59040398e27a5e3ebc8d3c09918ca1d2bcea25ab8f324a

Download Submit
C:\Windows\SysWOW64\Bikkml32.exe

Filesize
304KB

MD5
78da83c861d703f31e02ee123d0856cd

SHA1
396c1a2ee9d116689f9e648bd92cda3ef1fec4a8

SHA256
152c58c3cc4871b6f890a89921dc05b56df2800c56144afb6b0d1ef6540a8b76

SHA512
cc1f451235304f2363707386aecc9083adff0de8f4055f98d08a8236c8d6b9c312eb14d9f6d0144f20b2f4a0a929212dd923be0f2c63b0ee3e7bc97eff877137

Download Submit
C:\Windows\SysWOW64\Blbaihmn.exe

Filesize
304KB

MD5
e33901500816a8d4036f9be7eb09898c

SHA1
474869441de90c93b35bc49dd190e59bdbfd66e0

SHA256
5ae77886dd517b5e23ffdc8779947cee26b4ca2fbca3f5ace14e597c1ba1b0b9

SHA512
eea92c69b52c03f4e89be7b2ecadb43bdab64f0761adc6e58ddc0dad8197484f14bda8e8ff04b35b42da8d214f9670e2f0ba6413fbb09c9cb279c7b3bab8d2cd

Download Submit
C:\Windows\SysWOW64\Bockjc32.exe

Filesize
304KB

MD5
d9be052e8ad8a7d3cd1e0851edeeb407

SHA1
eb2f0a925270fc6d54e4875907b8ce8c18b34075

SHA256
bf0f1818b583d2889829cf0728cbc1a28127b15a8ec50ef3c2e3163ee6b5c26c

SHA512
afeb59e5e655fc5561660cffe0ded977ef8de31663b85379a16409b1792216e5e0323b1445f5d2418bb53735c6d5a328d3ac3b8a071d69e92ea54abd616cd8a5

Download Submit
C:\Windows\SysWOW64\Boegpc32.exe

Filesize
304KB

MD5
6a74b8aab77abef49945b9ea66894651

SHA1
cf4b24ee3635799edbdd1bf446a88b9c79a32da8

SHA256
8132d2324646f55f9643df43750cf3d6938713e02599223f4e48ac84f72a8151

SHA512
7b47a184931501e213e3a1c113edbfe0e298d5eda8d03d6c59cade1bbcf4e93ad5f3704e4f0e2ae31a8e35c60037cf776edc95f047737fe21617ed5a73600b50

Download Submit
C:\Windows\SysWOW64\Booaodnd.exe

Filesize
304KB

MD5
9b47c8a33b22a6d63355526213b2e326

SHA1
3ce3f8e614a0561b241443d93f1caf4645a2f7c5

SHA256
a4f9260627a470ae6675bcdd329c05748a968a5633c6e1183c30f624d375247c

SHA512
e281afad5109c6eceb900ef60cf6b93267195e29104d673a74624ab3618b48a3a0e221292c579277bf2f5e2d42d0ba41b9cd62db60c2e09e7ce73daa848a8a0c

Download Submit
C:\Windows\SysWOW64\Bpidngil.exe

Filesize
304KB

MD5
315aecd513ad64f8029cecdb368aab26

SHA1
74588d9b4df4c86122ed7ba97a5e5dfe910b2afd

SHA256
04b4dc78d648e34cea44bb32f4650eedb48e4e88a5ecc0747d7e39c22bfa1365

SHA512
17affe63f615e54871a6cbc91745be030807dcf29dea0b5eed991ca2b8a10be74fb301cea54bdc7611664256012035bfe4cefc8b5c4efcf6eda65f36ffdd1821

Download Submit
C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
304KB

MD5
dd780dd2fd50db9055c58fc6430bb8fe

SHA1
4c0b7e3199bc585a1ed1cc2bafe4ced9c4f86a4b

SHA256
3fc2ca278f6d20f57f5e16b70032b73594c6bb58bbe9bd2ffdfc638859bbb8bf

SHA512
907c6b24ab5a32f229e617b10993debdcf6d5362f831d1ce4df3218327792dabb8d40eae0dfb28fc87832b207f3a8f168aeb9efaea8f2acf4640711a2109ce06

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
304KB

MD5
88ad27aedb9bb0e2c3b6dc17aedbb6be

SHA1
11e04988fec59413a08288649966f67c92ba47a0

SHA256
3187b198f486863835b96759567ef1c45ab200074540b1648d2d697d1e8524a8

SHA512
0d2fbfad30a065936eac8f51f2c886dac5e6797595d365a2152c7d63ccb843df7d3839bc1f69916e93b1abe1eece6b35c65fe92899b1fcdbcfd13ba96caed25a

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
304KB

MD5
bb397143dcb33390e1afe6c74931455c

SHA1
1c7b062cf10289a2e13978d13bbbb9c1f488894e

SHA256
43720858407a4c67d6e65974f1614bac7f3660d3d8621aa5a2ffd49b626b5e7a

SHA512
022e64a29b050f58eb29bf04f18af2e45d94ac95d2887b3fa1d07423759f8d3a88e3371d8acd1ad66990809eacb33d89e2cec9ca837239aed422efc6f6a7c065

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
304KB

MD5
b42104b2d2b334370c47b61307611c6b

SHA1
ac66569bea059638607aad6c532b47e3a21c600c

SHA256
edbc375d91a6789e08f22403e8e036afeed953b2efb96e04480b585de6ab4a4b

SHA512
a2980bc1d08f3f7abc54013cfc2cbcdf0d184028345da5b9ade115df4a22b451c4218f3025ed2ff400b51f01ecbce7a02c7343734255034d818edba37a7de3ea

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
304KB

MD5
b5addfd84c039b5b55653e0d361d90ce

SHA1
38caec9e7c2498ed61a9800724e66be4bf8999c1

SHA256
7fdcfcbe4e5cfece23b01de13004fb5d432932ce88083673ca82bf2d82aaaade

SHA512
5f7a8795aa47ff3acf5ba6e97359bf0bd3689aab4b43580e33ee04699c8b2777f412962ed1049b4a80a356b1ff409132f8a825a0f2c188b7f6204f3435872e5e

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
304KB

MD5
057ab7017c3553668fa175c9f833907f

SHA1
82cc26b12eabce53540c9aa8139d70fedf663fcb

SHA256
073aa8a5452363554f7fc1bd8161c367c21eee2f47b482ec97cf285d7e88bd31

SHA512
a347b678a987f11ccfcd463cd5a6f49ff07787a282dc1b7749f13b7c029c3f0628335eae38668c7b489c6c207dc324ee3d68cd90ddfc95820aafdbcc4a2e6da1

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
304KB

MD5
60b961ef51790b3ea993c7dae9012ba2

SHA1
d6f2126a2a1a1a8994ed568c77f534b038103d34

SHA256
ab194c3391a5db638aa9c45d762f71c0bed50256fbcea1dd6a3903bb08d4beb4

SHA512
e27619c45c8148fb6f005302714f4667bc268692439b28d53157af5c64e5d952e3ae781108bb78ad4adb4156cd2cda9ffe20c8bd66b1b8db1ccaded18636870f

Download Submit
C:\Windows\SysWOW64\Pbekne32.exe

Filesize
304KB

MD5
1c672d5ce8553bcfb15e5e638815ca34

SHA1
101c2c432c8a4dc8df45cee5e27b72b7f730dffd

SHA256
6fd0a0c132b478549f0247c17d631dcb548d4220e504262a0f4b5e782199f436

SHA512
3e319a1f6a56e20ff3e3ce2c1d182dab9ed1516a362fd49adf5cd690b543f818f0b67e5784f5136a849da38b7dad58d8174e4d31aa6773a8840e35a9dab12889

Download Submit
C:\Windows\SysWOW64\Pecgja32.exe

Filesize
304KB

MD5
02f23a43ab9ce88dbaf6d710ee72aca1

SHA1
60525d4e13125dd888ac8395de2f7cb73139f3a2

SHA256
db576de55fa586aa0ff6855a4fd7e2681239feef17a5baa6a743385fa7a0a957

SHA512
87d629275a7d8aa663172e1dcef6191f8bd8f51c04bc4a1002fd4a75bb4d2a48eda84ec3a0b1147b7b42ef9501239b56a621fe2a984b4cab0cecda1e89f12927

Download Submit
C:\Windows\SysWOW64\Plkbak32.exe

Filesize
304KB

MD5
08873a93178b328ae9948b6d7538c7d1

SHA1
75b37ad6e5b4eae651ddce947003fed196195cd4

SHA256
044df1752f7380e63b83dfb99149b1fcc7301e8eed0e88cd32f937acb2638ed3

SHA512
7bb3e1b97d90a4c9bc7b1aa0e42acd44a41512825139b6742d8d2cc1f5abf1234afcf92605e0b89b16838b3406dea12c0aac413e4209b14bcbeba7b8787be785

Download Submit
C:\Windows\SysWOW64\Plmogkoe.exe

Filesize
304KB

MD5
76c66b92c494735e0cd8faa41bc28e3b

SHA1
a6c4b199d83e5ff622d179c8271aadd2b33fe94d

SHA256
d9f1c5329ea6b8d81a24b1e611ffb3e41c41859d42ea0c2ef9bacd09a6820641

SHA512
d678a9734c07d33faed46776d3840ca30fb6c26349188d81730dfb44848f86baa25c80998c295bea04bf33e368aef1a56655fb93bfb877b0a110cfc97b36ec64

Download Submit
C:\Windows\SysWOW64\Qbggce32.exe

Filesize
304KB

MD5
8ea49a042ba9f621aa2852d205f08e6a

SHA1
9e2cc29714303fea7ccb193f57bb9e7b79423eab

SHA256
53e34f02221a593fb7284d789221ac1e024fc53295cb0204e9c30a2de5cd4386

SHA512
00a3d125ce1c078ec8a826230af76e5beecde2ed8b0346ce85e305f2a9e611a5f8bb3792ee63910b13a15723132904a0de511af0ba6b43bf90febda39035be53

Download Submit
C:\Windows\SysWOW64\Qbjdiedp.exe

Filesize
304KB

MD5
2c2829fbdd6915944b8b250d8780366d

SHA1
22fb3c42aab21d3cafb28f54d3719efd0f381b7e

SHA256
ccef66b3a3f107f62f5d2a3e797b307ef69afec8c1c3e3a9ab4d25d2189c00a0

SHA512
592445983c8ed57479d0b463ebbb7f4dec7ff266513a0aa3603cfedd53e79f7bbd1ac5cdd8832d0ad450b1c421ce3b856c0f4f2c0809bd9d0666b063027b7e21

Download Submit
C:\Windows\SysWOW64\Qhdpll32.exe

Filesize
304KB

MD5
2ff5823bc2b23de012192f88d0cd3126

SHA1
a0a913dd4d7220e2c43e4182871ee03c466e1c1e

SHA256
853465dd6081620b5b902fba717c6cfb33e1d17d1c0021c8d5ea8310666411ad

SHA512
b8c58802a57fc7e237c918cbd111df7071ddf96ee96e0dddffd3e2e3026551ecc0f7d79eab9e68369ddb14b76874a0db151a9ffd8b2b2db672fd89a1f1207500

Download Submit
C:\Windows\SysWOW64\Qpkhmi32.exe

Filesize
304KB

MD5
892920c5ad4492790d882c6a6e6aab12

SHA1
3d51e6c5367ed04eb59afe3cf29eab5e7c4b31e9

SHA256
617e984ace6cbdb1eea29080685cb9bfb1926d48b4fd3c493c9fda0f020c7fe9

SHA512
c7fe12c2281a8c80a6a731b72ecf6b0841c391b67efa39f3be4b75d712a3a0cefa5e57e9581fbc867e5fe3612c7984ababf230c5cd7dc015b4226c2aa9352f55

Download Submit
memory/316-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/524-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/528-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/624-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/800-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/872-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/888-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/940-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1072-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1164-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1176-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1252-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1364-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1596-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-435-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2112-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2212-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2752-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2920-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3008-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3092-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3116-149-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3132-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3148-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3172-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3268-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3284-204-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3472-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3488-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3560-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3624-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3632-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3636-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3704-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3872-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3884-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3948-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4092-164-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4152-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4236-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4284-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4332-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4336-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4372-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4492-441-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4556-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4688-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4844-404-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4996-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-417-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads