9079ecd80464936fd0acb73e72b12c273957cd374f8af4aa4333d701732821fc

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9079ecd80464936fd0acb73e72b12c273957cd374f8af4aa4333d701732821fc.exe
Size

128KB
MD5

bc6ac6300699cf440c3a1e5d0f2dac09
SHA1

601696044499ba3b1e0d33d2a2c6cb8577f555ff
SHA256

9079ecd80464936fd0acb73e72b12c273957cd374f8af4aa4333d701732821fc
SHA512

48a742c38875bab2659425f2b7ec456f4f8a67c8ab12cd73556aa0ca03a3642a71ad6e1b549b097eba034d88315ed2c0ace3f832935e41f505d0bb4e1317be7b
SSDEEP

1536:wnKrEnPiVkW8AllA4+wntd/x2LF1N7DqQfV5I+GCmBhjFW+JCYTDPSkGF9:KSEncCKHCF1wQ9bGCmBJFWpoPSkGF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chbedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhibni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpladg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchiaqjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehjdldfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlegeemh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bakqfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cimhckeo.exe

Executes dropped EXE 64 IoCs

pid	Process
1704	Aahdqp32.exe
3624	Bpidngil.exe
4480	Bbhqjchp.exe
1136	Bakqfp32.exe
112	Bibigmpl.exe
2964	Bpladg32.exe
5036	Bammlomg.exe
1224	Bidemmnj.exe
4920	Blbaihmn.exe
2444	Boanecla.exe
4148	Bekfan32.exe
4048	Bhibni32.exe
4720	Bockjc32.exe
2292	Baaggo32.exe
2040	Biiohl32.exe
3556	Bpcgdfaa.exe
4608	Bbacqape.exe
4540	Beppmmoi.exe
3032	Chnlihnl.exe
1376	Cohdebfi.exe
2240	Cccpfa32.exe
1696	Cimhckeo.exe
4760	Cpgqpe32.exe
4464	Caimgncj.exe
4848	Chbedh32.exe
1864	Cpjmee32.exe
224	Cchiaqjm.exe
4932	Cefemliq.exe
4404	Chebighd.exe
1964	Ccjfgphj.exe
3136	Ceibclgn.exe
2892	Chgoogfa.exe
1816	Coagla32.exe
2540	Ccmclp32.exe
4452	Cekohk32.exe
2672	Dlegeemh.exe
3228	Doccaall.exe
872	Dabpnlkp.exe
440	Diihojkb.exe
1668	Dlgdkeje.exe
1256	Dofpgqji.exe
4196	Dephckaf.exe
3776	Dhnepfpj.exe
3604	Dpemacql.exe
1924	Dcdimopp.exe
3140	Dcfebonm.exe
4004	Daifnk32.exe
4496	Dhcnke32.exe
4460	Dpjflb32.exe
1972	Domfgpca.exe
2352	Ejbkehcg.exe
3508	Elagacbk.exe
3980	Eoocmoao.exe
1128	Ejegjh32.exe
1600	Ehhgfdho.exe
3152	Ejgdpg32.exe
1628	Ehjdldfl.exe
2340	Eqalmafo.exe
1528	Ecphimfb.exe
3296	Ebbidj32.exe
2816	Ejjqeg32.exe
3148	Elhmablc.exe
4484	Eqciba32.exe
4852	Ejlmkgkl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ejgdpg32.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Gmagda32.dll	Bibigmpl.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Cimhckeo.exe	Cccpfa32.exe
File created	C:\Windows\SysWOW64\Gdibmd32.dll	Biiohl32.exe
File created	C:\Windows\SysWOW64\Cfjbmnlq.dll	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hihicplj.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Fgjnbc32.dll	Bidemmnj.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Boanecla.exe	Blbaihmn.exe
File created	C:\Windows\SysWOW64\Fjnjqfij.exe	Fbgbpihg.exe
File opened for modification	C:\Windows\SysWOW64\Fcnejk32.exe	Fqohnp32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Omlami32.dll	Dlgdkeje.exe
File created	C:\Windows\SysWOW64\Ejegjh32.exe	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Aodldljj.dll	Cpjmee32.exe
File opened for modification	C:\Windows\SysWOW64\Elagacbk.exe	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jgegko32.dll	Diihojkb.exe
File created	C:\Windows\SysWOW64\Lghekack.dll	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Qngfmkdl.dll	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lpdcae32.dll	Fmapha32.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Cpjmee32.exe	Chbedh32.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Dcdimopp.exe	Dpemacql.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7552	7352	WerFault.exe	333

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdibmd32.dll"	Biiohl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpidngil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpemacql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blbaihmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chnlihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpjflb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bakqfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dabpnlkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjbmnlq.dll"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppmkg32.dll"	Bhibni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1704	2852	9079ecd80464936fd0acb73e72b12c273957cd374f8af4aa4333d701732821fc.exe	86
PID 2852 wrote to memory of 1704	2852	9079ecd80464936fd0acb73e72b12c273957cd374f8af4aa4333d701732821fc.exe	86
PID 2852 wrote to memory of 1704	2852	9079ecd80464936fd0acb73e72b12c273957cd374f8af4aa4333d701732821fc.exe	86
PID 1704 wrote to memory of 3624	1704	Aahdqp32.exe	87
PID 1704 wrote to memory of 3624	1704	Aahdqp32.exe	87
PID 1704 wrote to memory of 3624	1704	Aahdqp32.exe	87
PID 3624 wrote to memory of 4480	3624	Bpidngil.exe	88
PID 3624 wrote to memory of 4480	3624	Bpidngil.exe	88
PID 3624 wrote to memory of 4480	3624	Bpidngil.exe	88
PID 4480 wrote to memory of 1136	4480	Bbhqjchp.exe	89
PID 4480 wrote to memory of 1136	4480	Bbhqjchp.exe	89
PID 4480 wrote to memory of 1136	4480	Bbhqjchp.exe	89
PID 1136 wrote to memory of 112	1136	Bakqfp32.exe	90
PID 1136 wrote to memory of 112	1136	Bakqfp32.exe	90
PID 1136 wrote to memory of 112	1136	Bakqfp32.exe	90
PID 112 wrote to memory of 2964	112	Bibigmpl.exe	91
PID 112 wrote to memory of 2964	112	Bibigmpl.exe	91
PID 112 wrote to memory of 2964	112	Bibigmpl.exe	91
PID 2964 wrote to memory of 5036	2964	Bpladg32.exe	92
PID 2964 wrote to memory of 5036	2964	Bpladg32.exe	92
PID 2964 wrote to memory of 5036	2964	Bpladg32.exe	92
PID 5036 wrote to memory of 1224	5036	Bammlomg.exe	93
PID 5036 wrote to memory of 1224	5036	Bammlomg.exe	93
PID 5036 wrote to memory of 1224	5036	Bammlomg.exe	93
PID 1224 wrote to memory of 4920	1224	Bidemmnj.exe	94
PID 1224 wrote to memory of 4920	1224	Bidemmnj.exe	94
PID 1224 wrote to memory of 4920	1224	Bidemmnj.exe	94
PID 4920 wrote to memory of 2444	4920	Blbaihmn.exe	95
PID 4920 wrote to memory of 2444	4920	Blbaihmn.exe	95
PID 4920 wrote to memory of 2444	4920	Blbaihmn.exe	95
PID 2444 wrote to memory of 4148	2444	Boanecla.exe	96
PID 2444 wrote to memory of 4148	2444	Boanecla.exe	96
PID 2444 wrote to memory of 4148	2444	Boanecla.exe	96
PID 4148 wrote to memory of 4048	4148	Bekfan32.exe	97
PID 4148 wrote to memory of 4048	4148	Bekfan32.exe	97
PID 4148 wrote to memory of 4048	4148	Bekfan32.exe	97
PID 4048 wrote to memory of 4720	4048	Bhibni32.exe	98
PID 4048 wrote to memory of 4720	4048	Bhibni32.exe	98
PID 4048 wrote to memory of 4720	4048	Bhibni32.exe	98
PID 4720 wrote to memory of 2292	4720	Bockjc32.exe	99
PID 4720 wrote to memory of 2292	4720	Bockjc32.exe	99
PID 4720 wrote to memory of 2292	4720	Bockjc32.exe	99
PID 2292 wrote to memory of 2040	2292	Baaggo32.exe	100
PID 2292 wrote to memory of 2040	2292	Baaggo32.exe	100
PID 2292 wrote to memory of 2040	2292	Baaggo32.exe	100
PID 2040 wrote to memory of 3556	2040	Biiohl32.exe	101
PID 2040 wrote to memory of 3556	2040	Biiohl32.exe	101
PID 2040 wrote to memory of 3556	2040	Biiohl32.exe	101
PID 3556 wrote to memory of 4608	3556	Bpcgdfaa.exe	102
PID 3556 wrote to memory of 4608	3556	Bpcgdfaa.exe	102
PID 3556 wrote to memory of 4608	3556	Bpcgdfaa.exe	102
PID 4608 wrote to memory of 4540	4608	Bbacqape.exe	103
PID 4608 wrote to memory of 4540	4608	Bbacqape.exe	103
PID 4608 wrote to memory of 4540	4608	Bbacqape.exe	103
PID 4540 wrote to memory of 3032	4540	Beppmmoi.exe	105
PID 4540 wrote to memory of 3032	4540	Beppmmoi.exe	105
PID 4540 wrote to memory of 3032	4540	Beppmmoi.exe	105
PID 3032 wrote to memory of 1376	3032	Chnlihnl.exe	106
PID 3032 wrote to memory of 1376	3032	Chnlihnl.exe	106
PID 3032 wrote to memory of 1376	3032	Chnlihnl.exe	106
PID 1376 wrote to memory of 2240	1376	Cohdebfi.exe	107
PID 1376 wrote to memory of 2240	1376	Cohdebfi.exe	107
PID 1376 wrote to memory of 2240	1376	Cohdebfi.exe	107
PID 2240 wrote to memory of 1696	2240	Cccpfa32.exe	108

C:\Users\Admin\AppData\Local\Temp\9079ecd80464936fd0acb73e72b12c273957cd374f8af4aa4333d701732821fc.exe
"C:\Users\Admin\AppData\Local\Temp\9079ecd80464936fd0acb73e72b12c273957cd374f8af4aa4333d701732821fc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\Aahdqp32.exe
  C:\Windows\system32\Aahdqp32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\Bpidngil.exe
    C:\Windows\system32\Bpidngil.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\SysWOW64\Bbhqjchp.exe
      C:\Windows\system32\Bbhqjchp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Windows\SysWOW64\Bakqfp32.exe
        
        C:\Windows\system32\Bakqfp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
      - C:\Windows\SysWOW64\Bibigmpl.exe
        
        C:\Windows\system32\Bibigmpl.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Bpladg32.exe
        
        C:\Windows\system32\Bpladg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Bammlomg.exe
        
        C:\Windows\system32\Bammlomg.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Bidemmnj.exe
        
        C:\Windows\system32\Bidemmnj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Blbaihmn.exe
        
        C:\Windows\system32\Blbaihmn.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Boanecla.exe
        
        C:\Windows\system32\Boanecla.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Bekfan32.exe
        
        C:\Windows\system32\Bekfan32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Baaggo32.exe
        
        C:\Windows\system32\Baaggo32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Biiohl32.exe
        
        C:\Windows\system32\Biiohl32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Beppmmoi.exe
        
        C:\Windows\system32\Beppmmoi.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Chnlihnl.exe
        
        C:\Windows\system32\Chnlihnl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Cohdebfi.exe
        
        C:\Windows\system32\Cohdebfi.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        24⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Caimgncj.exe
        
        C:\Windows\system32\Caimgncj.exe
        25⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Chbedh32.exe
        
        C:\Windows\system32\Chbedh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        29⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        30⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        31⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        32⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        33⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        34⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        35⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        36⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        38⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        42⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        44⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        46⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        47⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        48⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        53⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        61⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        62⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        63⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        64⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        67⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1404
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2432
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        71⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        72⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        73⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        74⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        75⤵
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        76⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        77⤵
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        78⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4976
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        84⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        85⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        87⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        88⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        89⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        90⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        92⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        95⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        97⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        98⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        99⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        101⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        103⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        106⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        107⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        108⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        114⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        115⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        116⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        117⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        118⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        119⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        123⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        124⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        126⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        129⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        130⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        132⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        133⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        134⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        135⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        137⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        138⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        140⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6240
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        142⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        143⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        147⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        148⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6592
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        152⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        153⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        154⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        155⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        156⤵
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        157⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7020
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        160⤵
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        163⤵
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        165⤵
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        167⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        168⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        171⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6856
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        173⤵
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        174⤵
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        175⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        176⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        177⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        178⤵
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        179⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        180⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        181⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        182⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        183⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6612
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        185⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        186⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        188⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6776
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        191⤵
        Modifies registry class
        
        PID:7180
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        192⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7216
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        193⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        194⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7356
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        196⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        197⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        198⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        199⤵
        Drops file in System32 directory
        
        PID:7520
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        200⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        201⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        202⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7636
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7680
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7720
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        205⤵
        Modifies registry class
        
        PID:7768
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7808
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        207⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        208⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        209⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        210⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        211⤵
        Modifies registry class
        
        PID:8012
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        212⤵
        Drops file in System32 directory
        
        PID:8052
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        213⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        214⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        215⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        216⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7296
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        218⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        219⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        220⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        222⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        223⤵
        Modifies registry class
        
        PID:7716
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        224⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7792
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        225⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        226⤵
        Drops file in System32 directory
        
        PID:7920
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        227⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        228⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        229⤵
        Drops file in System32 directory
        
        PID:8128
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        230⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        231⤵
        Modifies registry class
        
        PID:7252
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        232⤵
        Modifies registry class
        
        PID:7420
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        233⤵
        Drops file in System32 directory
        
        PID:7528
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7632
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7712
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        236⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7968
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8036
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        239⤵
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        240⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7352 -s 408
        241⤵
        Program crash
        
        PID:7552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7352 -ip 7352
1⤵
PID:7428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aahdqp32.exe

Filesize
128KB

MD5
4b653b37e4ddf9626b2d4909d302d1ab

SHA1
ad47a7c17e5b65a947d59205ac1508f1e606211b

SHA256
c118ad44ce2a8d92241d3c231a897edef9485dd84a59c7a63df6f7063c92e249

SHA512
e8e743777138c1a44a74a7fb120f26821c2736ecf21a9be4afce4eb8f9d76108126e7a5ff609cfee5988793771f50f5dc233209f81a21a2679ed7550bae21a6d

Download Submit
C:\Windows\SysWOW64\Baaggo32.exe

Filesize
128KB

MD5
8c401d84ee7f8bfccd17a9956f13ea64

SHA1
61b61b4f9739ac859152464d7a590344a2cbd3dc

SHA256
170e86f4d8d40dd512b99ad114d8883c54f6d641790066557c6ffdfc10635fe8

SHA512
cefdcbf9c4da1be0f27bfee4dd549560314c57339c8afea475024c94849bb07496821a81bbeeadb711d3590621bd02dc6067d0e7533ea7973f6425e876575f9e

Download Submit
C:\Windows\SysWOW64\Bakqfp32.exe

Filesize
128KB

MD5
fac3fd9e3656d0fca1194c9543f7970f

SHA1
f4bcb993757e0c41207502aab24a5dc0d8f11191

SHA256
8eea6e3003f72455705ba614c155629bae8c9dc1fba4bed465616d512a9f3eac

SHA512
ae6e00ad32201db1af95add207d6753799b76673ab8eda6c0e0746e73e52741d1f0b841b8de699977cb346e737761459445d7f10421b1598a43a7e49c22820cf

Download Submit
C:\Windows\SysWOW64\Bammlomg.exe

Filesize
128KB

MD5
1a44937dbaed0c53aebfea1fee20501d

SHA1
ba22ff7f4b9135324c1ab1d41eafac0724c414a5

SHA256
9da55f31f8a2be4f1b7fdfc5fecdad835aec118aaf902700498566bfa8cf2246

SHA512
4e1831874e47183b54561e539347024818fdb60b2d94226f8c076faa8503cfd755a9c44413b8ad69e677ab8537aab86cd5ea52aa49e0b38949b433e4afe0305d

Download Submit
C:\Windows\SysWOW64\Bbacqape.exe

Filesize
128KB

MD5
c8934f09f6becf6d58dd2d1bb2369afe

SHA1
8d8dfa748530db36e486e63c8c201c9ed003bdd5

SHA256
76dbb9802178dd7c8a7bb5b0e9180273908b84678140d0f658ec37de746661b2

SHA512
192e20bae8a8f45897ab048ee038e0b32ab66af6ea260ff1fa659668ca04cf70adf4c1a1302347dd667d5d46b106d8445b8cc27f31eb00ffbdf2284c6eb1170f

Download Submit
C:\Windows\SysWOW64\Bbhqjchp.exe

Filesize
128KB

MD5
298f079f3a730eaf3e2c63e6d80119e2

SHA1
b5f935153448253805b525cb11b773b7299f7cd3

SHA256
f96744e23eaabfc27dcae22d08339f8d3aff226e8f3110a6a389b8092985d9cf

SHA512
70e1ee5a63311c632211c478df1ae2ada675b3442cfbab769fcb174b159922d434f5548b288592c92907f655ab25db5ccb569155500521ec0dc7934ab1e2f3c7

Download Submit
C:\Windows\SysWOW64\Bekfan32.exe

Filesize
128KB

MD5
5d8c7e726945bb209ec0191717452ab1

SHA1
d9cd55c0600c94067995e91675d143451a7fc0bc

SHA256
e7e377a1766033d4da2ae90bf69d1f27526d22ef760f7fcf28d17f8918751f7a

SHA512
cb13e2fe96651265d307f2eb6d9b691431286c5183debc312487d82277d234cc6ed69f7abc3b0e912d25eca676b921cfff007f83d9b417c9d562b127c4555e3d

Download Submit
C:\Windows\SysWOW64\Beppmmoi.exe

Filesize
128KB

MD5
601a5812c2718181e579a782b06fae4e

SHA1
5dbfd335ec543559a6019583ad969795a3693a8b

SHA256
745b7dbeca78b6436f50f3a0a66d8893b88ea3a4186cb80f0f274fb4d0bdba61

SHA512
8d6e4b579c132a2dc883beea53a6a73462389f5789940872d863d7456e35f1facb0949ccdea4484f4d6787a8d12082a202f72e7b52f9eeaebcf4ae5bd7174b3f

Download Submit
C:\Windows\SysWOW64\Bhibni32.exe

Filesize
128KB

MD5
f9cdc972981229e646e8bce5f296c0e8

SHA1
d54cac4bdb0c73b6646b088544c07921af587714

SHA256
7dc16b5891750fc4f0e890c9a2f69d8fa54cd67357c2081adab6d03c8f0ed1d2

SHA512
e38e168cc09240aedb7548a34ac0f78027e7139ecc541b6807881880ab619d3f592a3cfd8c4998978e64cf1c6a130c24c762d6175751bb15634c3beb910a542f

Download Submit
C:\Windows\SysWOW64\Bibigmpl.exe

Filesize
128KB

MD5
edde884940fea7391f8722b86efd79d9

SHA1
53ab5799860fbd1689cd3fd8270752ee280d3a97

SHA256
41fdd7f8857852ee8eb817b78f219947ac20ef8c0ab83bf01afca40023d2d58b

SHA512
b3a8a34063d472dff43e8abe5a2acbae56fd6a73b4c79114cb101f8736b0cb2bd0c5e1ca10d3e91ab314206b93e9ecb569f31d54c9062f408e3ff769b8f917a9

Download Submit
C:\Windows\SysWOW64\Bidemmnj.exe

Filesize
128KB

MD5
fca3141dedd0c68591094c14652df387

SHA1
0b57b281bf81a71d4259eba37b30e2525880e546

SHA256
63f4cc9286744e0911002b18c11eea69c65ce05c7af7f57915ee3b206d98b67b

SHA512
6e0ca7187641cbea89c5a406f8edcf72bb8b32f6950e6c284772a789277be77e554e884a2af36759e687787ec222f229e86cf15d282c8170d60f862afb328822

Download Submit
C:\Windows\SysWOW64\Biiohl32.exe

Filesize
128KB

MD5
8bd060bcf04efbd6ce3a7e031b8624aa

SHA1
369560d823272cf09e794e321bcbb62c5dd7688b

SHA256
a1b8e3fb72086cc4699045cc363be74634810d498afb0ba6aec9010a68f15f8a

SHA512
a6f77dcdd3ee6818a01b0eeaf1448131a96436421588a4ddcd7fcad831f2aa47e63257b46ee49fcd417d127dc567411b1d2d86bf535cd7d50961acfd05035d43

Download Submit
C:\Windows\SysWOW64\Blbaihmn.exe

Filesize
128KB

MD5
9480a253eff764eb1b5e32e4e739143f

SHA1
3729cb3baefbe3228cc61f5f9f8b8c3c54f2572f

SHA256
109751d3bbff3846fb8740c105b21c1cbbeb1f28696e8524c00f32b9a8a7c165

SHA512
64eff315315d97eb12f23f3c1a967bcbeed9edb7564fc079abb8b2452892ff64113670600bebcd74e181a3e7cba51e5ecab0ca04778bf4bed711381a7242a382

Download Submit
C:\Windows\SysWOW64\Boanecla.exe

Filesize
128KB

MD5
d6be93a5af2ce27dcf9bfb6c812e95c4

SHA1
e596c2a96dcb926a2e8713e79230db8cd6009516

SHA256
2b05bc095671e005a74cd654fda507c18ff902f74750ce38236f63f76ed8d482

SHA512
49c307b2f38cebac72d74826d80c2fcd5a9d1be2c3adb58b6f76ab8d9e20153ef1406f38e975b31131aadc1a70324bb231fa16a2ec2e2f940b0e3eb4cad7e377

Download Submit
C:\Windows\SysWOW64\Bockjc32.exe

Filesize
128KB

MD5
9f6b8231bef7b0d2af0f27e1739e7206

SHA1
c5f17d6c9aa1b781623388ae56cc2f6210d6f238

SHA256
b942cab05afd87f6bb7d35f0572db2812c2547286cb3c42d73dafcb15c3a4aeb

SHA512
200f3ab2fcc3abac60c7df4a4e45f3056f659d80cb15b5e8e90afff0d71629090375cb9b6245d733876315b0be5dcf8c2468f1f3270270b2410c59af63e3031b

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
128KB

MD5
bf0ed8cd9c8932f85ec5d6bfae814450

SHA1
f4ca524abfce1f0b260fbd81402e47257e8d0ada

SHA256
e9e3c5fea8970d784e3d487666566047c670596fd18a6dcf41ec078fd0255fbb

SHA512
927b0b9f780b8d5b5cc9cb457bd975e0ababf70c2246ff04087f26617de4f8cb7edff30fd5b1d9694a740d2171d521676d19b5171d5157651be1bb2849f1e014

Download Submit
C:\Windows\SysWOW64\Bpidngil.exe

Filesize
128KB

MD5
613e349f45b953d147a19000783d2916

SHA1
8bfbc3b4da1a09d483d239ec8e386c004b2e68b1

SHA256
2962bae2843057b74f7a3ff4efd7552e7dc88e1afe2dcd8cae3703ddae9df8a7

SHA512
729635cf0750403c2901aee7f363fddeee504647de1d6af9936157cd7cd956e081cebcda686f1a5a649a922ee1411ccca4d109f43aa597c3dda9c3c2fdfffd4e

Download Submit
C:\Windows\SysWOW64\Bpladg32.exe

Filesize
128KB

MD5
28c798a8b64b5811b1b910440bcb1e49

SHA1
6c8357b183873e5b41c7205bddb3d5b341da2faf

SHA256
1295cc49153866f6a3a0fb95b08be1181dbe0219cb7c5a9546fa0ab281256cca

SHA512
c600b767f7f7ec22cfff3f6746efb15bc5dabe3b07fdfb313cfaca1f853f238e3568d2e6d779667451b32c675c6ca1901882f4e784d00514d56141565b84ce92

Download Submit
C:\Windows\SysWOW64\Caimgncj.exe

Filesize
128KB

MD5
1946dac984529fc8860ae5c147b457e4

SHA1
00b5fe02da14897aac5144128b54f61a6156525f

SHA256
7fe15a6b67be5b3a5e8f494cc52c9de9b14cdda7985c40b525e21d24e5d244e6

SHA512
272d971ad984010e94b64dc746a7354a0af5f9a318dfc88d25d9ba335f666972a3623dce568e0768b6d842b5a268128a8a4377a3f15fe628c354d72ad1b0a31d

Download Submit
C:\Windows\SysWOW64\Cccpfa32.exe

Filesize
128KB

MD5
4e30ef52bd58655a0a80241ae6795fa7

SHA1
a1bdc96a0c0001b29c1a69bf46e4521d65d1a5f3

SHA256
5d26cfb0bbc00d5db8777428aac02e0ad716d100245ce63baa382ab501721eaa

SHA512
939273c8d89dfcfdb5b78817e5dbe65941a04d949671c7b43f370cec868cfa9bafafb62d51b718eecd7f39e06928f958e3af8f3190e516d426ec20b77cc57f78

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
128KB

MD5
524cf480f6f011bd5d807d9e4a8843d1

SHA1
5d8501bbb7ad397f316903b14b54fa46359ecd43

SHA256
8819eb9b62e16336cf8028dc036e438a5d80f7df18d22ab9c607265bdaabd172

SHA512
da553fa42fd0779bf3c06d2635714515c2c07cbbcd89a996fc9b7ea6ac620ce85d74820139235dd72540e2ef2fbd479cb2d5b8dfcd620249cf2e3dea7123774a

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
128KB

MD5
1edf8e74a2ce360008c7c718f3341c5f

SHA1
23e047bdbf4521759ca5654eec0d2f69fc505435

SHA256
8c286fe73fe389fd5b0e12c9373f6e0f39d0b7e335ee4e1fe0b86a97baac861c

SHA512
297ce19923be8c8f167e05938e9a68062e33ca522dd5e6cb5046dbb3f6aba100937b878b7fdae28e0d10c3c34fcfa9cf3ba551dece6ce3235f732232d7a40050

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
128KB

MD5
10e0baffc0bb6a8919f73c6512286297

SHA1
5ee4f8f9774583ddab9ee2c30dae1f6d1f623127

SHA256
839f6ae5b90faab21ac1210ec7c38ab92b4c87c244116367dfbc2ea7057b6b93

SHA512
efe272c561414d16e4191eb7ddd2496453c10a74ceb0965e006365cc4e60ebb9067f302146cd1b284cc28be99294d79e7c3cc5e601bc1441bb795a791bf90d42

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
128KB

MD5
dd49def78f3b64b127426e04f9f0efb4

SHA1
f11a989424a4f74e992f58ba9c3afeec22655148

SHA256
052768bb9c5849f5191c296ee672daa509241a1099360aa105c3a77bdc90abf1

SHA512
4cd10c2bb147d5e2186d77716b2900f2d0943dc2be3d9fa6df736d061edb1d164b361695f1056fd9bd65567e49b914ab9981749dc8b92ee6a586698c0bd94599

Download Submit
C:\Windows\SysWOW64\Chbedh32.exe

Filesize
128KB

MD5
4fb9f2c259aca149c301d1337620efb1

SHA1
061d0c2177eb1f915dbcaa01649e2c01cd564896

SHA256
a2b35b7cb1bbcdf0d5677ed66df29e79d2d4c7d9f81e1ff0a60c34d92fa43871

SHA512
b5745b28110353b0eebc182610c407710148765a6ec5fcfcda32c7723d5b5d4810ce1e18cd2264779213c195fca98ce16b0a5c49c8641c1a3b4ef9d0a19589e0

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
128KB

MD5
fa6f5d9a835951499888cd493edcbb65

SHA1
10fb8ca1154aab32406f6ace02745dc73da392e8

SHA256
53c537187a4534ea555cd38ee410f0c5722a2bb6c733308837ad4899cf99225c

SHA512
64eb2de21c0f42bf8f773fe3325824031f4f563750bb83c149de0930361a71638f90abd09fc4d349505cb7fcba74f7f5b1f3b4c17ac666f610553c0874d3e598

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
128KB

MD5
ce6fa7cff595d9f603efe2313ed7983c

SHA1
864bb3030cee4d1a25db4035502b10d4bd41c521

SHA256
6dd619c2f67afb09744d96b6dc01f2f9bee5b4cda729069a35204c0457174e24

SHA512
0b9f24552b8cf79c9c69e97512b6e7cd06566353562cda0dc41aaeb06acdd253f750b889ba20dc7e56ef04c76d765eb58408efb1709a678915294bc0829fd528

Download Submit
C:\Windows\SysWOW64\Chnlihnl.exe

Filesize
128KB

MD5
d74311e531200f8307cbcd4a01803817

SHA1
20967c879bab23d91359bf2d036667a24942e997

SHA256
43b2b9d6900fadf133ba81ec0783384da22e67076de90c3f97a2846b91946484

SHA512
5ecdb251a95a6fd080a869c0ff731dc60fef98f9fa45e12add13026ee188ea28204df12012ec3262657a24cc44f1a0daf7154f54d1937837110eaf3a77666b99

Download Submit
C:\Windows\SysWOW64\Cimhckeo.exe

Filesize
128KB

MD5
d2de5e612dc5f2ec245451e4214f8f83

SHA1
489a102900f3ba7278e6bd1c5c9cecabd9b4ad3e

SHA256
6047f4ddb074dcf75ccf969140ae2c66d12a2955bbf0b1f85ef4d9d5f1e7fc2c

SHA512
0dec409b73b53080b072806e2229713b1315ac2edaf66dbc90597f1d2ce95b3cf49ac7d3fa9c2c148dad2d9d233bec8e5af8c9eb3de2732b07332bb19207fc09

Download Submit
C:\Windows\SysWOW64\Cohdebfi.exe

Filesize
128KB

MD5
3a2e57e9eadceb2df594223026d1a32e

SHA1
0dc4e0505f272009a2b7c6dd6a6e13b64caeb41e

SHA256
a5a6a1b417ac2ef522b9af42bbeabab16a5d9ddfc9a98e0c05066070e36dde91

SHA512
3232dc34d28f4f3dd879cfc4863c5bc3abb515c64c903b9e1585e093974984248950bb921a70f21172aba6ac71acf7d7e12b6ee5b139c8f72151601b92f39003

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
128KB

MD5
1ee9a96a99688e8de349b6938ca0c183

SHA1
c21523ccc6e7b152d6f623e6e1499485a9ce6c96

SHA256
01e1571ddcb3c0b1b61f238c9413c9ea1385819343e115ac6e8d0d241a7f2933

SHA512
840fb1c284c58b0a8a8e02de6880188e2ac3198cd67251fc54cb363ef70ae7574e4b7547f09aaf5eeed5ad782ba536a0bd9e145b21d30b281bad6d07d2bb7049

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
128KB

MD5
0dee351b41777f5ecc143521e88ed650

SHA1
a7e05b9e5c4f0cc0e1c236e3a8712d858ae5e6dd

SHA256
7cc16394cb60d7ce2cad587e1684592ba9be87f37dda188e245736c97c77c16f

SHA512
63be1360e0af8539fd013e01c756f82673442025d371789eed6d3d11e1c30bf40b08a6e6b7c791e38d29cc1aa6f48c05c3cabf0f32af36c940de44ddcac3c80c

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
128KB

MD5
63f63d25e6d2e3efcd0e176f32bd018e

SHA1
c5b8ade22a44d100485d5d60cd8a68121bb7fb37

SHA256
dac4a79a9045bbad3a11693d7a85ba925ce64935b7e9e0f10339cbecd091277f

SHA512
87b22a01af4cc31ace15101ae272b3aa75eae88773b7180e0fbcc7d75cc7f78d30fbca73a852fbddc252f65210637d12c880f7fa2714ad9bf4f12ba831430aa2

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
64KB

MD5
0c7252cc96dfa161ba262ae3d646223a

SHA1
e03e761541ba791415f7feaff4ac522265202397

SHA256
88306cfb513cfc264a05d767b774fe2c4e38495cb741e604727b401b39ea3291

SHA512
236618ab6de936fc84b30a19aad0c990c0b820ecf48c64958a410678114b280fd127f8456efc4c810369389924904220177c91081970854292c3aae1d3956e39

Download Submit
memory/112-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/224-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/440-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/872-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1128-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1136-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1224-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1256-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1600-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1668-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1696-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1704-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1816-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-213-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1924-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1972-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2292-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-375-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2540-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2672-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2816-435-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2892-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3032-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3136-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3140-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3148-441-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3152-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3228-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3296-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3508-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3604-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3624-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3776-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3980-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4004-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4148-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4196-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4404-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4452-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4540-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4608-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4720-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4760-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4848-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4932-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads