0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
Size

52KB
MD5

7f23b9c62704939cf3d2c12a28cd87d2
SHA1

5e7f256a4d1ca7a4e57154210f22e08edae0b7b8
SHA256

0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6
SHA512

e3d5004923a465117b668bdb0a57daea8f235bf2ccf8f5276b547f54db22925bfc8477dad51c5801813102af2b71b6e4043975b02ed5f0fb448795d030cd9e13
SSDEEP

768:o/tiwMwPHoqiNMOkNImTgzucyGF6XOtRx894qsICBx26Eh+Kv7BQ/1H5z:o/timIFQ1TOu6OXvU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joekag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnlkedai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iondqhpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glbjggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndgfpbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlblcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjdikqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjdikqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjfgf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnmopk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbdehlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jebfng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haodle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcjqgnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giljfddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Digehphc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hplbickp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkfcqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggkqgaol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jldbpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmhijd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bllbaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfjfecno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieccbbkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apnndj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glkmmefl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfjfecno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqgmmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipbaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nblolm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe

Executes dropped EXE 64 IoCs

pid	Process
2344	Bllbaa32.exe
4712	Cnfaohbj.exe
2540	Dokgdkeh.exe
3340	Digehphc.exe
3800	Eiokinbk.exe
1652	Eifaim32.exe
488	Flkdfh32.exe
4732	Glbjggof.exe
1160	Glkmmefl.exe
404	Hplbickp.exe
1676	Hlepcdoa.exe
1600	Iikmbh32.exe
3992	Imkbnf32.exe
4444	Joahqn32.exe
1164	Jepjhg32.exe
3084	Jebfng32.exe
3460	Jnlkedai.exe
1372	Keimof32.exe
2728	Kcbfcigf.exe
4704	Lgbloglj.exe
3252	Lfjfecno.exe
3312	Modgdicm.exe
3784	Mfchlbfd.exe
368	Mqkiok32.exe
4376	Nmdgikhi.exe
1204	Nncccnol.exe
3328	Nfohgqlg.exe
5104	Njmqnobn.exe
2952	Oplfkeob.exe
4612	Opeiadfg.exe
1660	Pccahbmn.exe
4964	Pnmopk32.exe
4928	Qhhpop32.exe
3412	Qdoacabq.exe
2316	Qdaniq32.exe
3464	Adcjop32.exe
4844	Apmhiq32.exe
3672	Agimkk32.exe
4292	Boenhgdd.exe
4848	Bphgeo32.exe
4588	Bnlhncgi.exe
2520	Cpmapodj.exe
2532	Cdmfllhn.exe
3708	Cpfcfmlp.exe
744	Dddllkbf.exe
4440	Dolmodpi.exe
3964	Doojec32.exe
552	Dndgfpbo.exe
4952	Eqdpgk32.exe
1188	Eqgmmk32.exe
4480	Eohmkb32.exe
2940	Egcaod32.exe
1468	Egened32.exe
2420	Eiekog32.exe
2960	Fkfcqb32.exe
4568	Foclgq32.exe
1336	Fbdehlip.exe
3156	Gnpphljo.exe
2676	Gghdaa32.exe
3408	Ggkqgaol.exe
1548	Glhimp32.exe
2496	Giljfddl.exe
4608	Hahokfag.exe
4024	Hbgkei32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Nodiqp32.exe	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Lgbloglj.exe	Kcbfcigf.exe
File created	C:\Windows\SysWOW64\Bpqjjjjl.exe	Abmjqe32.exe
File opened for modification	C:\Windows\SysWOW64\Ipbaol32.exe	Hldiinke.exe
File created	C:\Windows\SysWOW64\Ihjoke32.dll	Iolhkh32.exe
File opened for modification	C:\Windows\SysWOW64\Mokfja32.exe	Mpeiie32.exe
File opened for modification	C:\Windows\SysWOW64\Bjhkmbho.exe	Bpcgpihi.exe
File created	C:\Windows\SysWOW64\Cmgqpkip.exe	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Dpjfgf32.exe	Dgpeha32.exe
File opened for modification	C:\Windows\SysWOW64\Hlepcdoa.exe	Hplbickp.exe
File opened for modification	C:\Windows\SysWOW64\Qdaniq32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Cnokmj32.dll	Mfenglqf.exe
File created	C:\Windows\SysWOW64\Mbdiknlb.exe	Mfnhfm32.exe
File opened for modification	C:\Windows\SysWOW64\Nblolm32.exe	Mfenglqf.exe
File created	C:\Windows\SysWOW64\Mfnhfm32.exe	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Aemghi32.dll	Mfnhfm32.exe
File opened for modification	C:\Windows\SysWOW64\Mqkiok32.exe	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Kpjccmbf.dll	Eqdpgk32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbkml32.exe	Oikjkc32.exe
File opened for modification	C:\Windows\SysWOW64\Jemfhacc.exe	Jldbpl32.exe
File created	C:\Windows\SysWOW64\Joekag32.exe	Jemfhacc.exe
File created	C:\Windows\SysWOW64\Hmjbog32.dll	Joekag32.exe
File opened for modification	C:\Windows\SysWOW64\Apjdikqd.exe	Ajmladbl.exe
File created	C:\Windows\SysWOW64\Ddhomdje.exe	Dpjfgf32.exe
File opened for modification	C:\Windows\SysWOW64\Bphgeo32.exe	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Plgdqf32.dll	Foclgq32.exe
File created	C:\Windows\SysWOW64\Ajmladbl.exe	Acccdj32.exe
File opened for modification	C:\Windows\SysWOW64\Bphqji32.exe	Bkkhbb32.exe
File created	C:\Windows\SysWOW64\Iikmbh32.exe	Hlepcdoa.exe
File created	C:\Windows\SysWOW64\Nmhijd32.exe	Nodiqp32.exe
File created	C:\Windows\SysWOW64\Jjjojj32.dll	Nmdgikhi.exe
File created	C:\Windows\SysWOW64\Aeodmbol.dll	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Dokgdkeh.exe	Cnfaohbj.exe
File created	C:\Windows\SysWOW64\Nmdgikhi.exe	Mqkiok32.exe
File created	C:\Windows\SysWOW64\Aidehpea.exe	Adgmoigj.exe
File created	C:\Windows\SysWOW64\Ifncdb32.dll	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Fbdnne32.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Gqkhda32.exe	Fgqgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Keimof32.exe	Jnlkedai.exe
File opened for modification	C:\Windows\SysWOW64\Glhimp32.exe	Ggkqgaol.exe
File created	C:\Windows\SysWOW64\Kdohflaf.dll	Lomjicei.exe
File created	C:\Windows\SysWOW64\Kiljgf32.dll	Cnfaohbj.exe
File created	C:\Windows\SysWOW64\Jlbejloe.exe	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Jpegkj32.exe	Joekag32.exe
File created	C:\Windows\SysWOW64\Glofjfnn.dll	Abmjqe32.exe
File created	C:\Windows\SysWOW64\Iblbgn32.dll	Ajmladbl.exe
File opened for modification	C:\Windows\SysWOW64\Jpegkj32.exe	Joekag32.exe
File created	C:\Windows\SysWOW64\Nfqnbjfi.exe	Nmhijd32.exe
File created	C:\Windows\SysWOW64\Ajohfcpj.exe	Apjdikqd.exe
File created	C:\Windows\SysWOW64\Mkhpmopi.dll	Fbdnne32.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Cpfcfmlp.exe
File opened for modification	C:\Windows\SysWOW64\Qjffpe32.exe	Pjcikejg.exe
File created	C:\Windows\SysWOW64\Jdnoeb32.dll	Qikbaaml.exe
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Bkkhbb32.exe	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Ngcglo32.dll	Jemfhacc.exe
File created	C:\Windows\SysWOW64\Mgmqkimh.dll	Bpqjjjjl.exe
File created	C:\Windows\SysWOW64\Ipbaol32.exe	Hldiinke.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Opeiadfg.exe	Oplfkeob.exe
File opened for modification	C:\Windows\SysWOW64\Agimkk32.exe	Apmhiq32.exe
File opened for modification	C:\Windows\SysWOW64\Egcaod32.exe	Eohmkb32.exe
File opened for modification	C:\Windows\SysWOW64\Eaaiahei.exe	Dpalgenf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6652	6432	WerFault.exe	239

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeccjdie.dll"	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnlkedai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll"	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemghi32.dll"	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdagc32.dll"	Joahqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqkiok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apjdikqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafjpc32.dll"	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkehj32.dll"	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpedeiff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcglo32.dll"	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgjmg32.dll"	Glkmmefl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll"	Dgihop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankhggi.dll"	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flkdfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klambq32.dll"	Eiekog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Joekag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eiekog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbdehlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnfhilh.dll"	Hahokfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmcnoekk.dll"	Imkbnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqgeihg.dll"	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jongga32.dll"	Flkdfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lafmjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfjfecno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnifpf32.dll"	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnpphljo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikmbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfjfecno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djegekil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmqghl.dll"	Fbaahf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2344	1780	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe	91
PID 1780 wrote to memory of 2344	1780	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe	91
PID 1780 wrote to memory of 2344	1780	0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe	91
PID 2344 wrote to memory of 4712	2344	Bllbaa32.exe	92
PID 2344 wrote to memory of 4712	2344	Bllbaa32.exe	92
PID 2344 wrote to memory of 4712	2344	Bllbaa32.exe	92
PID 4712 wrote to memory of 2540	4712	Cnfaohbj.exe	93
PID 4712 wrote to memory of 2540	4712	Cnfaohbj.exe	93
PID 4712 wrote to memory of 2540	4712	Cnfaohbj.exe	93
PID 2540 wrote to memory of 3340	2540	Dokgdkeh.exe	94
PID 2540 wrote to memory of 3340	2540	Dokgdkeh.exe	94
PID 2540 wrote to memory of 3340	2540	Dokgdkeh.exe	94
PID 3340 wrote to memory of 3800	3340	Digehphc.exe	95
PID 3340 wrote to memory of 3800	3340	Digehphc.exe	95
PID 3340 wrote to memory of 3800	3340	Digehphc.exe	95
PID 3800 wrote to memory of 1652	3800	Eiokinbk.exe	96
PID 3800 wrote to memory of 1652	3800	Eiokinbk.exe	96
PID 3800 wrote to memory of 1652	3800	Eiokinbk.exe	96
PID 1652 wrote to memory of 488	1652	Eifaim32.exe	97
PID 1652 wrote to memory of 488	1652	Eifaim32.exe	97
PID 1652 wrote to memory of 488	1652	Eifaim32.exe	97
PID 488 wrote to memory of 4732	488	Flkdfh32.exe	98
PID 488 wrote to memory of 4732	488	Flkdfh32.exe	98
PID 488 wrote to memory of 4732	488	Flkdfh32.exe	98
PID 4732 wrote to memory of 1160	4732	Glbjggof.exe	99
PID 4732 wrote to memory of 1160	4732	Glbjggof.exe	99
PID 4732 wrote to memory of 1160	4732	Glbjggof.exe	99
PID 1160 wrote to memory of 404	1160	Glkmmefl.exe	100
PID 1160 wrote to memory of 404	1160	Glkmmefl.exe	100
PID 1160 wrote to memory of 404	1160	Glkmmefl.exe	100
PID 404 wrote to memory of 1676	404	Hplbickp.exe	101
PID 404 wrote to memory of 1676	404	Hplbickp.exe	101
PID 404 wrote to memory of 1676	404	Hplbickp.exe	101
PID 1676 wrote to memory of 1600	1676	Hlepcdoa.exe	102
PID 1676 wrote to memory of 1600	1676	Hlepcdoa.exe	102
PID 1676 wrote to memory of 1600	1676	Hlepcdoa.exe	102
PID 1600 wrote to memory of 3992	1600	Iikmbh32.exe	103
PID 1600 wrote to memory of 3992	1600	Iikmbh32.exe	103
PID 1600 wrote to memory of 3992	1600	Iikmbh32.exe	103
PID 3992 wrote to memory of 4444	3992	Imkbnf32.exe	104
PID 3992 wrote to memory of 4444	3992	Imkbnf32.exe	104
PID 3992 wrote to memory of 4444	3992	Imkbnf32.exe	104
PID 4444 wrote to memory of 1164	4444	Joahqn32.exe	105
PID 4444 wrote to memory of 1164	4444	Joahqn32.exe	105
PID 4444 wrote to memory of 1164	4444	Joahqn32.exe	105
PID 1164 wrote to memory of 3084	1164	Jepjhg32.exe	106
PID 1164 wrote to memory of 3084	1164	Jepjhg32.exe	106
PID 1164 wrote to memory of 3084	1164	Jepjhg32.exe	106
PID 3084 wrote to memory of 3460	3084	Jebfng32.exe	107
PID 3084 wrote to memory of 3460	3084	Jebfng32.exe	107
PID 3084 wrote to memory of 3460	3084	Jebfng32.exe	107
PID 3460 wrote to memory of 1372	3460	Jnlkedai.exe	108
PID 3460 wrote to memory of 1372	3460	Jnlkedai.exe	108
PID 3460 wrote to memory of 1372	3460	Jnlkedai.exe	108
PID 1372 wrote to memory of 2728	1372	Keimof32.exe	109
PID 1372 wrote to memory of 2728	1372	Keimof32.exe	109
PID 1372 wrote to memory of 2728	1372	Keimof32.exe	109
PID 2728 wrote to memory of 4704	2728	Kcbfcigf.exe	110
PID 2728 wrote to memory of 4704	2728	Kcbfcigf.exe	110
PID 2728 wrote to memory of 4704	2728	Kcbfcigf.exe	110
PID 4704 wrote to memory of 3252	4704	Lgbloglj.exe	111
PID 4704 wrote to memory of 3252	4704	Lgbloglj.exe	111
PID 4704 wrote to memory of 3252	4704	Lgbloglj.exe	111
PID 3252 wrote to memory of 3312	3252	Lfjfecno.exe	112

C:\Users\Admin\AppData\Local\Temp\0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe
"C:\Users\Admin\AppData\Local\Temp\0298f44f89bdb8de63735186cf74faef4bd9f0c4b20ad7cd2f06f656f03a70d6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\Bllbaa32.exe
  C:\Windows\system32\Bllbaa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\Cnfaohbj.exe
    C:\Windows\system32\Cnfaohbj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\SysWOW64\Dokgdkeh.exe
      C:\Windows\system32\Dokgdkeh.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3340
      - C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        28⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        29⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        31⤵
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        39⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        41⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        47⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        48⤵
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        54⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        60⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        62⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        65⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        66⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3428
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1940
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1128
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        71⤵
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3700
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4468
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4492
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        81⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        83⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        84⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        85⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        86⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        87⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        88⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        89⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        90⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        91⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        96⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        97⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        99⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        101⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        103⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        106⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        107⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        110⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        111⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        112⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        113⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        115⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        117⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        119⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        123⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        124⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        125⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        127⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        128⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        129⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        130⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        132⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        133⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        137⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        138⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        141⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6244
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        147⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        148⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        150⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6432 -s 408
        151⤵
        Program crash
        
        PID:6652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6432 -ip 6432
1⤵
PID:6536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:6820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
52KB

MD5
2c75f9e938e933e04a52cd8bd22f9370

SHA1
86b015c7bd357ed1ecaadf60495a567146b7de3c

SHA256
c1d91a275f650243cf5a51af229e4f34d97303c2a4d6a943d335ef2aa9530583

SHA512
b534290c06cb5d0f278bbf72489189d0c8b934352642f1dbee5a3b4a2d082f7843a4d32f78125641e6c65caaac30f813919389a0c6f4ca1d4dbf73426b5c14ee

Download Submit
C:\Windows\SysWOW64\Bllbaa32.exe

Filesize
52KB

MD5
2a27d7fe44b6d156d6963181b8831143

SHA1
bcd075415ec49ef0ed4731d3c455006b2171434a

SHA256
25a347141bbdb84f3e782b38eeb5ec2de2554c0ade9668df968b374888932bd2

SHA512
295f95c5456d9f696c60d6b87a9a3dd0c739b22d329b32021499ca0a3331d204c1b86da764b2373a510ec42a5c4a14a753d6c93165e3be4f23bf111af1f27678

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
52KB

MD5
95b337309923f50d8558407008d4755b

SHA1
4132bd7106c150419ee99f5d5ebefef8a215a26e

SHA256
d1a1c8d76aca8832544cc2c3f75cd3f939b2b022083e6ddccba34ba171ac3a0b

SHA512
24edb66a7f12253f32471693e44c5a4425036fd1169ee09469a675d0d34a45bf7f6afc405ee6d06d8b26729904fe615892dc9d46e625c01be0fa5f4b92b2972e

Download Submit
C:\Windows\SysWOW64\Cmgqpkip.exe

Filesize
52KB

MD5
a169eca504bc79465abc00188e1f74d2

SHA1
970661b7cc3e2bfa4934e03e3081c27a0301869b

SHA256
9064f799a26b9519f262fef34cc3996cb54269a6a6a818e930784c0d58a3f355

SHA512
0b9a462cf751705d9a68b9388606fdcff175558228cd6024d97143390cb500f5e700818355f8f4002e06ff3929ec71b3a3da1aae6e22f3eea5a5b19db34aacf5

Download Submit
C:\Windows\SysWOW64\Cnfaohbj.exe

Filesize
52KB

MD5
0ad7989cc98305a3a1070eeb110ba724

SHA1
3277c45e7b9d74aeab710328f333687622ce68b1

SHA256
e900eb935e0f5c850e52fcef05dc9a0837104f6cb4fd211477400792bd3f0d41

SHA512
dca0b8c1f3814a5bf50d39de24f1e4fd3e6ab7eb397a6c5e917426429d5079dc090851b27edebcd78e6ab72193ce0dc5829aa153a98b9e1a5614d6fca83090a8

Download Submit
C:\Windows\SysWOW64\Digehphc.exe

Filesize
52KB

MD5
327556abbcaf70aab5b2250a51257f7c

SHA1
7444e1f3d680c91bf6d06b16b9405c5c8315b347

SHA256
bb602c872f6bc8c202caaecb82ff721179359c126ae3ef3f2b535d6c37e7ef7b

SHA512
b910b50b4071d315938b887109b3860a981016716eecdc19203c17cadb4d91a6b2daa9d7c1b8dd77fcd9758d46fd906d6298956c16a8dc5529894cb39fbc73fe

Download Submit
C:\Windows\SysWOW64\Djegekil.exe

Filesize
52KB

MD5
3340dc68231d57c53a4c60ead28e2f1e

SHA1
3a1ce6e6a30c688ab197c7e1544e5bc134367347

SHA256
4199d67b610ae3c7e09db79aeaaf448d9a77d345fb787c5ffabb801d88cade44

SHA512
5b02ff4c2804a568a9678d867276f443dfe1bec6762e05d67f2938c1520b599c770c399ea00b7650821d9ddb4f6be2514bc80246f3b3c14e91fcfff80795e837

Download Submit
C:\Windows\SysWOW64\Dokgdkeh.exe

Filesize
52KB

MD5
3f645dd3dde0f6de2a946865e83af511

SHA1
909963afed7ac90183e89faeb6961e6ceb618009

SHA256
ce6666af7ebf190934bd1ec513a64f5103b02b7fecc8bb1872458e6bac2d4fe9

SHA512
5f2bee4045e65012d8e5ac7dc8f34185144d2c0fe040f4af8e03af235e48fbcc2c197ea5317ce9c1ef7f6cefe8548020c8e8867021808eb6699f8b73cf642d61

Download Submit
C:\Windows\SysWOW64\Eifaim32.exe

Filesize
52KB

MD5
f31c655a930a83bf57558b1c429c0470

SHA1
5ec6c632b80c242748382158db6997ed866271b2

SHA256
f9a26027a8889e5f3002e770ab535758a3db7beef9c1cf0fc725c90d73bbae3c

SHA512
d209f3f88122748feb2413212a3fd964159abf5638fb6f8953ca2e041198f0f75a2a116f6659ec71c1b8854c7fdf5ad5676b63edd97da8df28039d9c5ece9c83

Download Submit
C:\Windows\SysWOW64\Eiokinbk.exe

Filesize
52KB

MD5
c92cc6e868a1f8be69f81136903ab357

SHA1
15a7353f59a834c3fc0107f4745a3e348eb017e1

SHA256
81f57a762522b73a71e72818c2c97f790723a732a0f1d617e61cd2874b5fe2ff

SHA512
43e0cb7f52976799b4eefd980b3f459fd34ba29d5738fc8dcdfdab820046bf37b7b81ebf4d8d70570740bd3fa157c6e9922e5f4c147f171210f7949054f0187a

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
52KB

MD5
41d9d40e6b9cbd7723d9693f5f61eda7

SHA1
23ccd774184083ca506b5df1812d602d277b865a

SHA256
ec296fcaf22e9e5b16120f18524d53c59cd58bf42cea27dbb9922765452b9331

SHA512
9847b21019c7f37bac9fe64f750567eea319ee902ba09613969fb32ae55b5e85c98758951e5bd3afc2c4a978c27283966b3a3fdd9bc8152a5e6ca03654200e8e

Download Submit
C:\Windows\SysWOW64\Glbjggof.exe

Filesize
52KB

MD5
4cd6ed701736f1a1e4812f2546e3cfd6

SHA1
7a75b5ccddac58ad608d3db1446daca4b56219a7

SHA256
1b61a3b7eb7363f9433ba880771cf5d88f6edeaf53d6091dd4d35f6d0c2e7453

SHA512
af1951dcc6506ae2914a00da898023e36b092ffa3329b8417e1656605e059bb1c50f7d79179a4252fffe0d23d617be9b70ab314d9387166a4507bbfd1f6bcc58

Download Submit
C:\Windows\SysWOW64\Glkmmefl.exe

Filesize
52KB

MD5
0b26325f3bacc1979e6d7698d8fa42bd

SHA1
4ebd98de7b619beda3db8a9fadb25d5416048741

SHA256
9e57ebe94a82cc059ab5cb03033ecb2a4648ecc9baa2fdf4bb315f20fd61e5c0

SHA512
827d1ddf51028ddc4b3d50d6b9ab2b5ea6b7dccd56f90e1ea5709744409b5b7c6428c1c4880f317ef65c5dd105c97b8163bfd965b03c904f45262c4604afbdcf

Download Submit
C:\Windows\SysWOW64\Hlepcdoa.exe

Filesize
52KB

MD5
857d052bcbf5d9fb5b9d68b2806d0899

SHA1
a3906fa4783f0dc7c59f1148d6192c127915ee61

SHA256
a9f78b217b6b5e355c35bdb60a6142f658116b3c51275afdabf8461a35a0565e

SHA512
fa742abb68da0b55657a0f1ca268135a499c0c737744715f7f44342869c4bc9b252abfdee2e47e63fd92a9d7fd2c403708ed566b0f07848bd0c3d50a5223dbe9

Download Submit
C:\Windows\SysWOW64\Hplbickp.exe

Filesize
52KB

MD5
580ec7e01a5819ceec1a23e55d3399d4

SHA1
cbacdb245bf56b94593414085c50c3750aa1fba1

SHA256
f61d2e2b099bf6a69a1d5e1c7d01b4ad13d77b2e1a6e7d556c4df3ef929578ee

SHA512
2b0798288054a1a8222b22ad30c46e16a12818b72ec633d8509dad3bae5319bb1a2766b13ccd8436f5a163d59f6eb7bba712297023921b614a0122dc7cdeaaeb

Download Submit
C:\Windows\SysWOW64\Iikmbh32.exe

Filesize
52KB

MD5
48ea9f022069f715209680327e4b451f

SHA1
c6b62abd7301d53c2e3b994d8bd499cc7a31a80b

SHA256
33db77bf4849f1907c911a579bfa1e9b994b6803d017ab8e7c48e03bd5df534e

SHA512
bd7542d5bf0247a1cd4bd6ee806e360787af31bc6836c59925db3542de11cf3f3398cddb8b15cef8c8bc47a02747ef242ab1ac1982bef90a71a00133b8a5ed98

Download Submit
C:\Windows\SysWOW64\Imkbnf32.exe

Filesize
52KB

MD5
a49207cbb9eeb6d690a5736e7e9f28d2

SHA1
832e84c1c1940c6c3b783c055a73a6b71140d1f8

SHA256
35b3aec38b5ffde1f648fece4be8efdc3b7faeb61b12559265032f294919105e

SHA512
52aae8ae475d6bf58a5392171c1c0be00c1d64cf960ca8dd681e941f1cae8a792e22247c70477eb703a1100814cb589210dadd0b4488822094d69e32bc01d586

Download Submit
C:\Windows\SysWOW64\Ipbaol32.exe

Filesize
52KB

MD5
7d6d47c39d9c1ee14c446b1288be6e5c

SHA1
f0a019f28d66f7188bfb5b7bd0f85f3d193ac3bb

SHA256
d4bbf68f86ac2d9ba42a0d8c67f675b360c047dbe26149c749447bade97deced

SHA512
6487e31b281e4e4ba2525786b691d3f112f8f8821acd9af7b36d0d2e12f9899de57a98063341a0fb9e5884c084f6c741a8af867db0983dc83c7c44901102e344

Download Submit
C:\Windows\SysWOW64\Jebfng32.exe

Filesize
52KB

MD5
71832f6cf467cc53417ff0506aaefb3f

SHA1
c2bc5360e8cc9a7a4e7c739b2a3581c577efda98

SHA256
7427acb65d27a2b76daa8d69e4d190df8eb13407f20b96213af78aafbadde37a

SHA512
69271bc8c3ff901daac1d1138de1bdc79bc19c58c1dda760a3252db144bbd8a6eeb42b167ba753db643b666d4aaeca58be9208e3785a7eea8c45acf26eab9f42

Download Submit
C:\Windows\SysWOW64\Jepjhg32.exe

Filesize
52KB

MD5
ababee16d5e43737ed1a0c6964320490

SHA1
11f772250ddb8e3803673fa9fc4c87cc7118586a

SHA256
051be0074842f91d202e6f5ccce8f82f4fd6e6bb7e0bcb1d2a86475267253045

SHA512
5e74dae65d3bfcbec46a799b4de998051f83a67d995bebad737a716c8ab619115db1337268ee0cb632ee6596874ae28ff6c12f1c99622cd3c030852c6a3bc06c

Download Submit
C:\Windows\SysWOW64\Jnlkedai.exe

Filesize
52KB

MD5
243ab05b40a6c79c59a3491f9237ad73

SHA1
19178651b86dbee0e52d7ebaedbb39d68ca62b25

SHA256
ce12440bfff64514d443f26c375270b7cc4f204d306d262ec015de3b48005f1e

SHA512
6eaae3d3efc7eb1088dab3f3d4cf73ef4b8e59a24206acb11d08075b742e3ec74f714766056a2f8200272a09884d6be206577bd9bde60fa333080f3680219281

Download Submit
C:\Windows\SysWOW64\Joahqn32.exe

Filesize
52KB

MD5
843f8c3c67785e7e155403d724f9e5e1

SHA1
a084f19815556c141c3b8e6d34bcfcdf38e06fe1

SHA256
88c2d6ea86e62db400c56e1617a06bdbab1b94f2feee754b3820170b70d2fcaa

SHA512
745c36f4c143966a8b52e0134683d9b93e29079d4c91205355e5393c12f90b81547a7fb86eccc75f2e852c014545af02a6b92e85dcf1cb494737186e2b71b804

Download Submit
C:\Windows\SysWOW64\Kcbfcigf.exe

Filesize
52KB

MD5
1fad0800bfc0c8e84feaf385aa1da896

SHA1
eb223a343d5130ae4b1e7d8d36eb49f6f97bc361

SHA256
3400fa7b587e5f9fb1ccfdbd533d1b9e24afbfba61335559fd1cf16f9511d6e0

SHA512
e9bc41568d598c44518b3057f95974937cfd705ddc34b7fba83f087e3c37ab4754a5a6c705f08f822979d03947e16ec2445210ea8aa231e77d8f7503d96071f6

Download Submit
C:\Windows\SysWOW64\Kcoccc32.exe

Filesize
52KB

MD5
f75c1a246feaccd1c1e21e9f7ce73083

SHA1
efc9c180d001838eb4633e98f90164d507b54a67

SHA256
3314e89c7cff63d589a9a1dee1a5a1c2973e8faac864a825de774ad03f70ab68

SHA512
96d53e184123a3d517cf59dd3af3b5e02568d054024091b658a9647a2c7e0eda82a7004722e5abf4194b1a71b3ba9496958c2c13d6b6d43ef528c09a66f1a965

Download Submit
C:\Windows\SysWOW64\Keimof32.exe

Filesize
52KB

MD5
6d64a671c571b7d1105ab0e6411c458b

SHA1
979282a78130a3f931348cc664602e56257795a1

SHA256
9c424203e03759ccecd7b114b829b8721b251aef57c81c03b4afd692b66aadfd

SHA512
de61dfa4ea06e2ea9aa34df205c291af4225896e025f26d13d3fd8db82317924d7ed486980980af766cb0ec2b56806cb24a55c6d89d4b1f99a64d4c11483080b

Download Submit
C:\Windows\SysWOW64\Kheekkjl.exe

Filesize
52KB

MD5
702cd441fbb91b765cb9ae26d3196a68

SHA1
ee8f21a830821ce480dce97aeaecab838fe00901

SHA256
9842ea7198dd55cfd07ed661cda72bfdd8ca170704537285acd3cc5486df7901

SHA512
35c540f2f3a3b39278654d10ec784ec76427af83fdc1dd410be99d4e0e687cb00e249f4960078255455433dbfc55d7aa05724b46dd46d3dac9266adf399af9b9

Download Submit
C:\Windows\SysWOW64\Lfjfecno.exe

Filesize
52KB

MD5
af60f04ad138f940b05b72e9e007850b

SHA1
2a1d071160c8d2ee7d3839e52225bc29d8cee635

SHA256
d73a66f28b3b5c3ac85d978284bdd94c08840340cc5d20070751ecb6686b8db7

SHA512
9f6cd6a3be4464e9b5d0d1335079c1acf474f98f5df4ac8863da58a659a8b64d2da97c686918c7f2a79b5942803e1565ad51a8104cdb802871a268109013a192

Download Submit
C:\Windows\SysWOW64\Lgbloglj.exe

Filesize
52KB

MD5
133f5473a6215785e9e0d515674dca3b

SHA1
b544dbaac3cc84b8579910294c16769cf785a774

SHA256
b6f32ab0a0c41fb5f09b3c07007896df5d5e21063f293902d667242d32f2a857

SHA512
79ee9abdeed9da712a2b1aa4b99f4dc855b9b46d5239bec7d55d4c9ea3c354b5d5180afecdbc4e5c0b51f217df6d051f4e11c27708a3916b79bd336ae67afff1

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe

Filesize
52KB

MD5
8d7f823b0eaabc406876975733be5915

SHA1
2a37ecacd33eb7a8050ad88f68ad21b4177e322d

SHA256
bd78a2790e989792f4596a95f01b8155c0b5ff4ab9a7560b132ed4c62f08a31f

SHA512
7113ce45d14b27bd6ff9600cb8b24c6fc39322152f705fbbb10295ac46e149601efe2f12b4532bc1f428256745b021efee45622d3e652380bc1bf415b6e412a7

Download Submit
C:\Windows\SysWOW64\Modgdicm.exe

Filesize
52KB

MD5
6dffc190fae5415580e485e392d9979d

SHA1
a7790e44bc59c4bc3439cac378b5779156a425e5

SHA256
a8059cd9d4733d76eed2cdd968db8b1ce4c9173f46ebe44677be2895d241292e

SHA512
5e5bc816d903f91287318184c2be340e5875a367346a4e9873801ebdb8fd92c4296ac5f23c9dbc6c77deebab3bbf8180c6ce1b2a4c1e3def334bb171421f6329

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
52KB

MD5
412d14fc2c45db4484bffcf79bad1924

SHA1
3c6cd91ff9df00c124237459b71412303a8dc3b7

SHA256
5662381987ea4a6baf1f94a081610ba4d5157764718e164877496f203bde360c

SHA512
da770b671bc93da40187485066c720638b165916d562b1e8a11139b6557e363a7664dcfd84fa8552bf480109ecbc0163de2fdb496d97f4fe4fc0dac929eb6160

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
52KB

MD5
143b34b421fa11f5b94254cbe112c07c

SHA1
edd18ad42f75573763b5e8c319e799fc030fe38e

SHA256
2162f1b9c66d0cebd81e9c478a3d714033f34168c9657f6c6e4f3f346dbafba7

SHA512
5c5e865e1b8768cdec0cfccb9b80025a80049e697768c02bfa54b2a822a556a8cf370c85b46676d1fe494ecfed69bd4a1baf769512d057c8e2b9e28af4490e7e

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
52KB

MD5
a61baa93ee72253184f0e4a356d5a6d3

SHA1
3bf509ce18d77b423ec98a44521a6cf5519c9114

SHA256
06356571c925d542dd67a7e2b7bd95dade88a630ea2236d5d831fc76658a1727

SHA512
d8cb1afe9c20969391b338c65e58ce6fbb896909225658ca86420c9b9d84afec6734ead372a1d414f76a49988d5897fac7e62f11d6bf0551803e2c58f586d13a

Download Submit
C:\Windows\SysWOW64\Nmdgikhi.exe

Filesize
52KB

MD5
c8a6d7c6bc940d39badd7443bf3b36ae

SHA1
56d848dcdda12913e5c06318a3099e0137d7329f

SHA256
da1d0a5e1dfb474298f7c3ee8cb27121efdbd233da89b3a2dd41f593e2afe770

SHA512
ab918bcafbbb6d53333eb3c5a1d028ef932ecab1807c3b074db5c1f7fc665c213bdc8711665e80e464f83d7c608b5003e572d40938847c4b75150884ad91143b

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
52KB

MD5
6514fac0ce994b60f91a658cef96d46f

SHA1
4374be4573200c3048139e1f5183cd51f7192258

SHA256
b5340ff1dc19c3cdd72cb5fe57826af63a9a359c673d69f3b2d5a3e90aa5ba70

SHA512
859d18075b146d4852302e731744ec311be85477035a07c8077c60b95ed722e383d5c0c4baaacd0d041dddb4f267ae9ae2e1d4ee35b0851aaf2f3f024a2c2ed2

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
52KB

MD5
ba0d639f115915783843479fa00adb54

SHA1
f8d41ec2ad6a7c2689459b545d71dcba94a19daa

SHA256
bec2687ddd7179013603bfb1c662b17b899b882686b1b478571c1131bba04641

SHA512
987a0af1236a43d40fc4275af332b50530944996fff6759360545bd62dab493d5b5a8178a5ec39b2f6ac6670ef1900bfcda69ff2d99c85348b689edc9c1e0242

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
52KB

MD5
c7e592710047cd1794d0e20fdac2ce13

SHA1
c53efbc26cea13621385f9303db99efad4a7b070

SHA256
56aa4708377e1aeffdcf4835502fb797c80721952afc3d138a03e2d2704233bf

SHA512
425c18dab5223c07e3501ce9bdad48bd01e537e1336475acd134258420a57c573ba3589262da8857b75680ec1b8deafd3cece7fb02b8d47540300e31cca78aa5

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
52KB

MD5
e645949849360e09967f8debc01b30ff

SHA1
0446324008b454791aefb0b1829926352c3abf3d

SHA256
d79cd931e178974c3663677694c7b0e8263d30df815346d3f11b0ae9a1b148c1

SHA512
30589cd225a0f3ac9c3fa43b8d6f9d7ad79fb0612840543cdffbffc0c561109c2bdf8f0efe5e9dbf6ec7015104f78497c67d16b757c5c6113a3bb488efd97cb4

Download Submit
C:\Windows\SysWOW64\Piapkbeg.exe

Filesize
52KB

MD5
b720028bc75bccb8fbfc2223c87da256

SHA1
98fbdd35bc11d8d9682a000df8133aba364279fc

SHA256
7e33a28d7548827436af8a40f4679c69e063c4b37c6c71bab1e186745f1d41bc

SHA512
f70c42f439ac14941ecd90f8084a64e9a8a7c4d0fda566336ff30ef0eaf25f17296a73fa0e315c6b5d516525fe2e2be221e0d09973e88f529fe439615e1bfb16

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
52KB

MD5
745a6e5a3da7f416ee86445c36630c10

SHA1
f1a612d931cd62f596d8f2eda122cc0ac9ffe900

SHA256
a8679a771440d234cff93ee02e4e3c8a141bc8e02144d34b50bd0baa60a082ce

SHA512
3a69a87829ba4f6ab19ed69d8bd3dc594f37ab953ac599aab58d98878ca170716575d2eb1847ccb4a883d2027d40d16c3b87aaed3d2a0136682b9cf71b256e88

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
52KB

MD5
53b7821bc99337c82ed85c72040775b7

SHA1
f1aff032a99bb5ab9e8c76a49b13f2507b8b43fe

SHA256
f58714f61c1e85d0524610e46b02ec44752d9618f50b4bf39895e5a8085f1042

SHA512
58e098ae78d065cc6bf2d18078ff44ee44705cffc7677292517652657257db21522243f1b1bef7336fe741d544a7823b8eafdb18808b7cbd6a686a18cfa581f3

Download Submit
memory/368-193-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/368-675-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/404-458-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/404-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/488-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/488-413-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/552-357-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/744-342-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1160-72-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1160-445-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1164-553-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1164-120-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1188-375-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1204-685-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1204-209-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1336-419-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1372-143-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1372-586-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1468-388-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1548-439-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1600-95-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1600-495-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1652-394-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1652-47-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1660-732-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1660-248-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1676-87-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1676-477-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1780-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1780-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2316-275-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2344-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2344-311-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2420-395-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2496-451-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2520-318-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2532-325-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2540-337-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2540-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2676-427-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2728-593-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2728-151-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2940-382-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2952-712-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2952-233-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2960-401-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3084-127-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3084-560-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3156-420-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3252-619-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3252-168-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3312-175-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3312-644-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3328-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3328-691-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3340-31-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3340-356-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3408-433-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3412-269-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3460-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3460-567-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3464-281-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3672-293-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3708-331-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3784-651-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3784-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3800-39-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3800-369-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3964-350-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3992-103-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3992-515-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4292-299-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4376-684-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4376-201-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4440-344-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4444-534-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4444-111-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4480-376-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4568-407-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4588-312-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4608-452-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4612-713-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4612-240-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4704-612-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4704-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4712-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4712-324-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4732-63-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4732-426-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4844-287-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4848-305-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4928-263-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4952-363-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4964-257-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5104-700-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5104-224-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5616-1052-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5636-1056-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5656-1053-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5824-1054-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/6244-1049-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/6348-1047-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads