4393f53641b1ef00971c1f7e0da83e728ba9daeb9789a27b5fe3bfe0243b634c

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 21:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4393f53641b1ef00971c1f7e0da83e728ba9daeb9789a27b5fe3bfe0243b634c.exe
Size

156KB
MD5

74954118040832d568c02d4d50f20fd4
SHA1

b82a59e71557da5e72918ce0549031eecf2eb596
SHA256

4393f53641b1ef00971c1f7e0da83e728ba9daeb9789a27b5fe3bfe0243b634c
SHA512

a45ddb2b2fba8645b0dd9361073a436fb45ccb38e9c8378304f6417a206d0c8c124a4a1850b9bab68ff38c89c816ada2738e56b7ad74c9a521e3070d4b086d8c
SSDEEP

3072:ltFhgfn9HagzPt7ch0NJ9IDlRxyhTbhgu+tAcrbFAJc+RsUiM:l/hGzt60NsDshsrtMsC

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhboolf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glhimp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaiqcnhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgphpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edeeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afcmfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmhijd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afcmfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnegbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggbcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnknafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fohfbpgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnegbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieagmcmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amikgpcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfjkjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coegoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqncnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hedafk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khiofk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqjbddpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egohdegl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igfclkdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnnccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jppnpjel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlljnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihbponja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmdcfidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajaelc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe

Executes dropped EXE 64 IoCs

pid	Process
1708	Ffnknafg.exe
3444	Fpimlfke.exe
2172	Fpkibf32.exe
1996	Gidnkkpc.exe
4048	Gfjkjo32.exe
4928	Gmdcfidg.exe
2152	Glipgf32.exe
1596	Gimqajgh.exe
220	Hedafk32.exe
3708	Hbhboolf.exe
4408	Hffken32.exe
1076	Hifcgion.exe
1424	Hpchib32.exe
4984	Ibcaknbi.exe
1684	Iomoenej.exe
3888	Igfclkdj.exe
2532	Lgdidgjg.exe
2812	Mnegbp32.exe
3272	Mgnlkfal.exe
3052	Mgphpe32.exe
4840	Mfeeabda.exe
2348	Mfhbga32.exe
4108	Nfjola32.exe
4372	Nncccnol.exe
4644	Nadleilm.exe
972	Npiiffqe.exe
4364	Oaifpi32.exe
3420	Ompfej32.exe
3524	Onapdl32.exe
2100	Ofmdio32.exe
1292	Opeiadfg.exe
4428	Pccahbmn.exe
4888	Pagbaglh.exe
2976	Pmnbfhal.exe
4628	Pjbcplpe.exe
3732	Pdjgha32.exe
4920	Pnplfj32.exe
2256	Qfkqjmdg.exe
4508	Qdoacabq.exe
3100	Qacameaj.exe
636	Aphnnafb.exe
4388	Amlogfel.exe
2504	Agdcpkll.exe
2644	Amqhbe32.exe
3572	Aopemh32.exe
2856	Bobabg32.exe
1772	Bdojjo32.exe
1336	Boenhgdd.exe
2412	Bdagpnbk.exe
4244	Bogkmgba.exe
1248	Bphgeo32.exe
5068	Bhblllfo.exe
4772	Cdimqm32.exe
1960	Cammjakm.exe
2004	Cgifbhid.exe
452	Cglbhhga.exe
2252	Cdpcal32.exe
4348	Coegoe32.exe
3364	Cgqlcg32.exe
732	Dpiplm32.exe
2876	Dojqjdbl.exe
1120	Dolmodpi.exe
2832	Dggbcf32.exe
4168	Egohdegl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ffnknafg.exe	4393f53641b1ef00971c1f7e0da83e728ba9daeb9789a27b5fe3bfe0243b634c.exe
File created	C:\Windows\SysWOW64\Epoaed32.dll	Dolmodpi.exe
File created	C:\Windows\SysWOW64\Nmhijd32.exe	Nfnamjhk.exe
File created	C:\Windows\SysWOW64\Eiacog32.dll	Jaonbc32.exe
File opened for modification	C:\Windows\SysWOW64\Ojnfihmo.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Jlmmnd32.dll	Lhgkgijg.exe
File opened for modification	C:\Windows\SysWOW64\Mjnnbk32.exe	Mljmhflh.exe
File opened for modification	C:\Windows\SysWOW64\Nbebbk32.exe	Nmhijd32.exe
File created	C:\Windows\SysWOW64\Mldjbclh.dll	Hlblcn32.exe
File created	C:\Windows\SysWOW64\Kocgbend.exe	Khiofk32.exe
File opened for modification	C:\Windows\SysWOW64\Legben32.exe	Ljpaqmgb.exe
File created	C:\Windows\SysWOW64\Fohfbpgi.exe	Fbdehlip.exe
File created	C:\Windows\SysWOW64\Gmefoohh.dll	Feenjgfq.exe
File created	C:\Windows\SysWOW64\Ebdpoomj.dll	Ojcpdg32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgkan32.exe	Ommceclc.exe
File created	C:\Windows\SysWOW64\Defgao32.dll	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Aphnnafb.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Jppnpjel.exe	Jaonbc32.exe
File created	C:\Windows\SysWOW64\Nfihbk32.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Khgbqkhj.exe	Kcjjhdjb.exe
File opened for modification	C:\Windows\SysWOW64\Oihmedma.exe	Obnehj32.exe
File opened for modification	C:\Windows\SysWOW64\Lljdai32.exe	Kcapicdj.exe
File created	C:\Windows\SysWOW64\Onapdl32.exe	Ompfej32.exe
File opened for modification	C:\Windows\SysWOW64\Aphnnafb.exe	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Ijcomn32.dll	Loacdc32.exe
File created	C:\Windows\SysWOW64\Mlljnf32.exe	Mjnnbk32.exe
File created	C:\Windows\SysWOW64\Aknhkd32.dll	Fpkibf32.exe
File created	C:\Windows\SysWOW64\Jjjojj32.dll	Nfjola32.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Jaonbc32.exe	Jlbejloe.exe
File opened for modification	C:\Windows\SysWOW64\Johggfha.exe	Jeocna32.exe
File created	C:\Windows\SysWOW64\Mjpjgj32.exe	Mcfbkpab.exe
File created	C:\Windows\SysWOW64\Cdmoafdb.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Gaagdbfm.dll	Onapdl32.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Ocoick32.dll	Gbnhoj32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcikejg.exe	Ppnenlka.exe
File created	C:\Windows\SysWOW64\Ajaelc32.exe	Aaiqcnhg.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Biepfnpi.dll	Ihbponja.exe
File created	C:\Windows\SysWOW64\Mjjkejin.dll	Jeocna32.exe
File opened for modification	C:\Windows\SysWOW64\Fpimlfke.exe	Ffnknafg.exe
File created	C:\Windows\SysWOW64\Coegoe32.exe	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Pbhgoh32.exe	Pafkgphl.exe
File opened for modification	C:\Windows\SysWOW64\Bphgeo32.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Eegcnaoo.dll	Edeeci32.exe
File opened for modification	C:\Windows\SysWOW64\Nfnamjhk.exe	Nodiqp32.exe
File created	C:\Windows\SysWOW64\Bcidlo32.dll	Cajjjk32.exe
File opened for modification	C:\Windows\SysWOW64\Hpchib32.exe	Hifcgion.exe
File created	C:\Windows\SysWOW64\Lmnbjama.dll	Pjbcplpe.exe
File opened for modification	C:\Windows\SysWOW64\Mljmhflh.exe	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Fkfcqb32.exe	Fbmohmoh.exe
File created	C:\Windows\SysWOW64\Lipgdi32.dll	Gnnccl32.exe
File created	C:\Windows\SysWOW64\Ajdbac32.exe	Adjjeieh.exe
File opened for modification	C:\Windows\SysWOW64\Onapdl32.exe	Ompfej32.exe
File created	C:\Windows\SysWOW64\Pnplfj32.exe	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Cepjip32.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Bobabg32.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Bdojjo32.exe	Bobabg32.exe
File created	C:\Windows\SysWOW64\Dpiplm32.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Begfqa32.dll	Eqncnj32.exe
File opened for modification	C:\Windows\SysWOW64\Feenjgfq.exe	Fohfbpgi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5568	7088	WerFault.exe	287

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkfcqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahhjomjk.dll"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4393f53641b1ef00971c1f7e0da83e728ba9daeb9789a27b5fe3bfe0243b634c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hedafk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hifcgion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieagmcmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnlkfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaokcqj.dll"	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkoiaif.dll"	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepjip32.dll"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edeeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalceb32.dll"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll"	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oondonie.dll"	Eohmkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimngjie.dll"	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgdqf32.dll"	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfjkjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibcaknbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcglo32.dll"	Jppnpjel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dggbcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giecfejd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Halhfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfmfefni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaifpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ompfej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glhimp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaagldf.dll"	4393f53641b1ef00971c1f7e0da83e728ba9daeb9789a27b5fe3bfe0243b634c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdaih32.dll"	Kocgbend.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofljo32.dll"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obnehj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkeml32.dll"	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnknop32.dll"	Joekag32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 1708	8	4393f53641b1ef00971c1f7e0da83e728ba9daeb9789a27b5fe3bfe0243b634c.exe	89
PID 8 wrote to memory of 1708	8	4393f53641b1ef00971c1f7e0da83e728ba9daeb9789a27b5fe3bfe0243b634c.exe	89
PID 8 wrote to memory of 1708	8	4393f53641b1ef00971c1f7e0da83e728ba9daeb9789a27b5fe3bfe0243b634c.exe	89
PID 1708 wrote to memory of 3444	1708	Ffnknafg.exe	90
PID 1708 wrote to memory of 3444	1708	Ffnknafg.exe	90
PID 1708 wrote to memory of 3444	1708	Ffnknafg.exe	90
PID 3444 wrote to memory of 2172	3444	Fpimlfke.exe	91
PID 3444 wrote to memory of 2172	3444	Fpimlfke.exe	91
PID 3444 wrote to memory of 2172	3444	Fpimlfke.exe	91
PID 2172 wrote to memory of 1996	2172	Fpkibf32.exe	92
PID 2172 wrote to memory of 1996	2172	Fpkibf32.exe	92
PID 2172 wrote to memory of 1996	2172	Fpkibf32.exe	92
PID 1996 wrote to memory of 4048	1996	Gidnkkpc.exe	93
PID 1996 wrote to memory of 4048	1996	Gidnkkpc.exe	93
PID 1996 wrote to memory of 4048	1996	Gidnkkpc.exe	93
PID 4048 wrote to memory of 4928	4048	Gfjkjo32.exe	94
PID 4048 wrote to memory of 4928	4048	Gfjkjo32.exe	94
PID 4048 wrote to memory of 4928	4048	Gfjkjo32.exe	94
PID 4928 wrote to memory of 2152	4928	Gmdcfidg.exe	95
PID 4928 wrote to memory of 2152	4928	Gmdcfidg.exe	95
PID 4928 wrote to memory of 2152	4928	Gmdcfidg.exe	95
PID 2152 wrote to memory of 1596	2152	Glipgf32.exe	96
PID 2152 wrote to memory of 1596	2152	Glipgf32.exe	96
PID 2152 wrote to memory of 1596	2152	Glipgf32.exe	96
PID 1596 wrote to memory of 220	1596	Gimqajgh.exe	97
PID 1596 wrote to memory of 220	1596	Gimqajgh.exe	97
PID 1596 wrote to memory of 220	1596	Gimqajgh.exe	97
PID 220 wrote to memory of 3708	220	Hedafk32.exe	98
PID 220 wrote to memory of 3708	220	Hedafk32.exe	98
PID 220 wrote to memory of 3708	220	Hedafk32.exe	98
PID 3708 wrote to memory of 4408	3708	Hbhboolf.exe	99
PID 3708 wrote to memory of 4408	3708	Hbhboolf.exe	99
PID 3708 wrote to memory of 4408	3708	Hbhboolf.exe	99
PID 4408 wrote to memory of 1076	4408	Hffken32.exe	100
PID 4408 wrote to memory of 1076	4408	Hffken32.exe	100
PID 4408 wrote to memory of 1076	4408	Hffken32.exe	100
PID 1076 wrote to memory of 1424	1076	Hifcgion.exe	101
PID 1076 wrote to memory of 1424	1076	Hifcgion.exe	101
PID 1076 wrote to memory of 1424	1076	Hifcgion.exe	101
PID 1424 wrote to memory of 4984	1424	Hpchib32.exe	102
PID 1424 wrote to memory of 4984	1424	Hpchib32.exe	102
PID 1424 wrote to memory of 4984	1424	Hpchib32.exe	102
PID 4984 wrote to memory of 1684	4984	Ibcaknbi.exe	103
PID 4984 wrote to memory of 1684	4984	Ibcaknbi.exe	103
PID 4984 wrote to memory of 1684	4984	Ibcaknbi.exe	103
PID 1684 wrote to memory of 3888	1684	Iomoenej.exe	104
PID 1684 wrote to memory of 3888	1684	Iomoenej.exe	104
PID 1684 wrote to memory of 3888	1684	Iomoenej.exe	104
PID 3888 wrote to memory of 2532	3888	Igfclkdj.exe	105
PID 3888 wrote to memory of 2532	3888	Igfclkdj.exe	105
PID 3888 wrote to memory of 2532	3888	Igfclkdj.exe	105
PID 2532 wrote to memory of 2812	2532	Lgdidgjg.exe	106
PID 2532 wrote to memory of 2812	2532	Lgdidgjg.exe	106
PID 2532 wrote to memory of 2812	2532	Lgdidgjg.exe	106
PID 2812 wrote to memory of 3272	2812	Mnegbp32.exe	107
PID 2812 wrote to memory of 3272	2812	Mnegbp32.exe	107
PID 2812 wrote to memory of 3272	2812	Mnegbp32.exe	107
PID 3272 wrote to memory of 3052	3272	Mgnlkfal.exe	108
PID 3272 wrote to memory of 3052	3272	Mgnlkfal.exe	108
PID 3272 wrote to memory of 3052	3272	Mgnlkfal.exe	108
PID 3052 wrote to memory of 4840	3052	Mgphpe32.exe	109
PID 3052 wrote to memory of 4840	3052	Mgphpe32.exe	109
PID 3052 wrote to memory of 4840	3052	Mgphpe32.exe	109
PID 4840 wrote to memory of 2348	4840	Mfeeabda.exe	110

C:\Users\Admin\AppData\Local\Temp\4393f53641b1ef00971c1f7e0da83e728ba9daeb9789a27b5fe3bfe0243b634c.exe
"C:\Users\Admin\AppData\Local\Temp\4393f53641b1ef00971c1f7e0da83e728ba9daeb9789a27b5fe3bfe0243b634c.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\SysWOW64\Ffnknafg.exe
  C:\Windows\system32\Ffnknafg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\Fpimlfke.exe
    C:\Windows\system32\Fpimlfke.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\SysWOW64\Fpkibf32.exe
      C:\Windows\system32\Fpkibf32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        27⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        31⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        34⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        39⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        42⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        43⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        45⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        48⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        49⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        50⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        52⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        53⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        56⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        66⤵
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        68⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        69⤵
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        70⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        72⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        73⤵
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        74⤵
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        76⤵
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        77⤵
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        82⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        83⤵
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        85⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        86⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        88⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        89⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        90⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        91⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        92⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        94⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        95⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        96⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        98⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        100⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        101⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        106⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        109⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        110⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        111⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        112⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        114⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        115⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        117⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        118⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        120⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        121⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        122⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        123⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        124⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        126⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        129⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        130⤵
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        131⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        132⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        133⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        136⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        140⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        141⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        142⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        145⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        147⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        149⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        150⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        151⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        156⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        157⤵
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        158⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        159⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        161⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        162⤵
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        163⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        164⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        165⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        166⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        167⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        168⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        170⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7012
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        173⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        177⤵
        Drops file in System32 directory
        
        PID:6220
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        178⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        179⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        180⤵
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        181⤵
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        182⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        183⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        184⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        185⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        186⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        187⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        188⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        190⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        191⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        192⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        193⤵
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        194⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6820
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        197⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        198⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 400
        199⤵
        Program crash
        
        PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7088 -ip 7088
1⤵
PID:6380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:7792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
156KB

MD5
87fe69a1b2e3814d1b196976884b3aeb

SHA1
c3f110012b2507fca0de57d1455ef9d45c565891

SHA256
13707a95a4efc480867504726743a0d266eececec965d096ddef8ea4232fae0d

SHA512
f75f3ff38e43fb116e4252f4e0981504c7ba467c44bd050444af0f991e082f3f53d25a7d831da77a75e65a75f38716899463f686153f2b47e37785ea63250f7d

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
156KB

MD5
9d7224a8f0430e91b47af237e757ea88

SHA1
44ecd7801692be4d920a155f94743f09413dd350

SHA256
3e2eef8708bba39232639dcb5a66b5ceff1676c72cb589800b3d168ad3848abd

SHA512
c452b2979d4ef7c4df58a1eda653c23ce38b5ce772b8e7dd39e271dbc944695576ec75052cc5229ebb5cbaf7f7b3bfd737f61f199703e4f20d074ed1f5e7a9fd

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
156KB

MD5
39b143f6bf67fd6cd3004e2f5752cc7b

SHA1
14cb0eb8ce6a6e0357b8fc897730c790dd320199

SHA256
a83b8ee20617f7ee2e41e926f1197fa65e5427686be0c1038d9aa9a808cde460

SHA512
218c976615cac35740b9d72a21a3359415fd9d932ebce6c8b146f3eb5758e276617914d656c13d3e35960607b8c1a13ae21801902f1d40cf90049648128844c7

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
156KB

MD5
74e24a10a0052c119d727a5184ead697

SHA1
c19f465d88292ca40df0d66e9aee31a9726381b4

SHA256
7f24153592c40adf30e323fe5c2aaada8d906a458091e2a8addf568024a6cab3

SHA512
e5b1dc081dae6934b10fea1845d922160f3b0b13cab65f884401ade51413612c2bfb0a40b7a38d5b24207fc166870c66faacadefe4ff0c2871c477817ef2f2ff

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
64KB

MD5
1501c8900985780253ae1d0899f67a00

SHA1
744d079da67250b21346f86ad455717a409b10ad

SHA256
1e6476322b6b58130de4e1aeb38dff7f6fef048130645fae9ea63c12794ca850

SHA512
9d9c101f84e55b252f012740cb4768f0049b7253721c4c753880e1999f8e5468a6f721088a7afa405fef9f5036fa335d88eb93576fcb559b082c91240e852012

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe

Filesize
156KB

MD5
f99671160e3698f9da492e09b9482c76

SHA1
03e9b0a9896341d4ceaaffdebfa16527e5191e71

SHA256
9e4a630f4c4bc6648d751f9e387bedee99ef117a7d758f1ce6e2a7d348df840f

SHA512
bfa368db90b3d2af7e6ced81706c685d682bcfb84a10188b0f10c1263ec947494044038d68a4e86432173122e5552dbe61b9fd468cf466f885c9c4754603cd3d

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
156KB

MD5
5d941628d161225a2e74ab21c5ceffd7

SHA1
889db2214f23b19e7c3727eb2648e0c9805fb0df

SHA256
70acacc7a8f85cc92a2eaca36c8178a606e3f55b5550c74dc6720d143c3ad36a

SHA512
c512bcaa21e1cd4aa313e82ce1fb2bcc62de4b37386def7befd66107141d9569685dbf224f3635dae25881e1270b997f0639ba9b7fe18192536e34205fcb0c53

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
156KB

MD5
d16af640f0d946534134ff5bbef5427d

SHA1
5ad134719b8d47344dd0ef15a39a6a0925573010

SHA256
cd3620245aa4defb95e923feb88ebc70c284477e2b2d9eebf6d76748d97d6a47

SHA512
3860dabbddf33260eb6953890549cd39c498b2f41ba40034993fa5439adabeae5c4a4bd250d72ee1ed3e01b1016ffd57ae42cba18bc457798da330ab31b6c603

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
64KB

MD5
65691e194032485e4d22912e64da4713

SHA1
a933d2028756c67345519ae14f04540caeba4f5e

SHA256
5a4c6a24771a18610739cae0e0c9f24d3cd7c2077f7958f08a6a1f3fdabb7f89

SHA512
b3bcd921db84e9d5cf21a7cbd40f19b69105724fec0c13cb27da8f036ac5ab6be40df53a481ee72b181464fcb17a64d436307ddbcfd96a04fc0e3c7f58d466ac

Download Submit
C:\Windows\SysWOW64\Egohdegl.exe

Filesize
156KB

MD5
c210353a04e8c65ecf4e8a49d7dc820f

SHA1
6fb0013bd721e78a5227f0c4b302622d70e6255d

SHA256
477c8054f6fcbe002021c52231cae9aecfe65396e7c18678172cd398429b6343

SHA512
6c16b3a61116e706b6f77141939be240b3c4a5bb4dc2fbf08913451884305968ced9a7bf63051d8e6e3445a20a866f55947ece1381cd4dfd315df596a9a8b1f7

Download Submit
C:\Windows\SysWOW64\Ffnknafg.exe

Filesize
156KB

MD5
a3cf5fe06a06438485fa564a8fd37418

SHA1
ff2f10a047c383c78b4f1e90d61d1dc52674ea7e

SHA256
a084484c93645df319db84f90d3e2547cb10cc1cc90cc1fbd2088640a50655ae

SHA512
0a366c352cf54336dd5ad2e5bba71e2205f976d0cbb74c5f99f613393a63c2d97eb7f92db1fe290a254b54e93abeddd692e28caeb09d0bbcb7267bc627f2480f

Download Submit
C:\Windows\SysWOW64\Foclgq32.exe

Filesize
156KB

MD5
6c59965a9c2a2ba568f1c759b33ee8d9

SHA1
39818c9244d3d217458e4622af5539702eed3508

SHA256
f9057f40ff64aad162796c4d6a46826ba3ea74e235672a0849d95f3b2b8068ff

SHA512
eef64b81135a6f9588a70c0c7df261be95e86d8789aa91f8acef451fbbafc346e8e74b2ee428687a2acff4479a5beb69e809de875a84a8a69ca37b52c49d5739

Download Submit
C:\Windows\SysWOW64\Fpimlfke.exe

Filesize
156KB

MD5
efd06c882eb8f98ad0e24b773cf251d6

SHA1
a12fdedeea2f456e826041c73f3568dd4fbccc2a

SHA256
32d119a55d6ab6cc826d26b49dae035bd948c0d36e13e0ede95389099e638391

SHA512
3d33c8c13f0643c351aad4571cfae52e33aca3822c9d55ad2ad31ef1f70597a17de5edd4f4c6ff0c894cd863f2a74da14f29d126bc2d74a03a62132368d651f3

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
156KB

MD5
865619e70d98ea130bb0dc54a7a07d53

SHA1
205fa7334d12da69d9186ab4a9ce3d40ec0bf993

SHA256
34b87ad158f45e47cefa12ca06e0b6d38fece18292add13eb276a3bfa51f6216

SHA512
6b91d247b64f27f38b8ff2a41207d657086432522be93e3d39bf6a357b6448868adb0af5894dc97fde1e8190e79d94c0f82e0ff72017e03f6dafbe20dec27eb6

Download Submit
C:\Windows\SysWOW64\Gfjkjo32.exe

Filesize
156KB

MD5
9fcdc3e0effb455add75cee483668f90

SHA1
cd4e2dc412a1f87080f8056cce085bb08fcefba1

SHA256
a007d0e439e33b67470a5a5381394653e0c0ce6bd8594a09172468fc421e97a9

SHA512
3b8c09b7f3347b467028fabe29e51d591081badba1b208e07008b90bf916b0ea1e0ca7b365652fe85e1c92b5b6a5654be9402d3524cbd99bc7ded87e96eb735c

Download Submit
C:\Windows\SysWOW64\Gidnkkpc.exe

Filesize
156KB

MD5
b9334ee6ffc3e6ce9115afeb0dd07bda

SHA1
b1390b43281b288cd49a6ac850a826fe631c4d9f

SHA256
4dfb39e74c6439a53939e25e7986157dc849211c666f389b6ee7c10ce8a26100

SHA512
e0d245a934395562a4efba57fb0961d90fd22d673e7a2dd6eb95dbfa6d10af118c117f3fcb265471935e783e8415a969e11d9bef3fc8f45513a7666ee309b783

Download Submit
C:\Windows\SysWOW64\Gimqajgh.exe

Filesize
156KB

MD5
5d4f2d916f58d438de23e38944bd80b4

SHA1
bdfe95f01c7f613aea50f8b04b7086d76c4378c5

SHA256
c13bca5ddabdec7c001d827e0a3ca4397e05042564ab9a7a5c52947148287203

SHA512
4265a340bbc513c5d469abfee65b897d856cb14b06fe6302e807fa69b59c25eb0df41e0c2347b2309a25b6f4249d3c251e5b481b6d2693d0b25947126a935f7d

Download Submit
C:\Windows\SysWOW64\Glipgf32.exe

Filesize
156KB

MD5
ed7c0d73515ac8cb4b34946fa6ce720f

SHA1
c8380b41509c6381ac176cfca669925d56ab3937

SHA256
a0f8ae30d1ea70ff7a62f0c06ebbc833593932f04c344457df381eb2b58ced33

SHA512
9a5e5c5b37eacbe9863644056601c4b8bb970b1cd47632411e7db26e6eecdd7d7009fcf4f5522d6e577476575d60dfe4ac49850cb9a49bf42cad0d7ff8cd75ec

Download Submit
C:\Windows\SysWOW64\Gmdcfidg.exe

Filesize
156KB

MD5
026e5a03a8b37d743815220670ba7259

SHA1
b0792bf4165d3c8378e4c459201471330a51ee45

SHA256
12c0667d48d7ec1979e42e2c5e673007662fc1af2a504937b7fc172771db38f8

SHA512
c8d814183d3f738fbd5956acd80cf5642cd35ae0615fbef1e0b9c342edb9881793f1ee1e039b46b6fcc5eb86d69a09cc1841dd1efee01d14bf2568af566b9b74

Download Submit
C:\Windows\SysWOW64\Hbhboolf.exe

Filesize
156KB

MD5
219c3a9b18afbefa4d131c422bb03680

SHA1
edb60ee82aa639ebbfc0aee260281d8ca5f13702

SHA256
89a3e77538ffb53180784c37476af410b47f716c378f8ebd07b78f800cf93e38

SHA512
5e5211c72cbdec738be81efff5fce1e1c4a7152614625b6016e4229b82575f0e11815de23b0e823164f94249d8f6efa75ab9db308fd9a749d2db93b8f01b455e

Download Submit
C:\Windows\SysWOW64\Hedafk32.exe

Filesize
156KB

MD5
c006a21797167f484045631eea46f057

SHA1
81763cce3369571ff5f2ba122d1cb7bbc921793c

SHA256
7aed43f4cad6256d82c12f4b2ea8a060798f8562a4ef3e8169e978609472edcb

SHA512
3282064da326896bfbd77505abd0056d061fbb37196597edbf1060353248ef25f29e635daf132d37edec17b76257e22f803baf3a348f776717dcbac9f0b1acec

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
156KB

MD5
7aaeb79ede76a7b1ed3f6347b90356ec

SHA1
e4bd49054eeb9407bac5e2727f45f27c1e34f079

SHA256
93b1b6f818c6c99b141d310aece8e8e2d9ddba1f99a7b8d379f5cfea16eac016

SHA512
ca9f76db0905bfa4c2010210e606dfcac6cbe04c5bacb284c91069417630308aa82f0a8b20104840e382a2c685bafebe772c1146c4f6b98e888acb937b42401d

Download Submit
C:\Windows\SysWOW64\Hifcgion.exe

Filesize
156KB

MD5
941f8ff0fe9a458505553106b796a36b

SHA1
e4ef1b237ea059c68f8d39fce2d030707f4b26df

SHA256
4be14902de1e956ea7b8ae557b4c3de5e9820e02109e5e3cf93e040c4c95e2e2

SHA512
fb336d758d5e32ca63126bffb463e0a31c2b5c75a6e61c7c29a7a282ab7db399d539cf01b701b0fea742bb629ebd267f238b2731da85887530546f9a2f7e7ca3

Download Submit
C:\Windows\SysWOW64\Hihibbjo.exe

Filesize
156KB

MD5
84c3f82e10b0ef52cfe8cfcde9b7fbff

SHA1
b42e341025b22dcba9e96d1591c48d6213a5d209

SHA256
a17fdb2c4b10f16d5ed8e2c03836dc0512e8af8e4382f751c21f2fc48ab2b65c

SHA512
7b75f749b7cc54d147c1475d77c1522ad2922fb27f4c3a6baf6b27dcb3b2bac0870f6901657214e0140aa712c031bd70bdb774cd348acf35a22ee4778e772a16

Download Submit
C:\Windows\SysWOW64\Hpchib32.exe

Filesize
156KB

MD5
7f082e030a21cfe9fd3fc92505cb0e28

SHA1
cb57b4fac75bddc4f481707687caaa6046f90f77

SHA256
59192101f924bea4ad8d8b8c457397587d2156dffb83929b07599e7b6ae50887

SHA512
934a6d88b970edd3603c49093db10ed63abed3569f6cb6770d291b149f1f6edb8c5a69060f52500c9670bb64fb6e64e459c9bbd78a17b28995213a29874df419

Download Submit
C:\Windows\SysWOW64\Ibcaknbi.exe

Filesize
156KB

MD5
e7a178fb289eceacc3d25f1d3ab7d6f1

SHA1
e19c38d667a0156064b5d156fa1e45b4615b1ba5

SHA256
b627089a86b0696c8db6759905898b032c10b8da1fb787630136ebe155e18357

SHA512
6f7a86c8b7ce5a621b524812708d8c7839bce22d93a0a91f6201012d8e73ad4a7aa90890362e93e4dd43957048f568b878db305e403240a3bfff1fa02990110b

Download Submit
C:\Windows\SysWOW64\Igfclkdj.exe

Filesize
156KB

MD5
f17230bf66c3b27d07284b43d7fc3a13

SHA1
d9b81e160abd2b2924d8229fcc87486f1efe44e2

SHA256
2996873cb6cfd2836be1d51f9e916605dde622115024150040e7902f077c2f29

SHA512
bca877a60c99459cffb2d302bcbcd9d2b0624c623368862cc780fd3a5ab68c2eb07d38ba6a03973418a6eb2253becb266140c54812c044860b0fdbb027c43af4

Download Submit
C:\Windows\SysWOW64\Iomoenej.exe

Filesize
156KB

MD5
dde6452b6ae39cee76198ad51ae88633

SHA1
daa70fb5a341431b4e725f7b0be448a0bbce9563

SHA256
756963118ff10d9fd12cd94a2b34077f36543286b3d220535f723b30605717a6

SHA512
fd784bbfdb09d2b455e8dfd67d21b23cadaf27a2c0a6efa941d2a7537f740ca34a952b8ae0d7c623fbeee88ca3d0f0f27bd3508ef15aef464c54194cb3d9f0af

Download Submit
C:\Windows\SysWOW64\Jbepme32.exe

Filesize
156KB

MD5
c7d55960ae2945731db37964858234b2

SHA1
dfd92972dba8c982ca6e692a9146dcabef26053e

SHA256
28333929844a0c0071907ebb22e90ec90d1e5636ad96133f16d5953eb6d11e81

SHA512
7e2dd160a1bf9f4b1e2e222424fdfcb96b147ec35f378d5027a008629321deebfdd74e15507debc128c4498f17b10227a71bca716238d211b3893522738f237c

Download Submit
C:\Windows\SysWOW64\Jppnpjel.exe

Filesize
156KB

MD5
96c981f7c3151b36839a081d0da6a0d2

SHA1
cc42522a56298bb9eb518220cbaa843acfa45e60

SHA256
972b4bd4c0e8e14736c6d02c6bb4835529503f067b3b912e328a95e7091e25dd

SHA512
20e297a150f851740ca5ed7d421bee33adad3da592d666e613fec4d8a8087371ff967eebab53bc782005b3ff00826fc7492893cef7d3faa856fddd11810b0b6f

Download Submit
C:\Windows\SysWOW64\Legben32.exe

Filesize
156KB

MD5
c9d99b5eb0619779d34a9acdcd7c78e2

SHA1
7c5088b96d22a100e7c0c2d3d720161b6f0d4b16

SHA256
3cc0ec51062d46885360d99cf79ac6d51faeb234eea65044cdcbcc73d90fbb0f

SHA512
9f53b196c36e219b4c266fdbd8aaef44cbbd5f92a6acc9df59a3eba734f2636d33f0dd59a3422f113353158b0badc82730f577487bc3c1dc9bdbb4b4e489a787

Download Submit
C:\Windows\SysWOW64\Lgdidgjg.exe

Filesize
156KB

MD5
a92446b68cea366f2df0a214b868465e

SHA1
e97e4b3ea77dfc3e6ec8f90163e34fa3c2c26f87

SHA256
5b22eee6818146297d28186829b239ca95ee7a9ff2b46c964d4c62b3a0d6c38d

SHA512
f9fa1e096bf54739482cbe5e06e1c0d3db4217caec30c1174518558a353ade5ce4807d33adbff6165a5ba66ce3c2187888e9545606dd844a6d860164964eec3f

Download Submit
C:\Windows\SysWOW64\Mfeeabda.exe

Filesize
156KB

MD5
cf643b8aaf762064198b538f45c17d7e

SHA1
d7e767bc200ede18f56df9709adfd7376ba2c23f

SHA256
cd81d936e366ed5b8c805b6aab4a9d47108308ec813b97a6dbe4ae40ea3316b3

SHA512
cdee45cab29b7e83d0a7c664f34253764faeb8f9c699213eae2fb5e3753a418a08d5cbf6c1f33e1b3461f887d6ba109bfa6054ec11524053ac3b41f6c3e7a759

Download Submit
C:\Windows\SysWOW64\Mfhbga32.exe

Filesize
156KB

MD5
e83754693a352d1faecd14d321da499b

SHA1
60950b447e248efbe01262e8add8b6d21cc94cca

SHA256
c2c3481b4c3f72a9781cf2e1de296ab6f272051279d455e15c396a5915d68b0b

SHA512
420714855e105d54a9201ab4c1e6673cf00b44c36fb6841a601a839291e1e44e4145f0db4f1c7a898321cdab7d185d882be13802776e16976a83cdf369c158cc

Download Submit
C:\Windows\SysWOW64\Mgnlkfal.exe

Filesize
156KB

MD5
e3b798c2db0eda9ea535de3c57702fd6

SHA1
015f41e1932cc4f34f54eb4f403cc01db5d8c542

SHA256
52bf74cd1799d4cc8a966948dab606ed9ba6525398a0e6ab2240564668138f0f

SHA512
7c40824e5432281c7b66cf657e8d78094ce0a0500837f6b8ad8c8c06d58fe39e3335a79819713c970d397906a9acca86911ef40ffe6ee695dba4ed9746cb3a54

Download Submit
C:\Windows\SysWOW64\Mgphpe32.exe

Filesize
156KB

MD5
9738213fc1c849c2a89737f41a234574

SHA1
059bc12dada6046fca629d3670b679acf0e5ecb9

SHA256
c197990b8de6bec3656536be40076a5fb2a9f128279b0cfe9f3806f95ef98c78

SHA512
46c12a3dae75a31840c34f8c84329e213c30b6d217528599000bf1f087b1d57cbec6996db4e948616b0b55326aeeb3a8d2544a705e5c7cb69c1ed756485dd91e

Download Submit
C:\Windows\SysWOW64\Mnegbp32.exe

Filesize
156KB

MD5
55774bafee1aedc5e245a30c5de502d3

SHA1
802788f7b24e540c0ea3aed5cdcc8ccaed24fcbe

SHA256
710a22e205ec4de9a9ebc5575d71a2a878ca586b4b6c1d3493c30291acac0351

SHA512
fbc4039a82a6426956b6e952fb1ca9c9af8c2801d1606e4e1eadcca7af4900234f792793e724e2168f474c6a0dfdc30cb728754dfe7f683ba247b867546551a7

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
156KB

MD5
c0e5551f2164825d350405c7a90fa649

SHA1
e10ff49ffb85043edfdffbafe75e452bcf4006e6

SHA256
231d541522d34f0436122342481eaa3ea2aab9cd5a61badc903a7ddf8d8de307

SHA512
81eaa2963929ba2aa2d80554cc2837e57aace3a51cf602b0d3440e7bbd29a44ad912ac9d88d07579ab2096ea46d2143dbdf9e2385394b59c49c21ee691d985bd

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
156KB

MD5
e4f1e64a431adbe89d5e5bbec7e208ac

SHA1
61c46aade1a3bdb602d02cb8c045244b5873e8d1

SHA256
784b758e6cdc479a7f1bb00d1a228370e9fe496df476909bb85ebc066ea8ff61

SHA512
282323f0fde2f949009b308d0bcfa69a2b869617e1811d9a142ff84380261308e54637932d4bfc282d250d56ead51c4240904429684c50f2f5992f9869807336

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
156KB

MD5
0f7aa911910bf1f0ab68e7703625e8ec

SHA1
5e53967b897182810fba06c6b813047163dc0a77

SHA256
82904f436cd89274a9b1a5f5dc003c58776ce3031e55967e165e142fe5d8ab8a

SHA512
43f9d9fb3ff29845d7b67c12cd4570960af3b8522dce2e5445234d1c27fc8d520a3e5d1f9538361a7917fbdf6d5529015703342708090b642035a589a3c76077

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
156KB

MD5
7f0eab6a4d0da851496e0f70b0695d21

SHA1
22e3fcc66be4e25dde0896f337f4a57108c2173e

SHA256
9808832ba9355c3da1ce8bcb0e11ed6297179f6fe68044881cbbd34888a49569

SHA512
76e3bda3585bc4753ca915cded21d0a8538f98de3283c0061a41cbff795d60449dd44f38530e5c3189a2dcd5110191ff806c6372097673d4a70b0f0a66f79b25

Download Submit
C:\Windows\SysWOW64\Oaifpi32.exe

Filesize
156KB

MD5
1e3f762d8e6b2cd0f7182de697c15bcb

SHA1
988c78b8c51538b8edfd5602dfa30a300e3c63df

SHA256
e5a5c1abb80ea11a49ed97148eb6fcd0d1af12c2af0913404e2a63bb9d08d54e

SHA512
eb53c4dd3b133310e801a8da079202012c3b6e22e7f9d1b64a865884a01b90aa23124e980e02eef0d83da32b561d4031c665ab5f4de9d2e5546836ccff510072

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
156KB

MD5
a5342159567b6f1b35ed354178bdd655

SHA1
faf460df1f87cd569dcbf858d735f11dc17971d2

SHA256
8d43485f5341c3f73720d827ceddd2fde371dfbcefce8b9ea5a9a722e5d8d41f

SHA512
99832b3f7f1f3d9e308160d90acbb69e80586cb2a7cb0723eae7346d06439b085a6ba3f5a4b55d6f4d76270d4b787890e44281aa8d007554d47b0c211620b0be

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
156KB

MD5
c3d53ab3368dd737efcdaf5d709d6eda

SHA1
d823da93aa30e01a756a44ab62caad01976c6206

SHA256
38042a037506588eb85d97c262a4a8c31f8bbc7d7d16e4acb23a8872ba3d88dd

SHA512
840cc0caacbe8b97533ada97de5823ab1646faa8db7c576e487c6f4f624d3108ce8f37d7060746a3660f13e86f4434a79ebd1f8912666f7d24e62f49095c1039

Download Submit
C:\Windows\SysWOW64\Onapdl32.exe

Filesize
156KB

MD5
d7816cd1a7352f2124db31c547836b61

SHA1
cd34d06118c724a9c0b2351c57c085b54c04c54e

SHA256
dcdce128f94e056e8b7380f1d9b3356e36c3b1c2b549a29a46569eeed889e1c7

SHA512
f8310948c4083182a49c4700e02b672bee553a74cb339f580eb110ab2fa89019bfbcf889266642d7cc7c046a7aef0205f4f6135c86b32a5c08c17ea020c3676e

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
156KB

MD5
95def0ce9e8ddb7c26f6ea491ea2a1e2

SHA1
324329d8213faafeb35f994a0ebac703bef184de

SHA256
fe92a63492691caa7988de133adf37ec487a497a1df40dbf8b07788c626ad0c0

SHA512
06fa4bd6e3d3e59a744d280fa065d871120657b0425053ad976dc5aec71562d0ac746474362fe5d141a938b11e71f8c40fbef86118d42e73f8e859c0d70af2c3

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
156KB

MD5
cb3f48464005461daebdf3ad30f07330

SHA1
95f5296de7fc8f62acf291457c45c6b87a1fa9b0

SHA256
5673a3759d5ec947efb19f907a7fd074574b980ce2a3fcd7b7d21189bfb06440

SHA512
245af45ac40e77c87906c33bef330551d5bda5acc06e340ac2693f82a935137d2e8512bc6bac07330fa11032360d345c8f785214559264e8d6bb0c1e4322ef18

Download Submit
memory/8-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/8-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/8-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/220-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/636-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/732-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1248-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1336-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1424-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3272-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3364-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3524-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3708-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3888-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4108-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4364-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4372-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4628-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4644-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4772-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads