b02c30dafb785577a5bff17895b1c28f01b03eb5610b18d5eb86476d68a29747

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b02c30dafb785577a5bff17895b1c28f01b03eb5610b18d5eb86476d68a29747.exe
Size

367KB
MD5

78585791e7296613ebb060a7b190d3e6
SHA1

945146903bd5b5b70ee475ef5844ee33758e4524
SHA256

b02c30dafb785577a5bff17895b1c28f01b03eb5610b18d5eb86476d68a29747
SHA512

c40713c9d6d7cd29e01f0ebe6860fe119d06e47ad2a7baf70e2494fcc3c33f709c2c62ea6d1bbaf85efa6ccdfdc83dc4b4a5942c85fb94e16530bb233c7fc4bd
SSDEEP

6144:VVlJrJ25ctnJfKXqPTX7D7FM6234lKm3mo8Yvi4KsLTFM6234lKm3cM9:VVlhtJCXqP77D7FB24lwR45FB24lqM

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gndick32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hiacacpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilnlom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iajdgcab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gikdkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glhimp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfhndpol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhboolf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmladm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnonkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fecadghc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hehdfdek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inebjihf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gihpkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhndpol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enpfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hecjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apeknk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Damfao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eghkjdoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fofilp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gikdkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnhdgpii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqppci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pimfpc32.exe

Executes dropped EXE 64 IoCs

pid	Process
5008	Fflohaij.exe
3272	Fnnjmbpm.exe
4416	Gfhndpol.exe
4216	Gemkelcd.exe
944	Gikdkj32.exe
4436	Gbeejp32.exe
1256	Hbhboolf.exe
2168	Hidgai32.exe
4472	Hekgfj32.exe
1132	Hpchib32.exe
1900	Iohejo32.exe
2940	Iojbpo32.exe
2016	Ipjoja32.exe
2164	Lmaamn32.exe
2252	Mnhdgpii.exe
3080	Npbceggm.exe
1784	Omdppiif.exe
4608	Ondljl32.exe
4620	Paeelgnj.exe
3644	Paiogf32.exe
2884	Palklf32.exe
5016	Qmeigg32.exe
348	Qdaniq32.exe
3176	Adcjop32.exe
3056	Aajhndkb.exe
4068	Amcehdod.exe
3204	Bhkfkmmg.exe
3156	Bgpcliao.exe
4940	Bahdob32.exe
3580	Bnoddcef.exe
1724	Cammjakm.exe
4552	Caojpaij.exe
1680	Cpdgqmnb.exe
1248	Cpfcfmlp.exe
2116	Cnjdpaki.exe
2492	Dkndie32.exe
1820	Ddgibkpc.exe
5024	Dnonkq32.exe
4320	Dkcndeen.exe
3164	Damfao32.exe
4396	Dgjoif32.exe
232	Dndgfpbo.exe
1768	Dhikci32.exe
2220	Eqdpgk32.exe
3592	Ekjded32.exe
3668	Eqgmmk32.exe
2708	Enkmfolf.exe
4912	Egcaod32.exe
4308	Ebifmm32.exe
1804	Egened32.exe
1412	Enpfan32.exe
1616	Eghkjdoa.exe
5052	Fqppci32.exe
3416	Foapaa32.exe
1920	Fgmdec32.exe
2432	Fbbicl32.exe
2372	Fofilp32.exe
4676	Fecadghc.exe
5036	Fohfbpgi.exe
1212	Feenjgfq.exe
4816	Gpmomo32.exe
5044	Giecfejd.exe
4252	Gnblnlhl.exe
5012	Gihpkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bailkjga.dll	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Hhimhobl.exe	Hbldphde.exe
File opened for modification	C:\Windows\SysWOW64\Inebjihf.exe	Hihibbjo.exe
File created	C:\Windows\SysWOW64\Dkedonpo.exe	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Aolece32.dll	Fflohaij.exe
File created	C:\Windows\SysWOW64\Ohjckodg.dll	Dpmcmf32.exe
File opened for modification	C:\Windows\SysWOW64\Ckidcpjl.exe	Cmedjl32.exe
File opened for modification	C:\Windows\SysWOW64\Egcaod32.exe	Enkmfolf.exe
File created	C:\Windows\SysWOW64\Binfdh32.dll	Ecdbop32.exe
File opened for modification	C:\Windows\SysWOW64\Nbphglbe.exe	Mlljnf32.exe
File created	C:\Windows\SysWOW64\Qbonoghb.exe	Pmbegqjk.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Dndgfpbo.exe	Dgjoif32.exe
File created	C:\Windows\SysWOW64\Hbnckkha.dll	Enkmfolf.exe
File opened for modification	C:\Windows\SysWOW64\Enlcahgh.exe	Ecgodpgb.exe
File created	C:\Windows\SysWOW64\Ieagmcmq.exe	Inebjihf.exe
File opened for modification	C:\Windows\SysWOW64\Bhkfkmmg.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Gpmomo32.exe	Feenjgfq.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Cnjdpaki.exe
File opened for modification	C:\Windows\SysWOW64\Gikdkj32.exe	Gemkelcd.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qmeigg32.exe
File opened for modification	C:\Windows\SysWOW64\Adcjop32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Qejpnh32.dll	Iajdgcab.exe
File created	C:\Windows\SysWOW64\Enlcahgh.exe	Ecgodpgb.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Libmeq32.dll	Giecfejd.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Dodfed32.dll	Enlcahgh.exe
File created	C:\Windows\SysWOW64\Khihgadg.dll	Qjhbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Aiplmq32.exe	Apggckbf.exe
File opened for modification	C:\Windows\SysWOW64\Iehmmb32.exe	Ilphdlqh.exe
File created	C:\Windows\SysWOW64\Lohqnd32.exe	Jldbpl32.exe
File created	C:\Windows\SysWOW64\Ecpfpo32.dll	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Giecfejd.exe	Gpmomo32.exe
File created	C:\Windows\SysWOW64\Mgpilmfi.dll	Glhimp32.exe
File created	C:\Windows\SysWOW64\Paiogf32.exe	Paeelgnj.exe
File opened for modification	C:\Windows\SysWOW64\Pimfpc32.exe	Nbphglbe.exe
File opened for modification	C:\Windows\SysWOW64\Bdapehop.exe	Aiplmq32.exe
File opened for modification	C:\Windows\SysWOW64\Fjeplijj.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Ejhdfi32.dll	Iohejo32.exe
File opened for modification	C:\Windows\SysWOW64\Enkmfolf.exe	Eqgmmk32.exe
File opened for modification	C:\Windows\SysWOW64\Fqppci32.exe	Eghkjdoa.exe
File created	C:\Windows\SysWOW64\Cedckdaj.dll	Ondljl32.exe
File created	C:\Windows\SysWOW64\Njlmnj32.dll	Hihibbjo.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Nqgnfcmm.dll	Egcaod32.exe
File created	C:\Windows\SysWOW64\Feenjgfq.exe	Fohfbpgi.exe
File created	C:\Windows\SysWOW64\Ojmjcf32.dll	Fnnjmbpm.exe
File created	C:\Windows\SysWOW64\Giljfddl.exe	Glhimp32.exe
File opened for modification	C:\Windows\SysWOW64\Glhimp32.exe	Gndick32.exe
File created	C:\Windows\SysWOW64\Apggckbf.exe	Apeknk32.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fboecfii.exe
File opened for modification	C:\Windows\SysWOW64\Pbhgoh32.exe	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Pknjieep.dll	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Hhdebqbi.dll	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Iohejo32.exe	Hpchib32.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Gndick32.exe	Gihpkd32.exe
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Cpacqg32.exe
File opened for modification	C:\Windows\SysWOW64\Paiogf32.exe	Paeelgnj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6632	6228	WerFault.exe	232

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b02c30dafb785577a5bff17895b1c28f01b03eb5610b18d5eb86476d68a29747.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhdfi32.dll"	Iohejo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Damfao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gihfoi32.dll"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iajdgcab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fnnjmbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iojbpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Omdppiif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eqgmmk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glhimp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fflohaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ekjded32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqhfnd32.dll"	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjaei32.dll"	Dnonkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enpfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enopghee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdebqbi.dll"	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Palklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gndick32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hehdfdek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnonkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojfj32.dll"	Hiacacpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll"	Enopghee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eklikcef.dll"	Gemkelcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egened32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fohfbpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hecjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkpla32.dll"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjjlakk.dll"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecgicmp.dll"	Fohfbpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdapehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eghkjdoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hihibbjo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 5008	2636	b02c30dafb785577a5bff17895b1c28f01b03eb5610b18d5eb86476d68a29747.exe	90
PID 2636 wrote to memory of 5008	2636	b02c30dafb785577a5bff17895b1c28f01b03eb5610b18d5eb86476d68a29747.exe	90
PID 2636 wrote to memory of 5008	2636	b02c30dafb785577a5bff17895b1c28f01b03eb5610b18d5eb86476d68a29747.exe	90
PID 5008 wrote to memory of 3272	5008	Fflohaij.exe	91
PID 5008 wrote to memory of 3272	5008	Fflohaij.exe	91
PID 5008 wrote to memory of 3272	5008	Fflohaij.exe	91
PID 3272 wrote to memory of 4416	3272	Fnnjmbpm.exe	92
PID 3272 wrote to memory of 4416	3272	Fnnjmbpm.exe	92
PID 3272 wrote to memory of 4416	3272	Fnnjmbpm.exe	92
PID 4416 wrote to memory of 4216	4416	Gfhndpol.exe	93
PID 4416 wrote to memory of 4216	4416	Gfhndpol.exe	93
PID 4416 wrote to memory of 4216	4416	Gfhndpol.exe	93
PID 4216 wrote to memory of 944	4216	Gemkelcd.exe	94
PID 4216 wrote to memory of 944	4216	Gemkelcd.exe	94
PID 4216 wrote to memory of 944	4216	Gemkelcd.exe	94
PID 944 wrote to memory of 4436	944	Gikdkj32.exe	95
PID 944 wrote to memory of 4436	944	Gikdkj32.exe	95
PID 944 wrote to memory of 4436	944	Gikdkj32.exe	95
PID 4436 wrote to memory of 1256	4436	Gbeejp32.exe	96
PID 4436 wrote to memory of 1256	4436	Gbeejp32.exe	96
PID 4436 wrote to memory of 1256	4436	Gbeejp32.exe	96
PID 1256 wrote to memory of 2168	1256	Hbhboolf.exe	97
PID 1256 wrote to memory of 2168	1256	Hbhboolf.exe	97
PID 1256 wrote to memory of 2168	1256	Hbhboolf.exe	97
PID 2168 wrote to memory of 4472	2168	Hidgai32.exe	98
PID 2168 wrote to memory of 4472	2168	Hidgai32.exe	98
PID 2168 wrote to memory of 4472	2168	Hidgai32.exe	98
PID 4472 wrote to memory of 1132	4472	Hekgfj32.exe	99
PID 4472 wrote to memory of 1132	4472	Hekgfj32.exe	99
PID 4472 wrote to memory of 1132	4472	Hekgfj32.exe	99
PID 1132 wrote to memory of 1900	1132	Hpchib32.exe	100
PID 1132 wrote to memory of 1900	1132	Hpchib32.exe	100
PID 1132 wrote to memory of 1900	1132	Hpchib32.exe	100
PID 1900 wrote to memory of 2940	1900	Iohejo32.exe	101
PID 1900 wrote to memory of 2940	1900	Iohejo32.exe	101
PID 1900 wrote to memory of 2940	1900	Iohejo32.exe	101
PID 2940 wrote to memory of 2016	2940	Iojbpo32.exe	102
PID 2940 wrote to memory of 2016	2940	Iojbpo32.exe	102
PID 2940 wrote to memory of 2016	2940	Iojbpo32.exe	102
PID 2016 wrote to memory of 2164	2016	Ipjoja32.exe	103
PID 2016 wrote to memory of 2164	2016	Ipjoja32.exe	103
PID 2016 wrote to memory of 2164	2016	Ipjoja32.exe	103
PID 2164 wrote to memory of 2252	2164	Lmaamn32.exe	104
PID 2164 wrote to memory of 2252	2164	Lmaamn32.exe	104
PID 2164 wrote to memory of 2252	2164	Lmaamn32.exe	104
PID 2252 wrote to memory of 3080	2252	Mnhdgpii.exe	105
PID 2252 wrote to memory of 3080	2252	Mnhdgpii.exe	105
PID 2252 wrote to memory of 3080	2252	Mnhdgpii.exe	105
PID 3080 wrote to memory of 1784	3080	Npbceggm.exe	106
PID 3080 wrote to memory of 1784	3080	Npbceggm.exe	106
PID 3080 wrote to memory of 1784	3080	Npbceggm.exe	106
PID 1784 wrote to memory of 4608	1784	Omdppiif.exe	107
PID 1784 wrote to memory of 4608	1784	Omdppiif.exe	107
PID 1784 wrote to memory of 4608	1784	Omdppiif.exe	107
PID 4608 wrote to memory of 4620	4608	Ondljl32.exe	108
PID 4608 wrote to memory of 4620	4608	Ondljl32.exe	108
PID 4608 wrote to memory of 4620	4608	Ondljl32.exe	108
PID 4620 wrote to memory of 3644	4620	Paeelgnj.exe	109
PID 4620 wrote to memory of 3644	4620	Paeelgnj.exe	109
PID 4620 wrote to memory of 3644	4620	Paeelgnj.exe	109
PID 3644 wrote to memory of 2884	3644	Paiogf32.exe	110
PID 3644 wrote to memory of 2884	3644	Paiogf32.exe	110
PID 3644 wrote to memory of 2884	3644	Paiogf32.exe	110
PID 2884 wrote to memory of 5016	2884	Palklf32.exe	111

C:\Users\Admin\AppData\Local\Temp\b02c30dafb785577a5bff17895b1c28f01b03eb5610b18d5eb86476d68a29747.exe
"C:\Users\Admin\AppData\Local\Temp\b02c30dafb785577a5bff17895b1c28f01b03eb5610b18d5eb86476d68a29747.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\Fflohaij.exe
  C:\Windows\system32\Fflohaij.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\Fnnjmbpm.exe
    C:\Windows\system32\Fnnjmbpm.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\SysWOW64\Gfhndpol.exe
      C:\Windows\system32\Gfhndpol.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4416
    - - C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        32⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        34⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        40⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        43⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        45⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        50⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        55⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        56⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        57⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        64⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        68⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        69⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        71⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        74⤵
        Drops file in System32 directory
        
        PID:736
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        75⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        79⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        82⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        83⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        90⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        91⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        94⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        95⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        96⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        97⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        98⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        99⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        101⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        103⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        104⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        105⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        110⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        111⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        116⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        124⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        125⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3956
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        128⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        129⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Enlcahgh.exe
        
        C:\Windows\system32\Enlcahgh.exe
        130⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        131⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        132⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        134⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        137⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        138⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        139⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        141⤵
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        142⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 412
        143⤵
        Program crash
        
        PID:6632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6228 -ip 6228
1⤵
PID:6504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:7136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
367KB

MD5
e86af4f6a3ff0d2fdb0cfc1e577b2f1d

SHA1
dc5a8abd9bdc9b08148ff2ef00d397bed54a7b45

SHA256
debb8c4b3aeffe84a18ee84d595bb720874a970176c33f5684bd83970a570a7b

SHA512
483c7524e1ba7dca2e808476fbcf1ec1da7b328023f32c01a5a2a6b87f337ac34b4bd3f4b489aa88564845d2113f2d677f6929a474440a1ec20e5d1bc876251d

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
367KB

MD5
3cf532b52239015aa236eef717707189

SHA1
32e2ee803d37bac618ac5e1eee2d072425034ca5

SHA256
eba4c27451859d8925273bd5aed77c6d326f2f1ac2d306d2123a749d1fe74fd8

SHA512
81c22454e2954a8f9aaccb9e071e1bb053da82b74f35ba14a20037358e0de05529bbd5010f54f430304b2de54d07fea8dbef13eef5cd16b2d28ecdc1e7a2d2ec

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
367KB

MD5
8728ddd0aaf85b27a4d017208c8e54d1

SHA1
32dc2a7a69508267bd3c3047a26eb492fda5fbe9

SHA256
7fd77c5e51c4fc30398d69a375ee59f694bad57270a361cb060fd1713c64f734

SHA512
dc8dec7cb3d6a5e9ce705636f88f6b04bbf49cfdbcd4fcc6bb9c6342bbe07e13e3af435bad6c2c01833170cfb8e58eb5754c4dfe9c11a3a177e6a3a665ade3fc

Download Submit
C:\Windows\SysWOW64\Aiplmq32.exe

Filesize
367KB

MD5
b8c106db2ae3aef337a92cd92ff40a7a

SHA1
1cf7f8b2d4bde7337e8769d731b020363b6fe406

SHA256
c495c78f88bb34078e33915ce993b0d0543050150a9662a25a77b6b223006e91

SHA512
13e5f46f7a99225e3d5c32e0ff9439ec47f9d63cdc3491c6bd9bd7f91b55385201b0d3489f0f10ca87cdeaec358191dffa86deb0a3b693f7409ca12efdcd0b35

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
367KB

MD5
9b7a80052a8bcbf79316e1a9dc18127f

SHA1
4aaf37bba598ff9a427ce9ab8761b7e91d05a5a9

SHA256
9d42dfb2f8aa868e7d93d383d68fff891625876938b8825103d9f14f363bc98a

SHA512
a3bd98b56acbc52163ca901e4388ed2aa2852d6da4d3e794f7a49c55f4162a69aeb2f8538d6a43b98c18d9dd10eb3d3e1bdbb3d2172de2d04099c24c373556a3

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
367KB

MD5
1b260ca0bf655e3a693c3e3d2a22cf8b

SHA1
6a623c40fa55efef840854e305d4ac77eb12071d

SHA256
e69804f506a7768f5d692afbfec737316fe1d57650327eae75da5d3f9a10b322

SHA512
e2da606ade60be898564778012008a81235477969e9318cacbd0c1413b88a6bf610e5e6b8dc4ed028f6a0567e5465a096c0380a6e96f3305e090d77f3d3cf3d0

Download Submit
C:\Windows\SysWOW64\Bgpcliao.exe

Filesize
367KB

MD5
80d55e1fffdff5c256d9869c11a63173

SHA1
04a9f72c8cad00d4d76317995df6b859277fc922

SHA256
764457d6de45e173ef15db94d611e6796f6fc1dbaf42abda016e49cb9c6a64a7

SHA512
2cbec0fa6e315ed7cd0fa8240c07c62cda5a54d09ff0e753219e0fe479b066bc7a1bc479a6d12a752c070e85abd44081b07792808c9ba349529e29dddd38f7f5

Download Submit
C:\Windows\SysWOW64\Bhkfkmmg.exe

Filesize
367KB

MD5
7821bbc4fb8ee6283e7841ceae588d57

SHA1
d123902fcf524c7f7f1b816e1405701e84fc5618

SHA256
eabef9279b375bd75db74942624c143c09cf5ae10882d28c6ecf3f0d9b4305f1

SHA512
4cbffdcf4623c722ba8ad6cffc6adc7d3eeebfeb0e874cf2427dfb5f4415e7c3a98226ccad6a77d0021cfdff6c3f77dc34075e164a32ea13d1b5dcb19b2dfcad

Download Submit
C:\Windows\SysWOW64\Bhkfkmmg.exe

Filesize
367KB

MD5
e6e00481a2cf1ccb415df06bfd8fbefa

SHA1
67a5e88177fa173d9d56675a2ecc41355a816e95

SHA256
d5de250c2be135a77d8e8d0d43f6331081c0438c9800a4ea48ae7edeb89ca277

SHA512
915fd5114c6eba7523678954c0452c916b1a9d8b7d8a96dec25530240803e24bb65fe0b55c94c0dbde909156269616c773ff7a68ffb90b61ecbc33997a6ef6cd

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe

Filesize
367KB

MD5
fa30123cd2089857e644506e93c92b10

SHA1
6c6c58d15153d5b3817f03862f5b634cea57cdf9

SHA256
5a852ade3b057891c45fa651daae87114798663af06113aa239f2e777121d4aa

SHA512
834593367a65514126c79e7cc8cb704c031adff34db39906e73a9a608330cd9b534350c7e9e4e192e718fa0b451870eb26b7aedaf09e1d7ba34af3ee2cb3329a

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
367KB

MD5
e56d4359f57e4a319d6b30d85669bf9d

SHA1
757680f2cc491c45e4452ccd4422beef204e96fa

SHA256
7eb98775d8bfc28adc1a776b22e6d333c682fca365d1238388588d2703141262

SHA512
ba92bcf5d33681c824dcbb124b4d3606ff2393ae6430cc89aa0624c1815bbf5800c03b6cb7b9253b1f5c8add5b7be42d473bfdb2baad508f28cead218770bb68

Download Submit
C:\Windows\SysWOW64\Caojpaij.exe

Filesize
367KB

MD5
00b0d62528ec922a155e447b3f8a0c1d

SHA1
ca0653fe979ccd8bc8815a8714295fe5ac701260

SHA256
49596498ab203886ec2627db1e31ec373ed5aea5bf1a120f39b0ab5e6add71da

SHA512
be9f2323f8fc992ab6bcebff8e726f707b99b77448dad49d25551d08ae0b44e5b90205364e6041fbaec17a148b9a756d70255e71c8dd958eec6941a166abd956

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
367KB

MD5
50ba1787fdf3055ec054cba777048664

SHA1
5ba851df6e5700cd7289dbf1ba7a0e41a3499422

SHA256
aa668f60a666454c03161659147deac4bafff14ab8a18af38a08156a2fecb368

SHA512
9a54f12826389a1fe758b8c411116e3585a47acec33b030e8f650650523b54de6811f77c07d7f1994094550640fab618e4800e684b697a4b57ef14051aa58921

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
367KB

MD5
3c23f75108243246f352338a7a09dc16

SHA1
025e7e9ddc9fa9c90ea28692329576430f7f9d59

SHA256
7fe9cd21f0460d5f2ad5e72a55571596833e4e3ffdbf9e2f8e01de5f116a301b

SHA512
2527892c18b1dcfe03fafee79f84d6f0daf039af6d584fe52f1d2a612551fd9ca158aab16fd0f27565844dab380d2d03a5ef2bd272eb4fbe364e9dbc3761a1a6

Download Submit
C:\Windows\SysWOW64\Cpacqg32.exe

Filesize
367KB

MD5
78913fbc9d89a92b46e03f320f352599

SHA1
1a47d9bb135b57a17e194d997424e1a5a33873a1

SHA256
0733c470b099b8cbe5b919771b4aa4d69d3c892d8bd45c9c3f112657121a5cc5

SHA512
54368582bff9ebae3517a0843b9149c9d8c2fff5babf3cc86fb764c50af3b2f68248c793f6feaeeb7e28ee06de54deaf7e7d6d8a233a79922ab2f9413dcdda41

Download Submit
C:\Windows\SysWOW64\Dkcndeen.exe

Filesize
367KB

MD5
bbadda60b5d663c0162a15b2a68c9807

SHA1
b09b540cd44a344307a6d5f9e79ab5b2785e8f19

SHA256
5490d5a1dc77565b2686f1cb02f8ce60a3586e39ba7a25768e5b8f0385aa8f8d

SHA512
0ff3ab1f386bf480156f93aae4812a097e0783ccd2abc7d01bebb858ab8b6ae5f7752e4b63c0e5efdff26abc72ba47a652bb4b8baeb1038f0138a3bbfaab23bc

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe

Filesize
367KB

MD5
6099f18c6f0d8790bed2fdd8a7b547f6

SHA1
942217bf07434d79dfdff63a34b4a75d40d5eeb9

SHA256
a5fa98a8f2334bc4058219f9bf54ba93637695c9d38f593ba49e3af81993c28d

SHA512
4d3e53769d214004ce0d836db33d6ab6e681bd8245adbdbc178c4c4392115f05c5140fec8d4b6ab7ac277537bbdc432eb674a0992d9e8ab01d4d0e038ae5bfdf

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
367KB

MD5
2bec01a350c8eeaff2039eaee3e221a3

SHA1
83feead381516ba9b4543d26b30156b6acd36a44

SHA256
b56a6c88ee33cab02efe0a745876ba04a79308a56be7edd84f982c9d373f0550

SHA512
d6e8753a4a846b2c53558cf7db86ac866a354a55e8fe3998ec0c49dff7157135ed3d302ef15f0f362a48db60897551c1b7809346058a24fe188e11a932c40647

Download Submit
C:\Windows\SysWOW64\Eklikcef.dll

Filesize
7KB

MD5
765257265651e4ad508551dd3600571d

SHA1
09c0627bd6d4b3da4d036e887a7c3b810a994358

SHA256
0c46a4b86dafae0a805dc42cbd02f1c3b50c1e5bcd62b9dd9478f8f8f6f93893

SHA512
2fbdae9ac05db9c3d23263ee55a8bb46d5f45ae1903675c22d507bf0fe475bfae1ee7dd0a450bede97288bba74e43e5f5c6eead568b564eda41e3ca53ca50d8b

Download Submit
C:\Windows\SysWOW64\Enhifi32.exe

Filesize
367KB

MD5
dd7071af4245bfda427b9d023ffecaef

SHA1
0d41f8ee6ca5b7dfb953d284a47db121e96ff2e4

SHA256
3c6b5c009aeda56ea19bb43a9d00ceea4b815348cc291e882708d0d4eea87457

SHA512
6d21ef74175a95eadd96a72a2bc933e99bd8d907615de76436e1910d70823693309768b3498e27bf3f8ede25f443584a05838fd61be6348570ab24b2c4b6f584

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
367KB

MD5
46ecaabcfd25fa31a8037222af6ce10d

SHA1
0cd59136c03720f1b23dadc173df1677b0946351

SHA256
113cba0280b1fe8fd9cdbd636b00195aa232ab9fd87d8e2317ce71d8d7dfc349

SHA512
c25a9cc88edfd9dac6d64072ebd1d526ecf69cc57def79c942095ddd90662594f7288e3102174f48216de1b402a2ffd3825634fbdf76984c1d140b08d2b2ada9

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe

Filesize
367KB

MD5
132f488d33e31cbc6b8d9bc087718158

SHA1
0323588018c8e8810f58d37c151736f15e471bf6

SHA256
efc29d0bbeb25948c3abc571ea97e4400675325e94596796d2c611c5271a26e4

SHA512
3c138a90fe8dedda05fb12895ef363619d668bed1942054ac6e2f95b6f813bdfeaeeb28731403d3e538a1d7e922e8c866860ef831a6b20625767bae1085e181c

Download Submit
C:\Windows\SysWOW64\Fgmdec32.exe

Filesize
367KB

MD5
0dbcbcb318bc08e7be33f2295712bebf

SHA1
6549a3dc694562ccd2c98c385994a76484b2b421

SHA256
7129bdeebc8ec67cea4a678c57ae9379385c5c2f71d0dd1a4c2ad3773c416512

SHA512
57e5e234d96a93f135bb5d1ca63dfda5709fa3c3954efce3a75518725f3a35df9ef48c94e2dee434ef7aece94f1fe2351d99334acc0242493e60273397cd5bf3

Download Submit
C:\Windows\SysWOW64\Fgnjqm32.exe

Filesize
367KB

MD5
f7fcd860a0e5a21ecde5ae3d63c3871d

SHA1
ac8c2b372cad2e145844567822498065a7e4f5ec

SHA256
5de4562e5043bc2b16722b2db5f1f47b04233033b2cc240dd737face1911ae39

SHA512
f593060e90164dab4d97d2f1a38da2a3c67ada76a4df2656c4c27f04002c2988e0028756cb57f069f9d77f48d29b73357fb86ddefac43d202c6407729197add5

Download Submit
C:\Windows\SysWOW64\Fkgillpj.exe

Filesize
367KB

MD5
d032376311dae7a56c745f81a8ca780b

SHA1
14cc10cd38366ff2ff92c623652e1916b7f850dc

SHA256
24c668b77dfdb23cbe4206a20cb718c65127d98ec449bd7a489b0023327612b0

SHA512
4822f4162bbf4e7a585938b64d64ea56a012e6bc3088fbb6815d2d8655476f9ef183991bf92c81c35f342e7ebf3a5e2a5b38f64c5419e6c62314e067cf6945f1

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe

Filesize
367KB

MD5
598975bf2ae9d06205d3bfb72a160001

SHA1
55bc3f64f2a76a6af1df5ee8e5f68a9c293e6b49

SHA256
53b575083b8ef5eb7b74f902201d68b2d7b4b5fa576f4b6e2e77a245a5739c6f

SHA512
822b5ea8526d79786987fea3442951503064a2f10f47093787cdbf209242a9cd5108ee7e7cac7849e5345f1b79dde63d1936aab2e0f19b2f6056fac983d0ebb6

Download Submit
C:\Windows\SysWOW64\Fofilp32.exe

Filesize
367KB

MD5
36ff086a32c4880ea74a225af8b2007d

SHA1
8b4baea517ca975a06ff952aa87524d9e6f6e613

SHA256
4a25206cb3e649b6385d0556b75d055fddc4ee199579f180aee327f08c6fa33a

SHA512
53151c38b155ca581f0f6509d42d12ec1db21e654594ab844d32ef06a301c189e27c723047042590046d0b61e7c6fe1855e3238764e39302ef88023a723b2b67

Download Submit
C:\Windows\SysWOW64\Fqppci32.exe

Filesize
367KB

MD5
7fce20ad7f4f400c6aeb9ebc6d132010

SHA1
55c2f5bb2cd9171d3691088e87f26d4c7b666d5f

SHA256
3c2d781c5b441cffdbf39fec2a18d3fafb06f5d14552ddeeaa24e7f8941cd7d1

SHA512
e51000280b0b4ad7f197a31656ae5ecb9b2af8982af310560b39ca706fd068d10138dbce94135c5e1636974432bd3110d92dc5c4b222b29ed73c7cebef29be89

Download Submit
C:\Windows\SysWOW64\Gbeejp32.exe

Filesize
367KB

MD5
c8454768b27856f151520aa21133ed28

SHA1
37b9ded29160377633d658a8a4a4b40a6fd18648

SHA256
ac910bed57ffc253e0eb0c606f36d5c5de511d95b1d58763421b7a81b5136752

SHA512
50f732cce4cae4153e30723a98c676229393ccaba3d492ee0edb462d2963369f01f7629ee87f47916e6e7ec459931d3bf483e9c3504e3ea42d6fd93172f66df7

Download Submit
C:\Windows\SysWOW64\Gemkelcd.exe

Filesize
367KB

MD5
b60bc62abc4683fb4f81e794007426dc

SHA1
81f4dd1d8ce3f5bccf586e5ec49c49ef809358d3

SHA256
459a2f93c28b995b6a9a851ede97ae25013f94fa1f3aa7908ce542bc62067a8c

SHA512
08d49c358053c032390dde9de31b10a0d1643fe67bb1a1e11bf24d213bcc552e74000c9fcbf6fa23ee3f0c8b71dd0eac1da7181a690bbbe62c80bd2468694a5a

Download Submit
C:\Windows\SysWOW64\Gfhndpol.exe

Filesize
367KB

MD5
a3554cb25f05d44c7e7f056c04000e49

SHA1
29ed1f606c0e29693a242fca303de11957eb1ca2

SHA256
838073428a7c5135c17e792ec794e679c4aa415b4bf46e94462448d65009ff3b

SHA512
0f1754c8ad4d8332bd279aa0ea2fb4dfd91a9fcdbccf22cf6ad8398d86867bce0f2d160b2ce1f7424fb07712bea3492f15851ab5ddffaa2e6b99116f2b280616

Download Submit
C:\Windows\SysWOW64\Gikdkj32.exe

Filesize
367KB

MD5
cffcc5de8ebac81b43239e6562459355

SHA1
46d04cf1d62680da3cf0c2502f5e7ea63b814823

SHA256
66676ccb26856f6a8d9885ffe41fea0b61ce79bb2d49e552d58a9c52f93940c6

SHA512
161ec014425fd4b33993aa529f1f35f3a60396ed2848112f0b65ac9207c792c5d9a1d44d1716320ebdf29f6162cbd0b179b653bc16a4aaacdb486f43524afe4d

Download Submit
C:\Windows\SysWOW64\Gndick32.exe

Filesize
367KB

MD5
25e7b19e4e1cc9717aee937bc4dcfdce

SHA1
81035f57efceb6fd428e52e15404134842d50eeb

SHA256
41bf735bf70e6f9812f92077aa95a831ff088fb0806a6cee451177ad12d61c74

SHA512
7295d9534b4b2d49eba201475e0846f6676bcb1c605574fdbbea3a30d8fda80d0c178bf011dfc22984b13f86a76904a88db0f311bba125194b69fb88e6e62fb5

Download Submit
C:\Windows\SysWOW64\Gpmomo32.exe

Filesize
367KB

MD5
e6d79d4566835a2530d5d385b3c5e0e9

SHA1
93eba618cc3c420d73f549840d137d3376c0a3fe

SHA256
6ad495e6d10f93cda89b5521532e29b8c9716ef8425db625b2d2f99692f928fe

SHA512
693ec8d0f65d98ecda46293dc1094590c4cac6a2280dbd95ba7c722774e4a80705a387b626e85e8ca14dd96271e631b9bd1ee1e5b4f198765f32d30e5e5f5742

Download Submit
C:\Windows\SysWOW64\Hbhboolf.exe

Filesize
367KB

MD5
2b3cf2ec4c4e44a99a4814e154e75203

SHA1
2a905c438e462d54e696752de97f590f58dcc7e1

SHA256
d654bf96528dd526d9cef51f27e01ba1f9b4d24ebba03c643a8dfe5b0ae84afe

SHA512
72d7fa8cbf9a0d8125b010eaf16b0abb40f0dbdc03a164427fcf65a8679e58638c86212ef0f8830fd06e4aeea7ffaa955f5d737fa7f2be7537f02044c54aa951

Download Submit
C:\Windows\SysWOW64\Hbldphde.exe

Filesize
367KB

MD5
393f6aa2745a51fe8853495250eae875

SHA1
1d5b4a104cfce4e5bf2fe19b2b675b2956e716b4

SHA256
86c8468261c2247ba7a6fadcc5ad162d0b334d6ec7b941a7ce1d11aeea0cd00e

SHA512
9029a01b8bfde31e6f92ff5d05035bce6d6a19be7bed23a451d9c045514f8bc723048de75026be5bb75fd01b5f0da348f6d40184e7b6c4b8b310fc0aef7197b3

Download Submit
C:\Windows\SysWOW64\Hekgfj32.exe

Filesize
367KB

MD5
30130f435451a384a289a69263d3bcb5

SHA1
578977500c7448eb3f70a89503c194c6e9740a71

SHA256
9624843d1cc4bed3815cfc3a98694f82f24d4668498a4a918f4543b9ad42d9a8

SHA512
85c6ee449429f42ddf9e52f361d81a7ebedca7778ea5c4140f5ddfb1d9ae3463592f40c77f142f29f6f0b3e448c9dc82c390f1b35a38c6959efbde8fa15f5718

Download Submit
C:\Windows\SysWOW64\Hidgai32.exe

Filesize
367KB

MD5
6192e18cbf1b0c3cb4760c2544669833

SHA1
e623ca58cbe0d4f9dcab29b281f7b841bea7f864

SHA256
6e94a314e3012ac319b4a9536a272e19f569d7803df7be37431b6851be83ebfd

SHA512
f6c21284f6c0ad27142f8f7ec64770ed3b87aced94509dc2dfd449fc0434654fed76db8e4953fef5ec1d7fca65747a1e7ba55bc992b80351338cd29727336e4c

Download Submit
C:\Windows\SysWOW64\Hnibokbd.exe

Filesize
367KB

MD5
8bf17ca12f8e73dba3f28293cc4b47f0

SHA1
3225b21d68978fef2c4d4452fad9003008bbe818

SHA256
7884618e2bb3f60b984603604b4c0ee31885c3e8e932113f2331bcb378a5f9ae

SHA512
f33a51ada0bd06deb26cb852d9bcd08adb67f6223740b9160d81c3acbcd928f9416787b48f41107222d073658c4a9cafc4f9970f540202a46d0f03ff31957010

Download Submit
C:\Windows\SysWOW64\Hpchib32.exe

Filesize
367KB

MD5
6d496f573e6a0f879bf2b41568eba01c

SHA1
d14d2e8c06eae6c9d15b77a192ad4200583380b4

SHA256
3582ee253736770a75284dbc62fd75d1a45defd3c0ec2b4a7a99e6294d56ee76

SHA512
26c259cb16132d6325bacd5a2038979d8d4ab80c508ca2b9dcdc4429bee8ccad85b0b917c1e07cb1b9ffb2b22c931b42defc794968f6d91a3aa72a354c2144a8

Download Submit
C:\Windows\SysWOW64\Iajdgcab.exe

Filesize
367KB

MD5
669663dc700105776f5a9f4106286630

SHA1
68e18702100195db87b8f24417bbead7586e5daa

SHA256
cdb9d6c0c18d487e70aebd8e0bb16ff6357d7f4e6a18919e6c551441f7fb8226

SHA512
3f9e683288a84738faab91119443535cf4a0944f19d699f48352dca5f71fcb61cd0b2b8491c767cbab7b77ae1870559cab81533962334c664722ec8f244ced00

Download Submit
C:\Windows\SysWOW64\Iohejo32.exe

Filesize
367KB

MD5
c161bd49680622533aca8250607af851

SHA1
4b1b3f68b60ca2f3b85eeb343b9f26337f2405f3

SHA256
b9fe7a6eb2943ebd6d022fcada700bb12797ac9c4e7619a75a90e29cf7e339d3

SHA512
df54c6e97a03537e3abbc7082d3ab27b838b90acf718167a7699f4d4d72363aa6ecb3d8926973726580d3dbef3c69b19d113faf1620878d3649f5d057e94f6ad

Download Submit
C:\Windows\SysWOW64\Iojbpo32.exe

Filesize
367KB

MD5
2d25ff7675688545c7c135ffb30a6fd9

SHA1
fe7acd07a3e00e2d2201be21106d81151efc8e73

SHA256
bfbc7e76d63bc370418ce58764be1ce8e380c4e73b07bec08f61623802dd38d4

SHA512
ec0a8cb697f2350351904fc8cde8f65d9039749e217994291718c800aafa9449bec9831b9116bc618d27f8d8be48d8684deee4ffb49ceba309881021146c9fc1

Download Submit
C:\Windows\SysWOW64\Ipjoja32.exe

Filesize
367KB

MD5
26cd2a879e45b4d062a6fcfc75bba15a

SHA1
d4870e984790a7ee9f9f986e16cc5e612d01821e

SHA256
0905624618e1072a3dbd61550eca34c54258ea57d07badd01f0b25d39735cb2e

SHA512
70c517f27d95139bc25582307184d2da890f0c94c3dfbbaaf49dd3c7c1516db49fe229765bc5f4a9a2dc94b0b9f4a7bb5376aa51d5e03ac7a36c0095705e1ffb

Download Submit
C:\Windows\SysWOW64\Lhqefjpo.exe

Filesize
367KB

MD5
b0fbd6e42b57d1a21878fdd2829e5485

SHA1
167d1aacd24927f520de9133cd1a760fdcdb5b0f

SHA256
26045e7b1c2bbf7e20d53f6510678eeb731c53dd23806653cd4483cf3d0f27e0

SHA512
00415d68aa35f3c6adebfa1aa46a8a0c1965ba4a11db5e1faef0e37fc6f56e8703c47249303abf3f66848992d5b2df73da1635ca128bdff0a7fa152790c75bbb

Download Submit
C:\Windows\SysWOW64\Lmaamn32.exe

Filesize
367KB

MD5
ca9b420faf0151d250d6f2a8901e1181

SHA1
6673c61293ac69fa95a788bf8e38be8dfba323c8

SHA256
9d194e8754b06d9353dfff2015eda5929aa81f482ee0588bd8273d406271de94

SHA512
a4263e80a22c6f2ea8c807874eb7397d5ffda38fecd2fc54d8c2f3bc7e3c93de8c414dcc11326ca2448ce4378af19fbbf4d4378b1a343573f9f24fc7b0f81d2d

Download Submit
C:\Windows\SysWOW64\Mnhdgpii.exe

Filesize
367KB

MD5
10b937051448ce1deaaf1155cd18b001

SHA1
b1503303419a9583ff6d1a96f8b45729b0e4372d

SHA256
9a2fbb886937abd959ab47a240770597a5d0449f5813613a4e3e286187eae668

SHA512
958ae07177a171ab12b05705790e0633662f13531344bd9a7b087602b7eb1bba0f051234bba2485dac32aea28775b564f596c84023c29ab773820e3ddd0d7192

Download Submit
C:\Windows\SysWOW64\Npbceggm.exe

Filesize
367KB

MD5
5bfe4f22a17d854121278fed9a276621

SHA1
bc265b3e9c26d3ce0bd26c436befaa122113b924

SHA256
20c1823e4916d98cf69366fb44b4b53ab8f171feffb90cdb66bcafd23b780c82

SHA512
93e29b3a0e612202f48bdf2230f9f97951a7a433ef3e8f6f14d7628186932cd9472eeb8dc39016bb66165ab724f06639b1e3bb8fd7c1ef839e965eb3894f74bd

Download Submit
C:\Windows\SysWOW64\Omdppiif.exe

Filesize
367KB

MD5
19c1905e5c604f51a3743751e5b7ea6b

SHA1
73ab548eedaf394a584bd9c5cf295f68a9fd2379

SHA256
018f17e9c21d5685107c7ed62429d17e609c82cdb11b3422345de538a7f3ff54

SHA512
3bed60d24c7bfcd085efdf5f67b355bf07966ed87600486afb86f58fd2ba05f4970f9ddf9b8aa9ff7b21f95c8da39e1a80c7385beb6c7488a15d12f08f264e41

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
367KB

MD5
41e9cbac004ece295b3aa2ec24c310d3

SHA1
5ea16f58f1a48f2cedce52d21d0f3ed96caad301

SHA256
79018e4fdf03b57a981f71e46ce5fa661537e35d4d9230e8bd8d33cc90c14eff

SHA512
0c9dbe112a3162d6bcede81b98ae11d0e43401b8af8a1bfe1fd5e8fc4b608eece751dfe4876a66955d66d3b6a547ca0dba31d57384d64ac7bcf9f56feb32f5a6

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
367KB

MD5
5a74c07ea5b5ff7846b8034f27734970

SHA1
60c3377210908e7ef38c73f1e418ca1664947baf

SHA256
f8ab36fa7a7f273892bafbadb5baafe80cddd96e25ff536560c3c53ca3fe0985

SHA512
a3d8ffa35a252abb8a8afe771a412d99a5058eda9f31859eaada88bbdff44550f43d4237b65c4f4da1bce41930b6c67b965a673e49104052d028b0411262c9f9

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
367KB

MD5
9f35a41cba1c9584f2ff240e36e7f3ec

SHA1
e9a3bc262e6db0385cf761b43a6ba8770e796d4a

SHA256
1413d0ac5b8003865b69e0b8184b2a4d80911753200e002c76ade15703b77440

SHA512
d2a7c56872ed8c9ec6326e2c10c2168b30a6a7c16b394c796a3d1a73cf21b1b92b9808b2301cf175d9a71b6616594a943632ef46916db50ac3e3005552f90017

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
367KB

MD5
a143a12ed45b992c957bd48fa81044eb

SHA1
52f20d6e14e207d3134ded8810923d6c05300403

SHA256
7a4ad2e6d9d2bc98d5de156d884d7e834195b5554e2dc234f50dae95a9814492

SHA512
e0a67bf67fb7b61a799e9aeab789890ae01f69bea2095b6173aba40178caa00a199e65592f42da0b3b76b18581cb4767f71e0bd486a8bff10ba2458ea6ceba8e

Download Submit
C:\Windows\SysWOW64\Pcbkml32.exe

Filesize
367KB

MD5
88330d2761ef78166c15bbee75bbe675

SHA1
af7bc8ad1719430ac174bd0669171c8e9362646b

SHA256
e35bb00815652daaac12c006fa99002ca5ff04ed65d6d0ea0ecaaebbb556f738

SHA512
f14a35470291fcc4b22bb49da7900681e792488554ae7a31c7923df99d40790f2ba000ff270a6dfc118683166303ec06594e6b1bc91b8a487468a25ecfc8942e

Download Submit
C:\Windows\SysWOW64\Pmbegqjk.exe

Filesize
367KB

MD5
b6ad2067352d78560b5e844542f09e0d

SHA1
26d6583090d19346bf21ae28753cba6171edb96e

SHA256
d90a95dc8f02f2b97ed0d57bfdc781a73e3f6a310f0df7c087d7b22089dc7db0

SHA512
f691272e71e62f471cc112c2d2533d2971f3adf210449fbbb7c1acd3a7fa4cfaf5680199acd9cc839f253e1c4cbe2e11cb5f31911da365b8454a38562a2bba9a

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
367KB

MD5
445656e6dd6b3b3975e8060f49c6f8b1

SHA1
2a9e7d16ea0c17a613cbf25517db7b441dd1fc24

SHA256
bf98bcc531f6abffb9ed8ed5eb71471b145a720cca48bd741252eda534619cfc

SHA512
9963f91c4479dc45395c7ad782d8ae62c667e11371096930230cfc13d49861b1f7e701cb9fa56585e80653aa460983b3d434c419ad5c11dba673d93f26b920b7

Download Submit
C:\Windows\SysWOW64\Qmeigg32.exe

Filesize
367KB

MD5
3ba56ea0693a7e5d958ee3c0650f48ef

SHA1
87abbc1f218082d722537cbba3f4610eba8669fc

SHA256
1dd6d725f063c9e477aa71b357f269f0056390e72325948fdd643e47ebfcf4e0

SHA512
6c2d70f3cb25e2dfabbe0c6e979e84bd4238e7250fac3d5871bfbf93ebd3152f3fefd93b2d2ea745a356991cd016cd8b3834f15cc7ac28651cda13375a145ad4

Download Submit
memory/232-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/348-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/436-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/736-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/944-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/944-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1248-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1256-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1256-588-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1412-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1456-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1616-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1680-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1724-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1768-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1784-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1820-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1900-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2044-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2116-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2144-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2168-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2220-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2412-515-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2432-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2492-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2636-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2636-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2940-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3080-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3156-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3164-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3176-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3204-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3272-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3272-553-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3416-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3540-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3580-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3592-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3644-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3668-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3676-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3888-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4068-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4080-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4216-567-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4216-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4252-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4308-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4320-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4396-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4416-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4416-560-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-581-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4472-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4608-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4620-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4676-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4700-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4816-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4940-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5008-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5008-546-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5012-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5024-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5044-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5132-521-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5184-528-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5228-534-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5268-540-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5308-547-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5356-554-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5424-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5468-568-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5512-575-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5560-582-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5608-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads