486f95bf640c205b08f8191ab554573cece30138a9fa943ab6dfcec52e2c9dcb

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 15:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

486f95bf640c205b08f8191ab554573cece30138a9fa943ab6dfcec52e2c9dcb.exe
Size

92KB
MD5

381c02f12c996a0f221e3c4add00d8ca
SHA1

74980778ab03a1acde9139d58eef7c386ee61396
SHA256

486f95bf640c205b08f8191ab554573cece30138a9fa943ab6dfcec52e2c9dcb
SHA512

c05f6bbe51445980360775b06fdf6b65af21259baa58e88e14ed4afac11c66d04fbc64c6e408f64a5c1917e61b4a61850c74e5c56c0500e63a540325a48b232a
SSDEEP

1536:ScGTfj6CDRs4D5CpzrlnEa6639G8pxbcEy1IvBNAzGLJbaj2MaLjXq+66DFUABA2:VGTfjqboIv7bzMaLj6+JB8M3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilcldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hldiinke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nblolm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fndpmndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilfennic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbbicl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhoeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apggckbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blnoga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hffken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lancko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhnikc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blnoga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimqajgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimogakj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	486f95bf640c205b08f8191ab554573cece30138a9fa943ab6dfcec52e2c9dcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enpfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnpphljo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jenmcggo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcmfnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clchbqoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlmchoan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khiofk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfjkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpochfji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adndoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndeii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokmdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilnbicff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmhgmmbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceefd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlalkmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnpphljo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Felbnn32.exe

Executes dropped EXE 64 IoCs

pid	Process
1980	Ahbjoe32.exe
3668	Anaomkdb.exe
3200	Akepfpcl.exe
4172	Adndoe32.exe
4740	Blgifbil.exe
3232	Bhnikc32.exe
4964	Bhpfqcln.exe
4992	Blnoga32.exe
820	Bheplb32.exe
2928	Clchbqoo.exe
900	Cndeii32.exe
1136	Eicedn32.exe
1596	Felbnn32.exe
1900	Fmfgek32.exe
4500	Flkdfh32.exe
4756	Fmkqpkla.exe
4108	Flpmagqi.exe
1372	Gpnfge32.exe
4684	Gifkpknp.exe
1204	Gfjkjo32.exe
1232	Gpbpbecj.exe
4412	Glipgf32.exe
1040	Gimqajgh.exe
2604	Hfaajnfb.exe
408	Hibjli32.exe
4368	Hffken32.exe
1916	Hmbphg32.exe
1700	Imgicgca.exe
3564	Iinjhh32.exe
5032	Ibfnqmpf.exe
3856	Ilnbicff.exe
3156	Iefgbh32.exe
4696	Ickglm32.exe
2620	Ilcldb32.exe
3816	Jmbhoeid.exe
708	Jenmcggo.exe
2256	Jngbjd32.exe
1988	Jllokajf.exe
468	Komhll32.exe
924	Kckqbj32.exe
4620	Kfnfjehl.exe
2992	Lfbped32.exe
3804	Llmhaold.exe
1752	Lnldla32.exe
3872	Ljceqb32.exe
4952	Lopmii32.exe
3976	Lnangaoa.exe
4160	Modgdicm.exe
376	Mmhgmmbf.exe
1420	Mokmdh32.exe
3264	Mgeakekd.exe
4444	Nfjola32.exe
4308	Nmipdk32.exe
692	Nmkmjjaa.exe
4100	Nceefd32.exe
2880	Omnjojpo.exe
3604	Ogcnmc32.exe
2204	Ompfej32.exe
4628	Ogekbb32.exe
452	Ojfcdnjc.exe
4252	Opclldhj.exe
5024	Omgmeigd.exe
4264	Pfoann32.exe
4364	Ppgegd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aqmiic32.dll	Hmbphg32.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gggmgk32.exe
File created	C:\Windows\SysWOW64\Fgijpe32.dll	Baegibae.exe
File created	C:\Windows\SysWOW64\Iafkld32.exe	Ilibdmgp.exe
File created	C:\Windows\SysWOW64\Mgeakekd.exe	Mokmdh32.exe
File opened for modification	C:\Windows\SysWOW64\Fjeplijj.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Hpoejj32.dll	Obnehj32.exe
File opened for modification	C:\Windows\SysWOW64\Ompfej32.exe	Ogcnmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cnaaib32.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Jaajhb32.exe	Jppnpjel.exe
File created	C:\Windows\SysWOW64\Bgnpek32.dll	Lebijnak.exe
File created	C:\Windows\SysWOW64\Oiikeffm.dll	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Hkhcdb32.dll	Heegad32.exe
File created	C:\Windows\SysWOW64\Cjehdpem.dll	Hnnljj32.exe
File created	C:\Windows\SysWOW64\Fndpmndl.exe	Fnbcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Kcoccc32.exe	Khiofk32.exe
File opened for modification	C:\Windows\SysWOW64\Jllokajf.exe	Jngbjd32.exe
File created	C:\Windows\SysWOW64\Cnocia32.dll	Mmhgmmbf.exe
File opened for modification	C:\Windows\SysWOW64\Ojfcdnjc.exe	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Eojiqb32.exe	Enhpao32.exe
File opened for modification	C:\Windows\SysWOW64\Gbbajjlp.exe	Gijmad32.exe
File opened for modification	C:\Windows\SysWOW64\Fmkqpkla.exe	Flkdfh32.exe
File created	C:\Windows\SysWOW64\Llmhaold.exe	Lfbped32.exe
File created	C:\Windows\SysWOW64\Ppgegd32.exe	Pfoann32.exe
File opened for modification	C:\Windows\SysWOW64\Fniihmpf.exe	Fbbicl32.exe
File opened for modification	C:\Windows\SysWOW64\Lnldla32.exe	Llmhaold.exe
File opened for modification	C:\Windows\SysWOW64\Boenhgdd.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Khiofk32.exe	Kcmfnd32.exe
File created	C:\Windows\SysWOW64\Kmhjapnj.dll	Hibjli32.exe
File created	C:\Windows\SysWOW64\Dddllkbf.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Mlbmonhi.dll	Fdnhih32.exe
File opened for modification	C:\Windows\SysWOW64\Jaajhb32.exe	Jppnpjel.exe
File opened for modification	C:\Windows\SysWOW64\Kbhmbdle.exe	Kiphjo32.exe
File opened for modification	C:\Windows\SysWOW64\Mfnhfm32.exe	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Ackekpfe.dll	Anaomkdb.exe
File created	C:\Windows\SysWOW64\Gimqajgh.exe	Glipgf32.exe
File opened for modification	C:\Windows\SysWOW64\Hmbphg32.exe	Hffken32.exe
File created	C:\Windows\SysWOW64\Eopjfnlo.dll	Pfoann32.exe
File created	C:\Windows\SysWOW64\Cgpfqchb.dll	Joekag32.exe
File created	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lojmcdgl.exe
File created	C:\Windows\SysWOW64\Lfgnho32.dll	Pcbkml32.exe
File created	C:\Windows\SysWOW64\Dnhpfk32.dll	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Jlgfga32.dll	Kcjjhdjb.exe
File opened for modification	C:\Windows\SysWOW64\Lojmcdgl.exe	Lebijnak.exe
File opened for modification	C:\Windows\SysWOW64\Mpapnfhg.exe	Mfkkqmiq.exe
File created	C:\Windows\SysWOW64\Nmaciefp.exe	Nblolm32.exe
File created	C:\Windows\SysWOW64\Idkobdie.dll	Kcmfnd32.exe
File created	C:\Windows\SysWOW64\Mfnhfm32.exe	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Npakijcp.dll	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Ojqcnhkl.exe
File opened for modification	C:\Windows\SysWOW64\Gpnfge32.exe	Flpmagqi.exe
File created	C:\Windows\SysWOW64\Qfoaecol.dll	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Jppnpjel.exe	Jekjcaef.exe
File opened for modification	C:\Windows\SysWOW64\Jhplpl32.exe	Johggfha.exe
File opened for modification	C:\Windows\SysWOW64\Bapgdm32.exe	Banjnm32.exe
File created	C:\Windows\SysWOW64\Fklcgk32.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Dohnnkjk.dll	Pfhmjf32.exe
File created	C:\Windows\SysWOW64\Bhnbgoib.dll	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Gpnfge32.exe	Flpmagqi.exe
File created	C:\Windows\SysWOW64\Lopmii32.exe	Ljceqb32.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Pfhmjf32.exe	Pcbkml32.exe
File opened for modification	C:\Windows\SysWOW64\Blgifbil.exe	Adndoe32.exe
File created	C:\Windows\SysWOW64\Aggpfkjj.exe	Agdcpkll.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7484	6424	WerFault.exe	286

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akepfpcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajbghaq.dll"	Hlmchoan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kheekkjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjiib32.dll"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmfgek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmbphg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akepfpcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilnbicff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lopmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdeo32.dll"	Ggfglb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcmfnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadafn32.dll"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmfgek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll"	Baegibae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpilmfi.dll"	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicchk32.dll"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojncj32.dll"	Eicedn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fndpmndl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhphpicg.dll"	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoemi32.dll"	Felbnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnjancb.dll"	Gijmad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahhjomjk.dll"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnbme32.dll"	Gfjkjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllokajf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegcnaoo.dll"	Enhpao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpchk32.dll"	Johggfha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljceqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdding32.dll"	Fndpmndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndhqgbm.dll"	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjlalkmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	486f95bf640c205b08f8191ab554573cece30138a9fa943ab6dfcec52e2c9dcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhhdnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jngbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkoafbld.dll"	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnkfmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjfaikb.dll"	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpochfji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ickglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnblldi.dll"	Giljfddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnnljj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbjnhape.dll"	Haodle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcoccc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficlfj32.dll"	Gimqajgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojfcdnjc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1980	824	486f95bf640c205b08f8191ab554573cece30138a9fa943ab6dfcec52e2c9dcb.exe	90
PID 824 wrote to memory of 1980	824	486f95bf640c205b08f8191ab554573cece30138a9fa943ab6dfcec52e2c9dcb.exe	90
PID 824 wrote to memory of 1980	824	486f95bf640c205b08f8191ab554573cece30138a9fa943ab6dfcec52e2c9dcb.exe	90
PID 1980 wrote to memory of 3668	1980	Ahbjoe32.exe	91
PID 1980 wrote to memory of 3668	1980	Ahbjoe32.exe	91
PID 1980 wrote to memory of 3668	1980	Ahbjoe32.exe	91
PID 3668 wrote to memory of 3200	3668	Anaomkdb.exe	92
PID 3668 wrote to memory of 3200	3668	Anaomkdb.exe	92
PID 3668 wrote to memory of 3200	3668	Anaomkdb.exe	92
PID 3200 wrote to memory of 4172	3200	Akepfpcl.exe	93
PID 3200 wrote to memory of 4172	3200	Akepfpcl.exe	93
PID 3200 wrote to memory of 4172	3200	Akepfpcl.exe	93
PID 4172 wrote to memory of 4740	4172	Adndoe32.exe	94
PID 4172 wrote to memory of 4740	4172	Adndoe32.exe	94
PID 4172 wrote to memory of 4740	4172	Adndoe32.exe	94
PID 4740 wrote to memory of 3232	4740	Blgifbil.exe	95
PID 4740 wrote to memory of 3232	4740	Blgifbil.exe	95
PID 4740 wrote to memory of 3232	4740	Blgifbil.exe	95
PID 3232 wrote to memory of 4964	3232	Bhnikc32.exe	96
PID 3232 wrote to memory of 4964	3232	Bhnikc32.exe	96
PID 3232 wrote to memory of 4964	3232	Bhnikc32.exe	96
PID 4964 wrote to memory of 4992	4964	Bhpfqcln.exe	97
PID 4964 wrote to memory of 4992	4964	Bhpfqcln.exe	97
PID 4964 wrote to memory of 4992	4964	Bhpfqcln.exe	97
PID 4992 wrote to memory of 820	4992	Blnoga32.exe	98
PID 4992 wrote to memory of 820	4992	Blnoga32.exe	98
PID 4992 wrote to memory of 820	4992	Blnoga32.exe	98
PID 820 wrote to memory of 2928	820	Bheplb32.exe	99
PID 820 wrote to memory of 2928	820	Bheplb32.exe	99
PID 820 wrote to memory of 2928	820	Bheplb32.exe	99
PID 2928 wrote to memory of 900	2928	Clchbqoo.exe	100
PID 2928 wrote to memory of 900	2928	Clchbqoo.exe	100
PID 2928 wrote to memory of 900	2928	Clchbqoo.exe	100
PID 900 wrote to memory of 1136	900	Cndeii32.exe	101
PID 900 wrote to memory of 1136	900	Cndeii32.exe	101
PID 900 wrote to memory of 1136	900	Cndeii32.exe	101
PID 1136 wrote to memory of 1596	1136	Eicedn32.exe	102
PID 1136 wrote to memory of 1596	1136	Eicedn32.exe	102
PID 1136 wrote to memory of 1596	1136	Eicedn32.exe	102
PID 1596 wrote to memory of 1900	1596	Felbnn32.exe	103
PID 1596 wrote to memory of 1900	1596	Felbnn32.exe	103
PID 1596 wrote to memory of 1900	1596	Felbnn32.exe	103
PID 1900 wrote to memory of 4500	1900	Fmfgek32.exe	104
PID 1900 wrote to memory of 4500	1900	Fmfgek32.exe	104
PID 1900 wrote to memory of 4500	1900	Fmfgek32.exe	104
PID 4500 wrote to memory of 4756	4500	Flkdfh32.exe	105
PID 4500 wrote to memory of 4756	4500	Flkdfh32.exe	105
PID 4500 wrote to memory of 4756	4500	Flkdfh32.exe	105
PID 4756 wrote to memory of 4108	4756	Fmkqpkla.exe	106
PID 4756 wrote to memory of 4108	4756	Fmkqpkla.exe	106
PID 4756 wrote to memory of 4108	4756	Fmkqpkla.exe	106
PID 4108 wrote to memory of 1372	4108	Flpmagqi.exe	107
PID 4108 wrote to memory of 1372	4108	Flpmagqi.exe	107
PID 4108 wrote to memory of 1372	4108	Flpmagqi.exe	107
PID 1372 wrote to memory of 4684	1372	Gpnfge32.exe	108
PID 1372 wrote to memory of 4684	1372	Gpnfge32.exe	108
PID 1372 wrote to memory of 4684	1372	Gpnfge32.exe	108
PID 4684 wrote to memory of 1204	4684	Gifkpknp.exe	109
PID 4684 wrote to memory of 1204	4684	Gifkpknp.exe	109
PID 4684 wrote to memory of 1204	4684	Gifkpknp.exe	109
PID 1204 wrote to memory of 1232	1204	Gfjkjo32.exe	110
PID 1204 wrote to memory of 1232	1204	Gfjkjo32.exe	110
PID 1204 wrote to memory of 1232	1204	Gfjkjo32.exe	110
PID 1232 wrote to memory of 4412	1232	Gpbpbecj.exe	111

C:\Users\Admin\AppData\Local\Temp\486f95bf640c205b08f8191ab554573cece30138a9fa943ab6dfcec52e2c9dcb.exe
"C:\Users\Admin\AppData\Local\Temp\486f95bf640c205b08f8191ab554573cece30138a9fa943ab6dfcec52e2c9dcb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\Ahbjoe32.exe
  C:\Windows\system32\Ahbjoe32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\Anaomkdb.exe
    C:\Windows\system32\Anaomkdb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\SysWOW64\Akepfpcl.exe
      C:\Windows\system32\Akepfpcl.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Windows\SysWOW64\Adndoe32.exe
        
        C:\Windows\system32\Adndoe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4172
      - C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Bhpfqcln.exe
        
        C:\Windows\system32\Bhpfqcln.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Fmfgek32.exe
        
        C:\Windows\system32\Fmfgek32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        25⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        29⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        30⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        31⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        33⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        36⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:708
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        40⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        41⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        42⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        45⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        49⤵
        Executes dropped EXE
        
        PID:4160
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        52⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        54⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        57⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        59⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        62⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        63⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        65⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        66⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        67⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:788
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        69⤵
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        70⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        71⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        73⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        74⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        76⤵
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        77⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4988
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        80⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        81⤵
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        82⤵
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        83⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        84⤵
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        86⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        88⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        89⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        90⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        91⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        93⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        100⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        101⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        102⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        103⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        104⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        106⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        107⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        109⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        110⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        115⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        118⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        120⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        121⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        122⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        123⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        125⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        126⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        127⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        129⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        131⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        133⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        134⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        137⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        138⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        139⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        142⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        143⤵
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        144⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        145⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        147⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        148⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3536
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        156⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        159⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        160⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6652
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        162⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        163⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        164⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6832
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        166⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        168⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        169⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        170⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7104
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        172⤵
        Drops file in System32 directory
        
        PID:7164
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6340
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        177⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        178⤵
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        179⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        180⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        183⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        184⤵
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        186⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        187⤵
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        188⤵
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6732
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        191⤵
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        192⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        193⤵
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        194⤵
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        195⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 400
        196⤵
        Program crash
        
        PID:7484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6424 -ip 6424
1⤵
PID:7236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:7776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adndoe32.exe

Filesize
92KB

MD5
1c96fa21977eef127ee7d3682162d2e0

SHA1
286a0d94404c59ad8f3043db2e21dfad14140933

SHA256
b190fdc1d9f08d2fff0a8b8e0d28fe7427e7849eb1372ff77f38c913663838df

SHA512
b8ff9590fd8d1305c3eaedea7a55967884b6bcd9a78a55ebacb23d70c83cfd0ad76be15c7bd56d1a770399be7eda8a7db7a3a758100c3197e8ba1e12965ed38b

Download Submit
C:\Windows\SysWOW64\Ahbjoe32.exe

Filesize
92KB

MD5
5e0fb0b459ccfca3387d12298f0f834c

SHA1
c8304982d4f4612fa747e0f34906b3ed2345e4c4

SHA256
0b30b5b91914c3cad30fa1094c3027af38b79886d94d787a76ec4e8d18eec20d

SHA512
22b8020b602ac8fe72922405edd79866b3953b2cf39284dacd2f10a569e9cada2bb3c050cbb11bf5716de185af98a131f16ee4060f7da53dbbb74428097567c6

Download Submit
C:\Windows\SysWOW64\Akepfpcl.exe

Filesize
92KB

MD5
4ab79c345e6a21c6c19598616ee8edb3

SHA1
bb6edef56a3c35fd0552053758b2d9cdc2cf3100

SHA256
a0c61aba115325a359b4769e89e190261858156f5af7e44aa1986eeb2bfca9a7

SHA512
4687644e4eda7b2e87ddad18d78e28b93d3a67634c5e0ab54bbc80bb78512374ed5d98b5808c36f37a57fdf59af5ea9004ad104d8a92e706bbaa0b86a442c045

Download Submit
C:\Windows\SysWOW64\Anaomkdb.exe

Filesize
92KB

MD5
6794a9e4ac0c86d3d8f52b662fa5d844

SHA1
9eea39ad7c74cae240b2cf87ba8b46c9e34ec133

SHA256
3768a8ef034aefbf774215ce314e1f55906346faef01e5a1d9a05bc0b739529a

SHA512
5f23024d0ccd7112be880e777f7f1ada96c494e49f789745197e4b027f510eeb9d26311ae9b9b389084bd5238d5f61fbaf8883fb41af5bebbb758842157e99ac

Download Submit
C:\Windows\SysWOW64\Bheplb32.exe

Filesize
92KB

MD5
23f0d2166448ea7909928602d33da161

SHA1
b056b7246ec70e0af26c8aa4eb03baa3e87dd634

SHA256
782fd93439f4d5d34349a309ce48d3ad33b69f4b19e601921d43b721b8389cc2

SHA512
250aadaf08325279af4f63147f25872f78a259fe087df8d4d2f5a34ce7fbdef86885da419c5ee3c2f8174ac194a97cdb111fd45e9481db76511bde65046ad060

Download Submit
C:\Windows\SysWOW64\Bhnikc32.exe

Filesize
92KB

MD5
3c694c8d8e9888b9bad140ababa327cf

SHA1
9527ec1d14086f6d7bee4894c6a2d419d0959dab

SHA256
8a75cb7e179e17f0a36bacb31acacb570b1e1251a246979ab2ceec1279865f15

SHA512
81bd18f1f531e399566160952479740d97b36d136869ad6f526d4e20cabfdaa4afec9c4f0cf809a2ca0cbd9d80db6f425740b6205cf40e5e652fb3a81f650ce3

Download Submit
C:\Windows\SysWOW64\Bhpfqcln.exe

Filesize
92KB

MD5
92d19f083777db80b0d730550f674082

SHA1
28b91c6867fd8c61a862afef1511cf31a2275b63

SHA256
16e6f40595a874574b70f3f3afd8664d88548220fb0bf654f070affee3753b0b

SHA512
0e65ef7f98ce0f7be49f0a8f0857a2f7aabc6aa36a4268a307c724aa91e8a466ae5e01d41fd1b6904f14cf5e336316c86e345c052260f9d9fa450bcda27f62b5

Download Submit
C:\Windows\SysWOW64\Blgifbil.exe

Filesize
92KB

MD5
724074b6cc41575dea41bf068f3151b1

SHA1
6ef7131cd8069cedc671487d23b508f16a87a1cf

SHA256
f275a743d14c92f6e06c12b25886aac1c71a2d09e8a2efb071bdbdca6dd69b2a

SHA512
475f8f1e292a7c894261c26266f7a3766756cc77e7e6f96af42dc638e3112a0376604e03d18db3729da47f216f2b5e189ef0f7efc3bbfb3a674b200205fd8958

Download Submit
C:\Windows\SysWOW64\Blnoga32.exe

Filesize
92KB

MD5
080a6fa5d2bf136e6c5e969d4633fac2

SHA1
e8279280fbf617af755ee89e680ddfefc0136b1e

SHA256
a1a292c429019986df8140d1e8dedd3e211b0529ecd3d7ab74b1709d0ad44425

SHA512
b15dd01063649a919e0a97e98628b8c917e0ad47c03f11c080011fc19cada3f8b6fe199cc284669c0d81cc5254002712ace48b7d2d13ae2bd83d534c364593c1

Download Submit
C:\Windows\SysWOW64\Clchbqoo.exe

Filesize
92KB

MD5
7934cd0e5cd4ec93a276a10a879578fa

SHA1
bc958d1f21c58606dab30925269ae435a289d8b2

SHA256
3095123eaa9a68b2a789463b445dd0b533d5643eab40428e96c603dfa6d1a97f

SHA512
c1064bda0e5ea92f015fd5ea7673a955deebfe9827bd25cfad4ac1b946c840532d345e245fa789f30d1de2c843e06500871dbbbb7d967c9fe1401e9083a5cecd

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
92KB

MD5
9aca736f25c8672ae804c18cb1549b92

SHA1
d2c117aa9a137a2fed6e8f9e748124715863a98e

SHA256
d5f02951b74a2c8bb21b939ea5293f84cfacb3bef10f11218f19531ca7d83b49

SHA512
882c3f465a1378b8e8218c1136778262245c5e2410de2b9c47c2c29a2f123e6c6e783bd491d02dd6895168b812395911bdfc234d9b6ad441e521c5309ff231bc

Download Submit
C:\Windows\SysWOW64\Cndeii32.exe

Filesize
92KB

MD5
c8a07b48b94bbcd496ee1504eb45dff5

SHA1
c4b7a730c4c26573c375779b3d027b7cd0bf647f

SHA256
dc7882cc832897ec56fb43ec6c92863bf2a6cf543b16ef6e9c6f67d07dc16d23

SHA512
37156e3a4ac2f6f041681a7a82384d2ece852a03c6dd3fe32cb17b23d87ef23ab8ddefae79860fc8a1343e911a1937857f6ee6a3e1bdc8735cbadd9534e45eaf

Download Submit
C:\Windows\SysWOW64\Eicedn32.exe

Filesize
92KB

MD5
981a8968e8bc1dafbe41b2bcd03f69b1

SHA1
c03d92a3964310a6ad9c65756728c360abbfef13

SHA256
8fb157f531ce12d8b314320bcae9bc5da61e53830f39771f3a68c041ec06b22b

SHA512
65acd6cf0179e83e7e7497ee0709ca9c526729e46923d88d3d4877d5a82c8b09561c78c52a2a3f1520d08b203d3adeec1942556b5452a29086dca376ca5b24b7

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
92KB

MD5
e43900136a319360fad4f4ff0584fa7b

SHA1
2be3ca5ebbd7f18ebac54c6bfa3a3ddfe2d24971

SHA256
816053b26f7f9d2d976f587839800cdf8e5094e84c986ef50c64d6c8c641525f

SHA512
1d85ceff666b37bd4d4916d8d3fbc4a3b76ea1afaf827bfa35e8e07a9e9d0eada6915812f5bbca754a5a98dbb68be68bfc6974fa637b6a1649802f2bd32648b1

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
92KB

MD5
3d796c3a42f90d03fa80ed6ea7f53ba7

SHA1
f9d8ed9d858b0036cf9aef0aa9bada7a595f5a61

SHA256
9f3be48743c3ce1386b49d0f0f9a21363d02e5f0e1728191b30483106f2b75b0

SHA512
72c631180b0cf5b3a2c0dd8d551da6eb58f4a95458c135aa516e11a5d554a31193be6ba2e3babfcb5d8d8aa4bd06c2614ee80be1d45fadf29087ba1d6f9950f9

Download Submit
C:\Windows\SysWOW64\Flpmagqi.exe

Filesize
92KB

MD5
704243b2adc9b07293c7f68180c0ef8a

SHA1
222602e2e760527369ca337e4511cf7aae9cdf2c

SHA256
826eff727f08db815b959998f8a1318b386d7f4e4477e0bf2d6dd907dccae601

SHA512
8199757639e2925979ca16f4f293046c7f61284b2eee8e62285d87c4829fbb1983587b654e8007ebe651cb642383e5de8d1a2dea24c2dbbaa50441c5526cc8f6

Download Submit
C:\Windows\SysWOW64\Fmfgek32.exe

Filesize
92KB

MD5
b8369a2818fabf08407653e88e7fa64c

SHA1
23af849052f55bf3a65a013fc79771b6acdbabfa

SHA256
74378d62feda020510b6fdf4120de4a1adacfb89109f98c65c5d983b8bb9be9a

SHA512
aff202085eb9c341c2c91f262a6142e886b594dcc6ecfbdc6e89ec03e265e6b2d4b42b534f4620b67ff4a519f20f4d40df1fe7ce92e4a1974a2313caff71a14a

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
92KB

MD5
1fd3967c5ca73253ce6cef83551a330f

SHA1
4a11691607d70d5dafe92637fb04181e980476aa

SHA256
1c31e2433fe4b9927a7a7e7f66da3e983dc0f61001179afc3e33e5dc1f47a7dc

SHA512
9323f971229dc92ca5d78a5d8f01e4d65ff6a808c80643d9b6859e5fbf991096ea5c64a4a96b8487d7ea2fae34dfa7b732f1af8fb8d3d089474b601a98ca104f

Download Submit
C:\Windows\SysWOW64\Gfjkjo32.exe

Filesize
92KB

MD5
d7b3b6aae2070a70bfa02ec83d2e2f79

SHA1
dd9600807bd61b9eb671d9d1161f64dd2f62a257

SHA256
228fd916371ce7888d3b6f4d24eec0182f3cb500cf03b56f519446efb24de6aa

SHA512
7ca0172a1f56afda555cc12ef52622821a9f881ce660f55289a5855d7b8868255cf6c44bcde21ba126b7eab9be7b7194cc103b2e631bcb9ab959cb4716e30a7f

Download Submit
C:\Windows\SysWOW64\Gifkpknp.exe

Filesize
92KB

MD5
64cde320eda55310990245a0cd643434

SHA1
82c997e23512960bde3620c691f81233b0c1a6d2

SHA256
3f16e91663c7f2bb5f7d725a04da00ad24cec76220b3aeb927fe8e0b4d63a39f

SHA512
f2398bee9433ef2ef7b0d3dabdd4479dd65fc2a6e06e22393617df4e2a0c7ff65d45df745e4d89cb5e6dc3852550ee054d36637ac4b63ea43a1c5d0ec236ec74

Download Submit
C:\Windows\SysWOW64\Gimqajgh.exe

Filesize
92KB

MD5
5e42767754e419e0c9158a9d03a56560

SHA1
9791b471eda61da2a52e6e8f5fd885a90b2a8e03

SHA256
c9cfe97224787bf6e955273fb739b5b200ba29f32cd84c0cac06f3e81de9f3fd

SHA512
9dd250b4bc1f00063219565faadce9a669a8d9218d1d329195c7426401f626b95241ee25110060468046acc869e8011459ce06afeec74e55e9f009cb0c693060

Download Submit
C:\Windows\SysWOW64\Glipgf32.exe

Filesize
92KB

MD5
a7fedfec0ec95185929f821efeffeac8

SHA1
9bc77ddf91b920a37b7ac1f0b4fcaebad5c7f867

SHA256
8044dc34516fb8567f8dad5595886533cf0c481c92d13a9afc357363a66bb337

SHA512
e7428ce8907f25df879696e70e9f68d74ec0861f9abd159ee81db5f842ace1939b8c5f73080a99f1abcd922c9df6fc5a4ceeb9b4c3d7c64cbe861f1b7287bc38

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
92KB

MD5
199388c26532baa0927cb1a1fc5c9d16

SHA1
cd09136072714565b207e2144382bbdc02610178

SHA256
d24f37189d07600fabd2e13eda395141375eb21670c75ad0019f5978c6cdd450

SHA512
f0b469e6e0d73cc3975bf6ec5cdb8b6497f1a0e0dbcddd62e4a39931f76e83bdf3e0ce0d1f2663af0889d15b0f193e05819d8c56a7f98dc82ed80793359e7fc2

Download Submit
C:\Windows\SysWOW64\Gpnfge32.exe

Filesize
92KB

MD5
78b4c868015e675cd15deefd9711eeee

SHA1
02f287bac17e256c6999c257d81712b0ffa8709b

SHA256
547dda3d9c01cb75e99f478e99ffd4ec774730a229dc680e1085b4ec06c10437

SHA512
703b04f8a01d5b8bf6b09a5db8cdb90e908fd838d9e372847575e79e24defb104e617859fbdc889fd0042264f5467bc8b1c4bbdc87a5718ece9d5872ab32bd20

Download Submit
C:\Windows\SysWOW64\Hfaajnfb.exe

Filesize
92KB

MD5
cfa378a3bb7b9fe3a64457737c9b17c3

SHA1
0e355923d2e4702d8b2467337ee91b195106e8d5

SHA256
efa7c04f172a2bc14c8da938bde21507d007f9aedfc4de95f0d01ea69d42971f

SHA512
fdaf94c5b33c382e6038938cfd7d42bf78e73fcb7420c3a774277d71c901b71f4a7a0c054045ad0a0a74ca2caa31c10d2e17229a1c62c6db92a59259ec0eb110

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
92KB

MD5
fc8a60607a2d2bcbbb11da8592c90122

SHA1
9c28c526d8d16a6ce86e40f8783d5efa2e3105c3

SHA256
bf7a4de4a45bd7b7a276696021269194a58a5e48bc1ec50be281f8650ca01801

SHA512
332fd25d86b26cb27f3c3693f9af2691810031c02cedd6cd8577b70c478bce7483ce7a925e88f03f87319ece60853a515e37d2a8e6cf7f97bd960bfd834d8ec1

Download Submit
C:\Windows\SysWOW64\Hibjli32.exe

Filesize
92KB

MD5
09106511eaa8c42cb8acbbb83c0a3899

SHA1
4e3d3962175bcd8f0305cd079afc01c6673586e9

SHA256
cdfd60d9b3ea2ecd51522fe957ed6a586e6d807e8d46a67ea6c9c41bb7a124e9

SHA512
c64d329364aaf52882c752c95cf3fd5a9895139db44fc2e0ace1e68d40ebdd40f90069ecd10d8123ca498d459dd3adf23cdc0f3273437b7b8443e4995b8ee48b

Download Submit
C:\Windows\SysWOW64\Hmbphg32.exe

Filesize
92KB

MD5
ed4b5bf905d23d9f7f41e8fa3171d87f

SHA1
1a1d00b42cfaadd4dab864e99d7bb9cfe52b530e

SHA256
993e351b8844d773110587e3914630f7ff613882f9dfe1eeba816c3cf38af64f

SHA512
5ed8055b661b4af3d1c9093b426de7aee5a7d175bb22288c6ee5ee3ec9fc15aaaadf8a0249c86b27f9c9b7ca59855f4ca65dc5f5d83ada6675a145042d447624

Download Submit
C:\Windows\SysWOW64\Ibfnqmpf.exe

Filesize
92KB

MD5
d1ff954bdb093ce4450c04dcb40bb75d

SHA1
2de1237ebb5ee32f7fb294336c45504a0b1f5f6a

SHA256
b800fa6cbbb771013853eb73cce67cec180d2f66aba1382cf975e23c01a5f3db

SHA512
c75bcb3b20811d1c9539e220e6cefec87df0394264b6850bb3630defa59c448902d3a7f6b2f598c5946132dc7091f944fc02168d64d113ceb8b0a31172379bf6

Download Submit
C:\Windows\SysWOW64\Iefgbh32.exe

Filesize
92KB

MD5
6fd87d685a7718dfdb8d0e0e95a4df84

SHA1
60ea87e82daa7474746de8689861b385a03a8e52

SHA256
902feecbfcd7377781850a909544badb1c2addc90ab90738791f719aac36f67a

SHA512
9701cbaaa50e285ec52cf7fc747123e900169481251d1531285a7082f0ac0a0b4e878dc8d7eff8cccc58f2bfb13fecd5f2687ad6c6761d210a019ea3295075bf

Download Submit
C:\Windows\SysWOW64\Iinjhh32.exe

Filesize
92KB

MD5
c8560c1091eec6f2fcd60ebae19a580e

SHA1
711519ac4659009e54ba584ad59b3a94f8af2f13

SHA256
9d27e557481f419cbff528898e406eded05c44d83e885b2f070fae24d315d8f4

SHA512
9ec4884fb69177e3627ed47b1b55f129f112258a2a315803743e0b309cf336a6e4aff3c174dd0f004a90793811764bfbcbdefb450fb71e57879570be228615b5

Download Submit
C:\Windows\SysWOW64\Ilnbicff.exe

Filesize
92KB

MD5
4d008540f6d2267cbf628fe823d80965

SHA1
b77787cafeb10b6d4991df5e4ecdbb55e1c39ec9

SHA256
258a443c9c57a7dde120878627c724c3c133adc22b78f501f196957bf5e72d09

SHA512
2d10236270632715cd854cc967f2d7e382a7135f4b78dc3a8a23d190138f268150f94356a3348f5efcb561f2b378ceaa091f905c25ebfc688f8f441f550bb5aa

Download Submit
C:\Windows\SysWOW64\Imgicgca.exe

Filesize
92KB

MD5
7f99f583571b3f9bd94767bd39edcf77

SHA1
c7601c84522edf44b9760643809f75665d86dee8

SHA256
4414726e0dc6efa8266a3273389ca08b30ac74f2075df8fdfddc3b4cf77d0314

SHA512
d893222acf44c37ab87ac18358021a337f142f80dbb9ce8c5a278042bf03e861ac044e3f20e5bfc0cc3fc9af55bd1e262af8dfaaf3fa502c7eb05d701fd07aea

Download Submit
C:\Windows\SysWOW64\Jaajhb32.exe

Filesize
92KB

MD5
ce463f078c8846523b5892288515e60f

SHA1
3ceeb8e357cee11c0c5f281ce275c320733799a5

SHA256
e2ca49362befe0fec76371c43087d833288fd410fa5186650f459b41f7e454fc

SHA512
c99d0af13ac24e8f406d619d1e172344bfb3f65659731cd647dc85dbdf2e196e51fc7b55e879a121431e7666a366e62ef5430e0dd0c498572d9f1aef30b158eb

Download Submit
C:\Windows\SysWOW64\Kfnfjehl.exe

Filesize
92KB

MD5
4fc8fa2502466b211f424920dff9b0f8

SHA1
a540c2bd39825843ec91942dd136b2f781e11a7b

SHA256
a6923a39e50d3c2d0a12db62d1f7e34aeb5fd9a8266d257cfb09f0b8a934d6de

SHA512
c52671f00f87e61933230a81ede7edaf06e17706fdfbae628a27b69b18dba68376b695a9f2de39c40bee33fb7522ac18da625bed78f557afa78b55bcbd07d41e

Download Submit
C:\Windows\SysWOW64\Llmhaold.exe

Filesize
92KB

MD5
a343df3441022a4423251777e95649ed

SHA1
0d52a1508b324bc2d5f2f7e72c7cf6004ea8901b

SHA256
c0208ceab5c7729ff83813262e327f9b9842a95b6ac99dd01b3eb85f07650c42

SHA512
8382fc0bc06103c8630d6982ef0c8b68df9dcc064b7f815bca6beaeae4e11b73919c2158c23bd90c04e099adf33feefc2ff07cf0a4c29ff4027f0144f0e26a54

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
92KB

MD5
6335e89bfb7137a3cb1a8e94eb981d7e

SHA1
f60d770a3adc61eab4bba76c3112afed204dfc31

SHA256
90e3ae57d4ed99b0611e7dee03c441a439ff00cacf8f3ee6efa1badb6749350e

SHA512
2cdd93c9ef4827f9223dbf029027bde386e5451aa9f3e68a0e8bc113f7fb477972bc8d26f92d81df58c741b4ee34e3ac767bb04a52254540223a8bd9496d04d6

Download Submit
C:\Windows\SysWOW64\Modgdicm.exe

Filesize
92KB

MD5
d881859731c5af0c4427562da203510c

SHA1
26883e452640b81510e60e6be8d1efc793c14e77

SHA256
3c2ef1e1929b0863a42f390b4bc4f6146c1677b6dc66ea33efcf4f6871783a9c

SHA512
9582a79d87647cafb78833cac8c935d8e7f795dd9ff8ddb07626636094e9db9cba85a91b237dea5e93acf32cc2c6d50172a897c0e19ad2bc0e3e8cfa450d1cba

Download Submit
C:\Windows\SysWOW64\Nblolm32.exe

Filesize
92KB

MD5
c7bb6baea73d4be97e82854cdc0d1e25

SHA1
2c2c1f4475cf1195272a6e0ca4408bee48ec8c9f

SHA256
f53dd5fcb0ef23d7fe70b6da993a767c3a272d43533d23f40d33cf38003e58ab

SHA512
2d33edba40b141d7127be4728e8b92e320b02e38e724861805bc564d5bbb5553f54c2b84c743f1692df245b007f336bebb385e8c5ab395a62ca2ee1da4d7a6e8

Download Submit
C:\Windows\SysWOW64\Ncpeaoih.exe

Filesize
92KB

MD5
8264da231ebd2b50825586c19ffe269d

SHA1
05bd1f04c1b9db8e6a3ad24141ddb32dd0b861f3

SHA256
e60ce6f50ee8dbbe47bb773818e4430fdd458d057a4a4cb23b6aacb039293988

SHA512
cdd4e47c885b676b26dd6d93c22540fdede47831b297b781e080e85a7e3a7bb30ef8072e64031fcd4995e598f9188f4100a059c4f96280e72c5bf349a95f649d

Download Submit
memory/376-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/408-202-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/452-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/468-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/692-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/708-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/820-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/824-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/824-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/824-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/900-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/924-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1040-186-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1136-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1204-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1232-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1372-146-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1420-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1596-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1752-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1900-114-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1916-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1980-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1988-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2204-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2256-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2604-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2880-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2928-85-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3156-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3200-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3232-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3264-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3564-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3604-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3668-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3804-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3816-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3856-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3872-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3976-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4108-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4160-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4172-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4252-432-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4308-384-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4368-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4620-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4628-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4684-154-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4696-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4740-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4952-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4964-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4992-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5032-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads