6114171b3f7e4cf4004beb4d90e57cc0ec74f8342e832d9b02cfb5a92fcfc3f7

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6114171b3f7e4cf4004beb4d90e57cc0ec74f8342e832d9b02cfb5a92fcfc3f7.exe
Size

78KB
MD5

776e7dd383728d86b058b6b811fa6c42
SHA1

b89cc830b129e907452a6ea1a78c0f71ff3c3701
SHA256

6114171b3f7e4cf4004beb4d90e57cc0ec74f8342e832d9b02cfb5a92fcfc3f7
SHA512

dd45b3c65a72e7ccb930228f667d751b3ee8a7e37f254bca2ff529e3cf61b86cbd0dea5f304c5f7cc79f3e4460481c7e4664f3c2391156dfc040b13f44d4498c
SSDEEP

768:prtRVhYDaUhMlNBGwju+5elbM89i/iBXMnWIprVx5Ogw/1H5C87XdnhgH1Ks6gsg:pvMmNNfju+5ubj6COANdkIggsJVHcbns

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kflide32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljceqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gegkpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmhdkknd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adndoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnoiqdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgicgca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqncnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doaneiop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feoodn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmhdkknd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpcjgnhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibeoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieidhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhifi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncchae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iefgbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geaepk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbnlaldg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ennqfenp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lflbkcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Filapfbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbjfjci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Padnaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camddhoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlppno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqppci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpjlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feoodn32.exe

Executes dropped EXE 64 IoCs

pid	Process
2448	Qlgpod32.exe
816	Addaif32.exe
4396	Adfnofpd.exe
1560	Aefjii32.exe
3084	Anaomkdb.exe
2216	Albpkc32.exe
4604	Adndoe32.exe
2128	Baadiiif.exe
3256	Boeebnhp.exe
1984	Bebjdgmj.exe
2192	Bdgged32.exe
1700	Camddhoi.exe
2188	Cbpajgmf.exe
4188	Cdpjlb32.exe
260	Cbdjeg32.exe
3812	Cnkkjh32.exe
4184	Dkokcl32.exe
4868	Dhclmp32.exe
4784	Dmadco32.exe
3964	Dbnmke32.exe
4588	Doaneiop.exe
1768	Dkhnjk32.exe
3264	Dfnbgc32.exe
4388	Efpomccg.exe
4376	Efblbbqd.exe
1860	Ennqfenp.exe
2060	Enpmld32.exe
4048	Eppjfgcp.exe
2784	Fmcjpl32.exe
2464	Feoodn32.exe
3780	Fmhdkknd.exe
1600	Fiodpl32.exe
1588	Gblbca32.exe
60	Gbnoiqdq.exe
1520	Gmdcfidg.exe
2680	Geaepk32.exe
912	Hefnkkkj.exe
3308	Hidgai32.exe
2972	Hifcgion.exe
3432	Hfjdqmng.exe
2204	Hoeieolb.exe
656	Imgicgca.exe
3164	Ifomll32.exe
2724	Iojbpo32.exe
1840	Iipfmggc.exe
4924	Iefgbh32.exe
3852	Ieidhh32.exe
1356	Joahqn32.exe
3320	Jpaekqhh.exe
1972	Jlgepanl.exe
3444	Jepjhg32.exe
780	Johnamkm.exe
4692	Jniood32.exe
1612	Jgbchj32.exe
4508	Kegpifod.exe
4336	Kgflcifg.exe
3868	Kpoalo32.exe
3248	Kflide32.exe
4428	Kcpjnjii.exe
2308	Kpcjgnhb.exe
2032	Kgnbdh32.exe
4864	Lljklo32.exe
4152	Lgpoihnl.exe
2056	Lokdnjkg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hoeieolb.exe	Hfjdqmng.exe
File opened for modification	C:\Windows\SysWOW64\Oaifpi32.exe	Npiiffqe.exe
File opened for modification	C:\Windows\SysWOW64\Ojajin32.exe	Oaifpi32.exe
File created	C:\Windows\SysWOW64\Agdcpkll.exe	Afpjel32.exe
File opened for modification	C:\Windows\SysWOW64\Jpbjfjci.exe	Jemfhacc.exe
File created	C:\Windows\SysWOW64\Mjnnbk32.exe	Mohidbkl.exe
File created	C:\Windows\SysWOW64\Addaif32.exe	Qlgpod32.exe
File opened for modification	C:\Windows\SysWOW64\Fmhdkknd.exe	Feoodn32.exe
File created	C:\Windows\SysWOW64\Lhenai32.exe	Lhcali32.exe
File opened for modification	C:\Windows\SysWOW64\Lhenai32.exe	Lhcali32.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Efpomccg.exe	Dfnbgc32.exe
File created	C:\Windows\SysWOW64\Jocnlg32.exe	Jifecp32.exe
File opened for modification	C:\Windows\SysWOW64\Aagdnn32.exe	Afappe32.exe
File created	C:\Windows\SysWOW64\Dnngpj32.exe	Dgbanq32.exe
File opened for modification	C:\Windows\SysWOW64\Eqlfhjig.exe	Enkmfolf.exe
File opened for modification	C:\Windows\SysWOW64\Mfeeabda.exe	Mmmqhl32.exe
File created	C:\Windows\SysWOW64\Eqncnj32.exe	Eomffaag.exe
File created	C:\Windows\SysWOW64\Fbbicl32.exe	Fqbliicp.exe
File created	C:\Windows\SysWOW64\Ecipcemb.dll	Fohfbpgi.exe
File opened for modification	C:\Windows\SysWOW64\Ilphdlqh.exe	Iefphb32.exe
File created	C:\Windows\SysWOW64\Kldbpfio.dll	Ennqfenp.exe
File created	C:\Windows\SysWOW64\Ennqfenp.exe	Efblbbqd.exe
File opened for modification	C:\Windows\SysWOW64\Johnamkm.exe	Jepjhg32.exe
File created	C:\Windows\SysWOW64\Lgpoihnl.exe	Lljklo32.exe
File opened for modification	C:\Windows\SysWOW64\Ofkgcobj.exe	Opnbae32.exe
File created	C:\Windows\SysWOW64\Mioaanec.dll	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Mpaqbf32.dll	Hlppno32.exe
File created	C:\Windows\SysWOW64\Cgmbbe32.dll	Iamamcop.exe
File opened for modification	C:\Windows\SysWOW64\Dbnmke32.exe	Dmadco32.exe
File created	C:\Windows\SysWOW64\Mjggal32.exe	Lhgkgijg.exe
File opened for modification	C:\Windows\SysWOW64\Qmdblp32.exe	Qjffpe32.exe
File created	C:\Windows\SysWOW64\Odanidih.dll	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Lckboblp.exe	Lhenai32.exe
File opened for modification	C:\Windows\SysWOW64\Dgjoif32.exe	Dkcndeen.exe
File opened for modification	C:\Windows\SysWOW64\Iipfmggc.exe	Iojbpo32.exe
File created	C:\Windows\SysWOW64\Gemdebha.dll	Kgnbdh32.exe
File created	C:\Windows\SysWOW64\Nmocfo32.dll	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Gcmjja32.dll	Jifecp32.exe
File opened for modification	C:\Windows\SysWOW64\Kidben32.exe	Klpakj32.exe
File created	C:\Windows\SysWOW64\Aqmiic32.dll	Hoeieolb.exe
File created	C:\Windows\SysWOW64\Ilphdlqh.exe	Iefphb32.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Fohfbpgi.exe	Fofilp32.exe
File created	C:\Windows\SysWOW64\Pencqe32.dll	Pmmlla32.exe
File opened for modification	C:\Windows\SysWOW64\Dnngpj32.exe	Dgbanq32.exe
File opened for modification	C:\Windows\SysWOW64\Eajlhg32.exe	Eahobg32.exe
File created	C:\Windows\SysWOW64\Ndikch32.dll	Bgpcliao.exe
File opened for modification	C:\Windows\SysWOW64\Agdcpkll.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Bhkfkmmg.exe	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bgpcliao.exe	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Mcfbkpab.exe	Mjnnbk32.exe
File opened for modification	C:\Windows\SysWOW64\Kegpifod.exe	Jgbchj32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdjeg32.exe	Cdpjlb32.exe
File created	C:\Windows\SysWOW64\Ekaacddn.dll	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Jnfpnk32.dll	Ppjbmc32.exe
File opened for modification	C:\Windows\SysWOW64\Pmpolgoi.exe	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Lngqkhda.dll	Pfdjinjo.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Bhqndghj.dll	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Hhihhecc.dll	Boeebnhp.exe
File created	C:\Windows\SysWOW64\Klpakj32.exe	Kibeoo32.exe
File created	C:\Windows\SysWOW64\Ghcfpl32.dll	Nciopppp.exe
File created	C:\Windows\SysWOW64\Iffahdpm.dll	Fkcpql32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8296	7648	WerFault.exe	348

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqppci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahkdgl32.dll"	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginacp32.dll"	Aefjii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqfpckhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6114171b3f7e4cf4004beb4d90e57cc0ec74f8342e832d9b02cfb5a92fcfc3f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qejpnh32.dll"	Iefphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjakdno.dll"	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekmfnbj.dll"	Banjnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnbgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodamh32.dll"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eahobg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedegh32.dll"	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnpphljo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaekqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbbicl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdeo32.dll"	Gegkpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll"	Jikoopij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkpnbd32.dll"	Addaif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkokcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgnbdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pencqe32.dll"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abdkep32.dll"	Efblbbqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jepjhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enalem32.dll"	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiibaffb.dll"	Cbpajgmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppceehj.dll"	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icifhjkc.dll"	Aagdnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbfan32.dll"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajefoog.dll"	Padnaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afappe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fboecfii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2448	2456	6114171b3f7e4cf4004beb4d90e57cc0ec74f8342e832d9b02cfb5a92fcfc3f7.exe	90
PID 2456 wrote to memory of 2448	2456	6114171b3f7e4cf4004beb4d90e57cc0ec74f8342e832d9b02cfb5a92fcfc3f7.exe	90
PID 2456 wrote to memory of 2448	2456	6114171b3f7e4cf4004beb4d90e57cc0ec74f8342e832d9b02cfb5a92fcfc3f7.exe	90
PID 2448 wrote to memory of 816	2448	Qlgpod32.exe	91
PID 2448 wrote to memory of 816	2448	Qlgpod32.exe	91
PID 2448 wrote to memory of 816	2448	Qlgpod32.exe	91
PID 816 wrote to memory of 4396	816	Addaif32.exe	92
PID 816 wrote to memory of 4396	816	Addaif32.exe	92
PID 816 wrote to memory of 4396	816	Addaif32.exe	92
PID 4396 wrote to memory of 1560	4396	Adfnofpd.exe	93
PID 4396 wrote to memory of 1560	4396	Adfnofpd.exe	93
PID 4396 wrote to memory of 1560	4396	Adfnofpd.exe	93
PID 1560 wrote to memory of 3084	1560	Aefjii32.exe	94
PID 1560 wrote to memory of 3084	1560	Aefjii32.exe	94
PID 1560 wrote to memory of 3084	1560	Aefjii32.exe	94
PID 3084 wrote to memory of 2216	3084	Anaomkdb.exe	95
PID 3084 wrote to memory of 2216	3084	Anaomkdb.exe	95
PID 3084 wrote to memory of 2216	3084	Anaomkdb.exe	95
PID 2216 wrote to memory of 4604	2216	Albpkc32.exe	96
PID 2216 wrote to memory of 4604	2216	Albpkc32.exe	96
PID 2216 wrote to memory of 4604	2216	Albpkc32.exe	96
PID 4604 wrote to memory of 2128	4604	Adndoe32.exe	97
PID 4604 wrote to memory of 2128	4604	Adndoe32.exe	97
PID 4604 wrote to memory of 2128	4604	Adndoe32.exe	97
PID 2128 wrote to memory of 3256	2128	Baadiiif.exe	98
PID 2128 wrote to memory of 3256	2128	Baadiiif.exe	98
PID 2128 wrote to memory of 3256	2128	Baadiiif.exe	98
PID 3256 wrote to memory of 1984	3256	Boeebnhp.exe	99
PID 3256 wrote to memory of 1984	3256	Boeebnhp.exe	99
PID 3256 wrote to memory of 1984	3256	Boeebnhp.exe	99
PID 1984 wrote to memory of 2192	1984	Bebjdgmj.exe	100
PID 1984 wrote to memory of 2192	1984	Bebjdgmj.exe	100
PID 1984 wrote to memory of 2192	1984	Bebjdgmj.exe	100
PID 2192 wrote to memory of 1700	2192	Bdgged32.exe	101
PID 2192 wrote to memory of 1700	2192	Bdgged32.exe	101
PID 2192 wrote to memory of 1700	2192	Bdgged32.exe	101
PID 1700 wrote to memory of 2188	1700	Camddhoi.exe	102
PID 1700 wrote to memory of 2188	1700	Camddhoi.exe	102
PID 1700 wrote to memory of 2188	1700	Camddhoi.exe	102
PID 2188 wrote to memory of 4188	2188	Cbpajgmf.exe	103
PID 2188 wrote to memory of 4188	2188	Cbpajgmf.exe	103
PID 2188 wrote to memory of 4188	2188	Cbpajgmf.exe	103
PID 4188 wrote to memory of 260	4188	Cdpjlb32.exe	104
PID 4188 wrote to memory of 260	4188	Cdpjlb32.exe	104
PID 4188 wrote to memory of 260	4188	Cdpjlb32.exe	104
PID 260 wrote to memory of 3812	260	Cbdjeg32.exe	105
PID 260 wrote to memory of 3812	260	Cbdjeg32.exe	105
PID 260 wrote to memory of 3812	260	Cbdjeg32.exe	105
PID 3812 wrote to memory of 4184	3812	Cnkkjh32.exe	106
PID 3812 wrote to memory of 4184	3812	Cnkkjh32.exe	106
PID 3812 wrote to memory of 4184	3812	Cnkkjh32.exe	106
PID 4184 wrote to memory of 4868	4184	Dkokcl32.exe	107
PID 4184 wrote to memory of 4868	4184	Dkokcl32.exe	107
PID 4184 wrote to memory of 4868	4184	Dkokcl32.exe	107
PID 4868 wrote to memory of 4784	4868	Dhclmp32.exe	108
PID 4868 wrote to memory of 4784	4868	Dhclmp32.exe	108
PID 4868 wrote to memory of 4784	4868	Dhclmp32.exe	108
PID 4784 wrote to memory of 3964	4784	Dmadco32.exe	109
PID 4784 wrote to memory of 3964	4784	Dmadco32.exe	109
PID 4784 wrote to memory of 3964	4784	Dmadco32.exe	109
PID 3964 wrote to memory of 4588	3964	Dbnmke32.exe	110
PID 3964 wrote to memory of 4588	3964	Dbnmke32.exe	110
PID 3964 wrote to memory of 4588	3964	Dbnmke32.exe	110
PID 4588 wrote to memory of 1768	4588	Doaneiop.exe	111

C:\Users\Admin\AppData\Local\Temp\6114171b3f7e4cf4004beb4d90e57cc0ec74f8342e832d9b02cfb5a92fcfc3f7.exe
"C:\Users\Admin\AppData\Local\Temp\6114171b3f7e4cf4004beb4d90e57cc0ec74f8342e832d9b02cfb5a92fcfc3f7.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\Qlgpod32.exe
  C:\Windows\system32\Qlgpod32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\Addaif32.exe
    C:\Windows\system32\Addaif32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\SysWOW64\Adfnofpd.exe
      C:\Windows\system32\Adfnofpd.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Albpkc32.exe
        
        C:\Windows\system32\Albpkc32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Adndoe32.exe
        
        C:\Windows\system32\Adndoe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Baadiiif.exe
        
        C:\Windows\system32\Baadiiif.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Boeebnhp.exe
        
        C:\Windows\system32\Boeebnhp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:260
        
        C:\Windows\SysWOW64\Cnkkjh32.exe
        
        C:\Windows\system32\Cnkkjh32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        23⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        25⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        28⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        29⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        30⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        33⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        34⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        36⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        38⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        39⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        40⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:656
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        44⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        46⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        48⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        50⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        52⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        55⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        57⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        59⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        61⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        65⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        66⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        67⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1328
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3460
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        70⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2064
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        72⤵
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        75⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        76⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        77⤵
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        78⤵
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        79⤵
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4080
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        81⤵
        
        PID:368
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        82⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        83⤵
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        84⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        85⤵
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        86⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        87⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        88⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        89⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        90⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        91⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        92⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        96⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        98⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        99⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        100⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        102⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        105⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        107⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        108⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        111⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        112⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        113⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        114⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        115⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        116⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        117⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        118⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        119⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        120⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        121⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        122⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        125⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        126⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        129⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        130⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        132⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        133⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        134⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        135⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        136⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        137⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        138⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        139⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Hajkqfoe.exe
        
        C:\Windows\system32\Hajkqfoe.exe
        140⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        142⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        143⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        144⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        145⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        146⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        147⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        148⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        149⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        152⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        153⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        154⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6424
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        157⤵
        Drops file in System32 directory
        
        PID:6472
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6536
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        159⤵
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        160⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        164⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        165⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        166⤵
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        167⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        168⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        169⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        171⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        173⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        174⤵
        Drops file in System32 directory
        
        PID:6316
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6420
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        176⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        177⤵
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6676
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        179⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        180⤵
        Drops file in System32 directory
        
        PID:6860
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6972
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        183⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        184⤵
        Drops file in System32 directory
        
        PID:6260
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        185⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6572
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6732
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        188⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        189⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        190⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        191⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        192⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        193⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        194⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        195⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        196⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        197⤵
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        199⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        200⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        201⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7296
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7340
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7384
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        205⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        206⤵
        Modifies registry class
        
        PID:7468
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        207⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        208⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7548
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        209⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7640
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        211⤵
        Drops file in System32 directory
        
        PID:7688
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        212⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7792
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        214⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7888
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7924
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        217⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        218⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        219⤵
        Modifies registry class
        
        PID:8092
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        220⤵
        Modifies registry class
        
        PID:8136
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        221⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7216
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        223⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        224⤵
        Modifies registry class
        
        PID:7348
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        225⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7476
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        227⤵
        Modifies registry class
        
        PID:7540
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        228⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7684
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        230⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        231⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7908
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        233⤵
        Modifies registry class
        
        PID:8000
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        234⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        235⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8148
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        236⤵
        Modifies registry class
        
        PID:7196
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        237⤵
        Modifies registry class
        
        PID:7328
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        238⤵
        Modifies registry class
        
        PID:7448
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7524
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        240⤵
        Modifies registry class
        
        PID:7996
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7756
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        242⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        243⤵
        Modifies registry class
        
        PID:8028
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        244⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8144
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7236
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        246⤵
        Drops file in System32 directory
        
        PID:7452
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        247⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        248⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7920
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        250⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        251⤵
        Modifies registry class
        
        PID:7488
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        252⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        253⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        254⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7648 -s 404
        255⤵
        Program crash
        
        PID:8296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7648 -ip 7648
1⤵
PID:8240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:8608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Addaif32.exe

Filesize
78KB

MD5
0ade84a45e820ffc392561547064ef85

SHA1
45254f4234759a59852b3abedea55ea5315db87f

SHA256
1c85652b0c0c888a9277d669769b81cbada76ab61bb0b1f05907728fbd5c7b33

SHA512
0b4fde94b516a61409c6be3907e39da425b54c606c41eedccd8937a8e054f10116cab23ee1044f458acf7a8a15e3f48352d7d42cc55b47adda2376f3de3ce81b

Download Submit
C:\Windows\SysWOW64\Adfnofpd.exe

Filesize
78KB

MD5
284cc5d9c34bf5b99b55441a8d97ad39

SHA1
0a98907754db6dc34ce489a1ffe87e742d24e5e9

SHA256
ee59b8fbfc82630e51f9e5de32b4e3f428380e05a8ac63e1e6bd33c33d69c0a4

SHA512
50df9d154751284d7cbc0c8e7bdf2976bf5f4e6334cd98e2e26600fe4dcd4d532c6f721f9f9faf02ec524555d793297b599f32c14eaa39517e3d591c1c03ca97

Download Submit
C:\Windows\SysWOW64\Adndoe32.exe

Filesize
78KB

MD5
7e42fd912af61dbe77ea14fabc7c35ba

SHA1
c7bd2568f3bbadd4a07f8cdceaa9fc546e7c673b

SHA256
06d062d8fdcfa522f3fce1629377b5490c033bb9ce1fee0dafed3a52062db0dd

SHA512
70e6ac6dc7c2484b22ca2e115100e3d4ab56be01aa478f434c7cf7e3405d5b85ed15b823289f3e7b3fd8317c29d2d8d4a4e60852ed38ec6442fa1d0808652951

Download Submit
C:\Windows\SysWOW64\Aefjii32.exe

Filesize
78KB

MD5
febc5d92794b3dfbf2bdc7642120968b

SHA1
09e96cb6b3a4d334af7c04147ca6e102d5759d8c

SHA256
003a0135458812606f6a91c9398f696fddc3bf4c08465954fb3cc79387627fb8

SHA512
392e35a326d1f7d265a6e878f3ae54457e6b1cd4b208d8484f493060a13fc060a26318ac7407e06ecce471d7a99afcb33766773ee3e1a36c1a7dff18b3c1f6da

Download Submit
C:\Windows\SysWOW64\Ahfmpnql.exe

Filesize
78KB

MD5
df1547681301284d52e37fdd632bab06

SHA1
682e4575ad016d1302c1b9cae6b6ef48bd62e484

SHA256
8bf1f5d0e25ab66ff8230fc248981f1b2b2c0dc79fb604fac8a8ebf952a6753e

SHA512
0a78cb5f26929dae37657b377b78d5fc40367f74b7e160567009cb480d8a2df69672cfac2403c4e1e97414c3a5b3fe8442309326bf64ca96b9551588d22cc819

Download Submit
C:\Windows\SysWOW64\Albpkc32.exe

Filesize
78KB

MD5
a9f987ba5c92aa52f8fc4565633a763a

SHA1
e41d209dbd2188dbb4a72f41ec7526aa4fb1b83d

SHA256
ad37c8af0b2b2c5f45c6a7ce026d18f892dcbcfc7d89cb40efc92ed09aaeb84c

SHA512
09dca19dfe60bdd7803d16e6696a1e9d9409a54e6926c641527cea8cbcc819da114bf22047605c765649810d10995b98eddbce192a99e9d15750dfe4ebd800cd

Download Submit
C:\Windows\SysWOW64\Anaomkdb.exe

Filesize
78KB

MD5
d681599f7e5444e3a39e7b2f3632cd13

SHA1
2ca1efe3cdcfd004bcef2eaee9786d479df7868e

SHA256
32879b04519bc179170e5a732d77614005a175dc46ca742b3bd323689c515a7a

SHA512
a93841afb82df5dcef0bdae590c19b3fa6478fa79099f60f569bd49eac50c07542f3c2708d7ab209f907f149dbc24843d73fb9c37a1538e3ef82ddd89dcf3511

Download Submit
C:\Windows\SysWOW64\Baadiiif.exe

Filesize
78KB

MD5
07971acbf06659147fcb598bb9378b66

SHA1
88f9473c0cd83df43fe5adae0496c68dc3c853c6

SHA256
01919d4f78a8e680306618082ff7973228b5219fbbb2f078f2ce93dd8f2fefe8

SHA512
f15fed23d0c797751bf510caa2b164e4a5200b20e7a76c4c0c3b326250a61fb699437ccc4fe7f1d294fb4485efec3afdcb7c46f3d00b4317e449f83dc5c2915c

Download Submit
C:\Windows\SysWOW64\Bdgged32.exe

Filesize
78KB

MD5
3a41b33df7776c00aae369db7540c071

SHA1
8060392c9c8379dc52529da5f2d0fcbdba96c731

SHA256
483aeb57427bb2e78a6405c40d508ada5cad74bb9b242c415fb4fe9a0d524b20

SHA512
d8fe1160590135e71685610efdeddc05ef05fd42d35929e83f0e48cd73cf7b534f6835a9f3fb66653095b1826dd965d77e387eefe1eae85fe04cfb784656ff8d

Download Submit
C:\Windows\SysWOW64\Bebjdgmj.exe

Filesize
78KB

MD5
b84df1eadcf46115f09868a8954734cd

SHA1
56e942678b14af8e3e49a3900b5a797be96cbcbb

SHA256
185b6ef49ac1fb37b467f2c04df7615a9ccdce81f1e94a9085ac181817b67525

SHA512
504b34d5a82400012bccf60ad3674d7ddb8e319953907f13b33a0bb48075e3f0ff100182f114bb2671b69d39556069c70bec3a0ed786b4a553beb157386d8f4a

Download Submit
C:\Windows\SysWOW64\Boeebnhp.exe

Filesize
78KB

MD5
05e87a761289d3838ede429dba300903

SHA1
2210d746b6cb2e3ca3ca3bfda2792538bb4b875a

SHA256
1a9ff7be6949097b4a6ec4aca6ba5b8c88d9afe0842112612956e947e06bd94a

SHA512
15bffdb02cc696ec336103d18dd3874e879ff5940b5b753e76002c2e4bf4dba9fdfa00cab0c0d79978754bf6086c5f668fda347a4a82117d55c35d2cbf238916

Download Submit
C:\Windows\SysWOW64\Camddhoi.exe

Filesize
78KB

MD5
9dffac8be0824e98a6cf1c7bde32937d

SHA1
5d11a6c12a1fb2798f6b8f169eebeeec1d92c95d

SHA256
b7b1c25df84768f946447443ebae52b7db822679957fe79ea1ea7e7961f8759f

SHA512
49e010c5b8cb0757a67fc82d8741db1df3144473152ed14a37a7fabef8583ee678edae7d33068c515dce77d07216a789b71f7735920f3cef36177f6eae4700a3

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
78KB

MD5
a8780deae7d935906d9488eebc1fd512

SHA1
f7e1f1d6a2b77b7e306f6d323758e0380bb1aeaf

SHA256
5c2dcbf7a202d3bc63e965ce35beba0d7f3446118f4ff40bfbea8d57609bb7d6

SHA512
17471672dd419df874f32eb465aae127db18dfb429f8d696a9d9b0f20bd2c5aef20ecab509d65e3c0ad1ff3307f26faed8bbd1e337d43c1c6783d929ab143cd3

Download Submit
C:\Windows\SysWOW64\Cbpajgmf.exe

Filesize
78KB

MD5
3bf059e7a4944b379be0d96844e0547c

SHA1
51ab8915133a5788f9d526be52e6383d527cfb56

SHA256
270e86f023ea07aee7fd3999d544a608b34c9d06f5cc662d6fca82ba377cf658

SHA512
0c945f33c6d39f014d03e7e23cf82b2235683248dc98fabfdcef243e8b1598817371bb933d10e094fe909ea68362dbea7e903194a6ffab2b037ef2ccc061e0d4

Download Submit
C:\Windows\SysWOW64\Ccmcgcmp.exe

Filesize
78KB

MD5
c2f122e596c9bf58553c638ab6516265

SHA1
0e7fdcc7990a8856acec7b5e76240093ed680b33

SHA256
2c0ad2f21088ddd11c5983da7b760cd9362955c74cce9c7e0f1b74d4dafe0359

SHA512
296b864717d1e052cf6bfc7c7a798abb32263a2897518373a85a7fc6c1c72fc80d819ba0cd7ad3d91286b063fdec7065ea2bdd0c319fd00ba8315af6603f0c9d

Download Submit
C:\Windows\SysWOW64\Cdpjlb32.exe

Filesize
78KB

MD5
dbf009cbb61f61cd8d33120f24812dcd

SHA1
431b15d5f4e2d77d9550c0af7fd66b2f5f73c965

SHA256
4f3f9cfd5fda39a761da8b5e9d208966d912a89201be5e7a1c373847ca5bb469

SHA512
35258bd4990bc43db6f21ff08bcc6ad17e4bbd189f6e6de4e55f99d4227ad03af75ac1e964a6f93372dde8d37fc097c8127088e1787066dd63b87dd9419d23a2

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
78KB

MD5
ff32899a8fe3509c506f0815fc910225

SHA1
2783a2557ad1c46fb576568bd8cd7721a8ec1421

SHA256
d83c0144367641ab5c0b92dcf38c141e4271aa64efb8c9e4ab034050be0f62a7

SHA512
ae854b368e775269704b67f234c09ae4091d41cf99fc3bfa174ac9532f16ecdfebcbd6c39029f7bf294e8a22e1ed559d55b920df284106dd0a0dae12eaf6be4a

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
78KB

MD5
d0fde1b5878222b2114e6cea47f60036

SHA1
a0767daea0cf271c15271f75bd38599b58084396

SHA256
3042d37b155738d46bbb4df556a5dbc0f1dc07244dfe6bfc697285ea9db8cfeb

SHA512
56bb1db6a643008f1c5a9302b164c05ad4643f93c202ef8b27f8cd75ff894c8a7dae640a7d34d790fe901795a4eb646b51385c10ace97a2125120f56a4fd3be1

Download Submit
C:\Windows\SysWOW64\Cnkkjh32.exe

Filesize
78KB

MD5
81588dd7cc86fe4732a1d25e26b2678d

SHA1
dfc53f3eddecba4184c94b872bff4c8a74924df9

SHA256
c091ce09eeada11dc47a9d30e047d5b46e6b83de5e8a453339a718fd076020a8

SHA512
92ac99c0103756cdd1de07782fd62dbe59ab0986a9efab7ea4ed733d9a12777d736b4fddf14ae1408838bde8d7aadd2424a54e3d940e390b3b578b5a4b3999bd

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
78KB

MD5
d54efccc0212424b57be333d60396119

SHA1
2fbd1a87146962101ad32ffe3552079b91b7a11c

SHA256
c3cb9be89d532af655935c3fc4f71cf43deb4c62ed2c69d1337de3aa1fc1dc05

SHA512
1e530a10798530daa1955421ba28fad98419d121c6b4cc8ef19a68ec20c46b4741a4ec0f0fcff6b65cb34ae827a5f2dad134c2f948b607795e6fece3011616ae

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
78KB

MD5
45075b00df2487f53b7fc305ecb18c4d

SHA1
3714a181a8e52777dbe51f2a0561cb68ccca3095

SHA256
db6cf28b19ed78eed2ae071f06806c64a1b1502b6cff9390f3433f7c0c218531

SHA512
8c763b00ecbec82d33dd8251ed94798920c52a1dd9abbe86b253a5ed2781daf602b96f3cd58ceb385795b15bc760e2e2a99853bf117e596fe0c5b3f402f6b5fe

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
78KB

MD5
5686f28300effd5f3609a7c482f6a2eb

SHA1
b32d8d9673e66342cc78fee5e900346188a61717

SHA256
cd3f03648a8755db0aca4cb662d8b42fca06bb7ced24e52621dc93ccf194fbb7

SHA512
c1ab31db719dc2931b1bcbff2b27020a7084d17aca5465442e9baac1f6b29f2c98c3d46cfbb8c9a7290c9425f647345e6c76bebca8090a85745708af83a5d68d

Download Submit
C:\Windows\SysWOW64\Dgjoif32.exe

Filesize
78KB

MD5
7b140d30ed0794886a8c9e501d5395c1

SHA1
79db5e81cfc144a055ed960a6f30ed3088e2036a

SHA256
9d7c1e82e1f6bc441d6a847a24459ce5faccb4a66295711c87838959dca22468

SHA512
9d408d67733fa5d649f7302c5eb1f0b833d6d979ed304f88f7b679370263fe9ff7f7383da2520c439e3eede70a6106724a74735df75e7116f402bd53afe7c43f

Download Submit
C:\Windows\SysWOW64\Dhbebj32.exe

Filesize
78KB

MD5
451799bf49e6ed95dc534e5461df631c

SHA1
4f529e7abcaef20f8e408985c037be634e69af8c

SHA256
fe1ee3a8e22a09e45b6715ebb51007a08b5493ffa378aad4c1d4b68081d83946

SHA512
ab594f1c31d21a5767a7df35e5b9c3438409d4305d852a2138c79d65c51e5c152ab0643a89dd9c53bf3dc7c364b715619a5af69bb1b499133c2f521abc2dca2b

Download Submit
C:\Windows\SysWOW64\Dhclmp32.exe

Filesize
78KB

MD5
a1e1096c2cae0496dbec7145bf5e223a

SHA1
46440517a14d8211699bd62243c67da9255927a3

SHA256
100b05cd459f677cf0e83ef20798292c7a67f35f96df10a0a69f5add66628b38

SHA512
9b6102b94d67a87440cc4d0bf5e22342fd1338794b83bbca4c4e47049a27ab10594d5911723096f4614757a7a5bc89cf5bca0a873e25d18f5c51af4d883703d5

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
78KB

MD5
a06785b4e2d72b6c8316a1a3ccf8b08e

SHA1
2284c50143a3e8b0681482a99333969b85780dbe

SHA256
f6530a7de9fc34398769d919a318e7ac570bccea086edd669711a6bb47911215

SHA512
f0e4dafcc95da84bd394b2b7f39fb2710e65919ede38862fc9b5ae4d70263823d25ad50bb1b3ec4cd0900c1a656bd711c6a6ab6113e1a2bb588f403622f7622e

Download Submit
C:\Windows\SysWOW64\Dkokcl32.exe

Filesize
78KB

MD5
28c81087d97137ad235c72a59f91ed08

SHA1
21fc9aeb855209c60165c1e9e8613c310cfa8b4a

SHA256
90f9a98efefddbf8f05a2d80b0555ae32a47ee472e0fed7881d4b85bfbf5c8a4

SHA512
f142c1b8dc8cd4791ef63825bc3bf1da1fe7b6cf68abb86cefada20a55e50a103b028559a23e0bb1bbf53ab37c53e574df402b1e9500f7851d8c54c7cf28969e

Download Submit
C:\Windows\SysWOW64\Dmadco32.exe

Filesize
78KB

MD5
d7dbd0979b9ff53d994c4ba804216886

SHA1
75aa177ee86802d00c3d7ddf27da21de8e7c1897

SHA256
06980ea89a83bba366ced5740948b7c77b1999878100246f5f1af2f9bf27f188

SHA512
4caaf16338f8f5a65f794cd75d94446903279af3895d31734757f5c98feb747050bae9876eb06cb3ce4ad23a7c7595192bfd4e454644c4f946bc5dfdcf8dd81a

Download Submit
C:\Windows\SysWOW64\Doaneiop.exe

Filesize
78KB

MD5
6eea2bf00478a128f776ed97cd4281e7

SHA1
be77797d94efd74d056c182c46e13516da98b31a

SHA256
0b16b57fe781ff93b109340012a0cf44d82b53f12fa99ea438b58a82e0d2a6d4

SHA512
075ef3b2f88b942df1cd184c3e6264da68688838e98713595b472092db84a604548eac5d71fad5e7fe3a3e9a9edd60dd632855564a9e414d688899733f5b035a

Download Submit
C:\Windows\SysWOW64\Efblbbqd.exe

Filesize
78KB

MD5
f852c4faae8dccbb5500cf08b59f4f26

SHA1
27dbdf214021c493ee253dadf5bf4c9584f7858d

SHA256
dfac3598c43ddb5ff55fa1212f1b78bbbb0ded987af40c710429ed7043783667

SHA512
91ecf77ab44b744890297f6fe150630a37654eed3e193335b712f73bdcf05f8f68ae819828e54f9a5ea31999e4451a9267bb6535e91be2335610301564c5d87e

Download Submit
C:\Windows\SysWOW64\Efpomccg.exe

Filesize
78KB

MD5
57c064fd35454830a04378e1fb006549

SHA1
c0cfccaa4ecb293675012eb5216b5a50592a9355

SHA256
9686f8cf068a4aca6c14a53256029f9c9b2a223ad21e86035b7d26b92978aad0

SHA512
b256fb77a0ff82677afdbd8ee4d7d5e2142a7c7fe563ac05a79a32444f391f0230c0c201065160585e4d7e5acd3b3fa03876a6839c800ec319d1bdd721fd871a

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
78KB

MD5
225e5332966bedb18709137edfb3e366

SHA1
32e90228391b970a96872fb17da808c6f5963f7f

SHA256
8dd6e500d3a0f3109b64be9eed2635879fe70500973e24b24ed5237fdfb1a91a

SHA512
d9aaae8f48d9b61b8eaf42b571c4a712444dcee95b2c44bc569b56df22ba55dde422751f84f3b84f1e9a3b295859512e5643554ea0353f5f4323413649b8bf42

Download Submit
C:\Windows\SysWOW64\Ennqfenp.exe

Filesize
78KB

MD5
27913c5e39310684de160a2587ebd734

SHA1
d967133b099b57c68257b974f09d2813bba2e713

SHA256
07e1e137f71aa23e3f22f0f1bae4209e884d14897d4be379101d42726f74a48f

SHA512
5db7844d4d3fb790253ddeb94d9daadaa23137677d9e3fec3b48633297dbf6b20f0e0a9e3fcace12a04d4633acc0b86c0c394d1df399fb55f43ae64200760042

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
78KB

MD5
b70ffff1dd75f7a7d5bb297a367274e6

SHA1
5ee72c2a52dd3c123b108e9699879cd36f492dc8

SHA256
43ba195b399f4b1487578ebf158775b967ceabf05a9f0355b608b5f41e638cdc

SHA512
fd5a4df9dd3e43598f433e02887f2fb124ac1d313d6bf4102208e4d0dc1bcb4e2fd88d7876bf2c3252ad05385ca4e3a036b9317b8344629b5976c389c4de9776

Download Submit
C:\Windows\SysWOW64\Eppjfgcp.exe

Filesize
78KB

MD5
4528e78287442d7c3a6846b261c58f54

SHA1
ec1a32cadcf7ebd49d2c9ee81a462e5f015b6451

SHA256
bd453853763983b6eef303a6cbbf671fc088725ab9ed07fcbffc0b335fed868c

SHA512
7d5ec6a42cea90b60da960f2fa24c7f0178e4a4744483953098ae5973f3e56f301e98afb66fb01a9508d8d421ae98cdd88624997c07b02467089a59094532a70

Download Submit
C:\Windows\SysWOW64\Eqlfhjig.exe

Filesize
78KB

MD5
e7ad394c70b7ca1e4b8086519cbc6008

SHA1
a4e047456cba08486433b2f2940a158081602d53

SHA256
b9a046ce9d1e179dcf8bc733f3d66b13f7403d904b3b27cf0f79b9254643a4c5

SHA512
aa2fb18e785da82e2db03ad806ec6bb0edd573feda1a728ce8bae2915490fd30f170b490a7f4b5ab2bd95c97d0b637d69b5277505628e116ec056e49a576dd4e

Download Submit
C:\Windows\SysWOW64\Feoodn32.exe

Filesize
78KB

MD5
c3baa3276b5ec255ab2569e308a9d78d

SHA1
d0172fc766c8bcaba8d332e0ae2d7a6d23d3796b

SHA256
c2f2f9b8d89630bfd9c3da16af02c31d58cc813724f9949c05d28db9818b11a8

SHA512
0ef2e4aa8960faf57064221409e565552cf25f771afecb0df077fe17fece8f40d5dad665306c271a6557a27e29f22c9a2910c13a516344c4e1c09f32a01bdbef

Download Submit
C:\Windows\SysWOW64\Fiodpl32.exe

Filesize
78KB

MD5
84e86f35e47740f44b449a63bda2c05e

SHA1
8b0d68c654d9fd25c74e92c34987cf0a9ed486e6

SHA256
2340683f4f95359988bbc47f0bee2adbf66cfae551087fde3183ec5352dfe005

SHA512
f83058375eace77a0146dd59d805531c8ebaece2178c5af2a81762a4bcf6419d4cc517a1bee76225db34b15e62ce270c99264d9b3633da2a11955c5e7ac83a7b

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
78KB

MD5
684467902ab451e11620024cb2b26c12

SHA1
f84d24226d2c2065fe2a4aa5daf5026576c1449d

SHA256
438f5b675640f68316583d9e3777989d85cc37414545886c8e43fd55ef9e0595

SHA512
6d404cf976e36e08cec8051c651529c5020c5a7ea72316296f61bd730cbd352dc255b9160d84d7ddbd6275e3ce62d962125523e8eac53e572532bfcb85c50685

Download Submit
C:\Windows\SysWOW64\Fmcjpl32.exe

Filesize
78KB

MD5
8d32c4ef78650a9819d1508d1a0c04da

SHA1
d4e214fb41d1704578bbcab013e9cbecb9bde33d

SHA256
00c67bb8b7cc4a2012c508b5ed49bd02314a578d1db6ab26f921e461f15a4051

SHA512
0af2a1adada7eaa9d0d9a265ebc93bafb2a2a61be309551525ee241b7a894f51271c056857855fec8f6a406bf1ae87591ace93873d38df19e1cc2a623c4e4bb5

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe

Filesize
78KB

MD5
dab4ae8b22ac0612e8cbc87839914e26

SHA1
4dd48c6db24b0d93868ba2f23cbff1c62fe6171f

SHA256
6eb2880cd50631ab209498e6180c12855bc4474f9a215cf1f7a62d9b4eed0d21

SHA512
8421d322d7f5ebba9369cb60d3cb712ab360bae810ab4c8fc55ac83a631d089ade4c9764b7d1321a833e758b5ac168f5897ab66e8536dc16e5d00f7e8d6c6133

Download Submit
C:\Windows\SysWOW64\Fohfbpgi.exe

Filesize
78KB

MD5
bb2d392af5fa41797eaf67deddb723d4

SHA1
12f3c76574a36fb44fcc80b2444fe3dd3927b098

SHA256
c8de7786f07e0366657f656211817246b193094c7c632d7f573c8b64640b2641

SHA512
89bb3d8d162f4a9d22a9fc07a5af2a473b1d213a736f043eb00ab82d043b37987c6b2fa27e5ac2925aac78d0a29e7d66047d218568908bc260ea6fc7a76f9634

Download Submit
C:\Windows\SysWOW64\Fqbliicp.exe

Filesize
78KB

MD5
b083f2f878e8be12fcc01cd4d6e13fe5

SHA1
532b9f9ba76ff7263cce7f5d5e53a18a6cb3bb40

SHA256
759fe4c626b009f7599669e1a476488444eaf1677f829c68d966731b1cb42485

SHA512
a0f984f01cf517fa461ca87df13fbfd46e12f5dd2d08c924425b8f8e390df24ee920cbf884cb40c3588150cb2bfdf6c0b694a9d82e02d26ee82b19bf65c0b84a

Download Submit
C:\Windows\SysWOW64\Halhfe32.exe

Filesize
78KB

MD5
d0df469a62c2ac1df7e954f328698d6a

SHA1
eec8d5c94ee9b6bdbe89b4e97e79e96258040a4c

SHA256
5b0b8f0a702a32d302d46bc3ed1a3401b9e83054e9299294e79fc9017cd47bcb

SHA512
742b79ef2665eb720b48264ccfd00bd959b0b3d147eeef15309d657ed02ccc7d6c3fd8753975cc701aba1853c9833f2e232c5cf1e6a17bda2a239e159f59c47a

Download Submit
C:\Windows\SysWOW64\Hhimhobl.exe

Filesize
78KB

MD5
27b0da9e3d2269fe8a0ab0053cb319a9

SHA1
6091905c45ed7fd57888d803f094e9858a62159f

SHA256
18b33725bfd5eed293600b47e9f8bbd4a7bdca97b1e5825d22568a04f9af51fc

SHA512
14f0c03c275bf70726b50a31e05b9f23fe3f56ea1f36b72d403fb867f44f0fe3aa673696d6441a3cedbe5d34b6c03984fc3353ecda2aa42adbedcbb8766c913e

Download Submit
C:\Windows\SysWOW64\Hifcgion.exe

Filesize
78KB

MD5
efc90a389be14e36de6d322a1d27cdbb

SHA1
969e9cab803b94d0c26e780ce00b20bd69bedf85

SHA256
3a892b51739a2af966261bb5803c35635d97798f096d7d1950e1674a22c7a65d

SHA512
a392378b7959cb9bdf894e1730dc6b4fdde0ce9632d2fa82bf1b4fa452db70de6390c5e83c2eb7144c1436a2e6452d3d7b000f3abbebfd69062dc4e378aee513

Download Submit
C:\Windows\SysWOW64\Ieccbbkn.exe

Filesize
78KB

MD5
b8489ad4864dc56ac1f7db1c093b2de0

SHA1
b58c9f1d781b93ff0e592851e45ee4706f48555b

SHA256
3092a6039244b1692b84ab802707ef10b382110c6d0a19305e2da51ca2404735

SHA512
6662045a5df3ee479bbbdce5c206c4d75dffbc22a346b6ecc4ae48f51a996b336de4b526f53a9bef182262b79f1fbf06894cebe9aaf6c335854dd4e8536c8234

Download Submit
C:\Windows\SysWOW64\Imgicgca.exe

Filesize
78KB

MD5
db363f6ba893c17cd3deb295cf7bc4c6

SHA1
752a6a73a94df075879644126c18e8a1d11f139d

SHA256
1507aef2ffa7c0b730790140ea89eb2be578b1521416f7f41092b3143b8571bd

SHA512
7e574f4ec9ccb02c70e465c298879b834c5d4300cb04446884772f69647e10956af624231aaa1898d99656fe0b82e832128439f91f5cbc82bc28ae84d261b607

Download Submit
C:\Windows\SysWOW64\Jlgepanl.exe

Filesize
78KB

MD5
8d15dd8e82ce1dd099d859104493151e

SHA1
dea3fc1320df9a6a67b142f43e4a29dca0169d49

SHA256
37e2b229f31b4a79d76061a50ff56b14a107599b3fa955f13b35d48bc39d917a

SHA512
f0da0d4c42f2718de301732d65dcd4b2100e2df18b42cb79689b5fecd7f41b992d389a9c639700de3a720782ee2084a01fdea859655a9f027a1b7ef9f4dfc2a9

Download Submit
C:\Windows\SysWOW64\Johnamkm.exe

Filesize
78KB

MD5
1a8fa22abd4c100134af1dd932d20ba2

SHA1
94d7bb027a6285891245870963005bb55b692f7c

SHA256
e3d9f814504a8743660fb0beeaaa3028d9bbbc5980b109b12d0cce2c12a0db41

SHA512
88a20ae7367cff044c124401ca988ce32a863ed74fab8b59dfd26f4661f2f401a7dfadb43188a288ebf51835483ff39bcfd9c0ac2886cdd8436b2dc97a79e99a

Download Submit
C:\Windows\SysWOW64\Kegpifod.exe

Filesize
78KB

MD5
9e9190d8bc061b363e1ac49169a9d164

SHA1
47a41494073f6cefc39acc7f549be60992f965b0

SHA256
cbc8bd5b85e5cb0e18658f800f4c08392bc3669812b4674db5b87c25b53ca07b

SHA512
c36817cb8554e0a886f5a2629ee7cce47210eb9822e789c6d275a99e7d7c81fe560f4c481adccc992d0d834e1c4441ad7a86ac81321bf7ca5d51b5b77d25ce20

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
78KB

MD5
b52eb1b1e772055742a31e669f04b55a

SHA1
a0eca9342e13a695dd2dd46e39efe235f219debb

SHA256
447d3ce7dbfbc9b8fd277670439c60073d74329601101a6f0502839f2ffaee2b

SHA512
d70abad9554a3bbd94a4a1c669a2b020bef2bb9b5c2bed2a28b187eb15fb6f808b9ae4839c3df83bf829a2f9919a207cc08b6831b8730ee039f2537094435331

Download Submit
C:\Windows\SysWOW64\Kiphjo32.exe

Filesize
78KB

MD5
237df89bdd5b2556c8ecc68787b5a253

SHA1
4808c39080419e368c12a101c5a4c6f6cfe746f1

SHA256
07b18e4bf75e2ddeb324f4dd08aeb87a90ef82aed2fc68da5665e92a0397e423

SHA512
ae06d98529077fc51d8e361ebc9868ac1049ee20e4067c97d71d4e82b156f46946917a72d85eb8fb1e592754c9b400a98a7ee7d7973714f16a936fbb29e5254f

Download Submit
C:\Windows\SysWOW64\Mmmqhl32.exe

Filesize
78KB

MD5
f03b34a44679222fe92dc4de82149664

SHA1
6f002781e259ae3309846ebae2210e5dbcc1579b

SHA256
a946b2419b117a2df146b3c961ce35615c681d3db9292bf7ca0e55dec5f06c71

SHA512
f36ce4762678b4d982770cd6b6abd8291ef9b1b5231ac433df009df99c3188d4059df83230859f7be9b270e9682c3d6414731404fcd2ec06a1c455ac22f1126e

Download Submit
C:\Windows\SysWOW64\Mqafhl32.exe

Filesize
78KB

MD5
ab1ac26214e62185fd002217e53c1647

SHA1
dd762957b2d893d716343b62202ecdc78c9bd09e

SHA256
a84973bb248b3b888c1255fd5ce5b01176e9a3924c855b332aa28f6dd8d32417

SHA512
c2264da2c882be4897d6c76d653e28e435676e6fc0ac5c1645c201d53b2343706729873d1395971d1155340fced4808d48f6cc8249bb0c3b261fb552fb9e7e2e

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
78KB

MD5
4921a07ac551da8fc79dd7babbcde582

SHA1
59e50f54b63f656233513304f927cc449e1b3dcb

SHA256
0c866ca27212f52f74cd4f2224f6554ea17f8c8ecfb0f614adceb60d07df6204

SHA512
522922e42ad2a33fbb6bfc08731aa8d381d086f7fd99898285336d2e56490d9b964003edc943b0368890ce3260b1fd3c93d7e339257f7c180f5186c82260b1e6

Download Submit
C:\Windows\SysWOW64\Pmpolgoi.exe

Filesize
78KB

MD5
dd5cd1cbdc8b40064e0914a80a3cbf6c

SHA1
27a6970cfb8429013d610fd4040cdc8d8b677b9d

SHA256
a2f2a13885459eac69b2df66092bef7601abf6a533e7f90ca07a4644adfcae89

SHA512
ed7b27c46c2a5ddfa5263ba450af7c8838b9d086160151837c26cdefe44526b2d18d14e03812aed5ef3633ab6a43c2f93e7bf894a9c3c0c61439218524b5dee6

Download Submit
C:\Windows\SysWOW64\Qlgpod32.exe

Filesize
78KB

MD5
f1a357640397fa5d7d628795cceb89f5

SHA1
c369c8c965f56e3f844b89a2927f1927d4d81c8d

SHA256
cb15e9ea559b8f6087df5bd35921e7c1c1c74f153be64b902d9ae6883147b14c

SHA512
80c8dd9aa3987020912a91cf5ac3895757169fafd5059aa367f781456fe7b654e6f0a4faee2c2033ea2c7b7a078bc8dc60ea686af78a60ee16554f744a416b8b

Download Submit
memory/60-294-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/260-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/260-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/816-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/816-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/912-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1560-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1560-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1588-281-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1600-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1768-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1768-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1860-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1860-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1984-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1984-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-230-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2128-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-109-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2192-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2192-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2216-49-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2216-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2448-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2448-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-1-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2464-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3084-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3084-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3256-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3256-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3264-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3264-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3308-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3780-264-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3812-140-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3964-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3964-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4048-245-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4184-149-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-122-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4388-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4388-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4396-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4396-29-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4604-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4604-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4868-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4868-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads