84001810301456cab7bafecc53485fba662e9a5010ba6db8b2a20f2316c884da

Analysis

max time kernel
90s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 02:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

84001810301456cab7bafecc53485fba662e9a5010ba6db8b2a20f2316c884da.exe
Size

80KB
MD5

51eb5498151a63be306a366eeff176e0
SHA1

5688fc3503b6471b18ce0ed13aa9eaa123472206
SHA256

84001810301456cab7bafecc53485fba662e9a5010ba6db8b2a20f2316c884da
SHA512

7ea671e710ea9b91d5a6dc7a1eef8a1f55152861b457db02d13fde8fd3f05fcd1a803ba597b063977cef64fd1f10b90cf67bd6e4fb92f3f0bba2f1cc9774965c
SSDEEP

1536:KYaXsCEGGw+A1YE5hDuEwHgP2LGS5DUHRbPa9b6i+sIk:ZacJGr+guGUGS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	84001810301456cab7bafecc53485fba662e9a5010ba6db8b2a20f2316c884da.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe

Executes dropped EXE 64 IoCs

pid	Process
2176	Pdmpje32.exe
2964	Pgllfp32.exe
4760	Pjjhbl32.exe
2732	Pnfdcjkg.exe
3940	Pgnilpah.exe
4504	Pfaigm32.exe
1008	Qnhahj32.exe
3888	Qqfmde32.exe
4100	Qceiaa32.exe
3632	Qfcfml32.exe
4328	Qjoankoi.exe
372	Qmmnjfnl.exe
2136	Qddfkd32.exe
3244	Qcgffqei.exe
2256	Qgcbgo32.exe
3660	Ajanck32.exe
4920	Anmjcieo.exe
3188	Ampkof32.exe
2400	Adgbpc32.exe
4020	Acjclpcf.exe
3260	Ageolo32.exe
2364	Ajckij32.exe
1832	Ambgef32.exe
5056	Aqncedbp.exe
1504	Aeiofcji.exe
1592	Agglboim.exe
2056	Aminee32.exe
4404	Aadifclh.exe
64	Accfbokl.exe
3532	Agoabn32.exe
5100	Bfabnjjp.exe
3976	Bjmnoi32.exe
3692	Bnhjohkb.exe
2308	Bagflcje.exe
2976	Bebblb32.exe
3800	Bcebhoii.exe
532	Bfdodjhm.exe
3196	Bnkgeg32.exe
3504	Bmngqdpj.exe
2152	Baicac32.exe
536	Beeoaapl.exe
4868	Bgcknmop.exe
2612	Bjagjhnc.exe
1216	Bnmcjg32.exe
4104	Bmpcfdmg.exe
1900	Balpgb32.exe
1396	Bcjlcn32.exe
2132	Bgehcmmm.exe
4456	Bjddphlq.exe
1488	Bnpppgdj.exe
3228	Bmbplc32.exe
896	Banllbdn.exe
1784	Beihma32.exe
1040	Bhhdil32.exe
244	Bfkedibe.exe
4244	Bmemac32.exe
2984	Bapiabak.exe
3368	Belebq32.exe
3312	Bcoenmao.exe
5036	Cfmajipb.exe
2864	Cjinkg32.exe
3784	Cmgjgcgo.exe
2428	Cabfga32.exe
2656	Cdabcm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6108	5980	WerFault.exe	198

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	84001810301456cab7bafecc53485fba662e9a5010ba6db8b2a20f2316c884da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	84001810301456cab7bafecc53485fba662e9a5010ba6db8b2a20f2316c884da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2176	3040	84001810301456cab7bafecc53485fba662e9a5010ba6db8b2a20f2316c884da.exe	84
PID 3040 wrote to memory of 2176	3040	84001810301456cab7bafecc53485fba662e9a5010ba6db8b2a20f2316c884da.exe	84
PID 3040 wrote to memory of 2176	3040	84001810301456cab7bafecc53485fba662e9a5010ba6db8b2a20f2316c884da.exe	84
PID 2176 wrote to memory of 2964	2176	Pdmpje32.exe	85
PID 2176 wrote to memory of 2964	2176	Pdmpje32.exe	85
PID 2176 wrote to memory of 2964	2176	Pdmpje32.exe	85
PID 2964 wrote to memory of 4760	2964	Pgllfp32.exe	86
PID 2964 wrote to memory of 4760	2964	Pgllfp32.exe	86
PID 2964 wrote to memory of 4760	2964	Pgllfp32.exe	86
PID 4760 wrote to memory of 2732	4760	Pjjhbl32.exe	87
PID 4760 wrote to memory of 2732	4760	Pjjhbl32.exe	87
PID 4760 wrote to memory of 2732	4760	Pjjhbl32.exe	87
PID 2732 wrote to memory of 3940	2732	Pnfdcjkg.exe	88
PID 2732 wrote to memory of 3940	2732	Pnfdcjkg.exe	88
PID 2732 wrote to memory of 3940	2732	Pnfdcjkg.exe	88
PID 3940 wrote to memory of 4504	3940	Pgnilpah.exe	89
PID 3940 wrote to memory of 4504	3940	Pgnilpah.exe	89
PID 3940 wrote to memory of 4504	3940	Pgnilpah.exe	89
PID 4504 wrote to memory of 1008	4504	Pfaigm32.exe	91
PID 4504 wrote to memory of 1008	4504	Pfaigm32.exe	91
PID 4504 wrote to memory of 1008	4504	Pfaigm32.exe	91
PID 1008 wrote to memory of 3888	1008	Qnhahj32.exe	92
PID 1008 wrote to memory of 3888	1008	Qnhahj32.exe	92
PID 1008 wrote to memory of 3888	1008	Qnhahj32.exe	92
PID 3888 wrote to memory of 4100	3888	Qqfmde32.exe	94
PID 3888 wrote to memory of 4100	3888	Qqfmde32.exe	94
PID 3888 wrote to memory of 4100	3888	Qqfmde32.exe	94
PID 4100 wrote to memory of 3632	4100	Qceiaa32.exe	95
PID 4100 wrote to memory of 3632	4100	Qceiaa32.exe	95
PID 4100 wrote to memory of 3632	4100	Qceiaa32.exe	95
PID 3632 wrote to memory of 4328	3632	Qfcfml32.exe	96
PID 3632 wrote to memory of 4328	3632	Qfcfml32.exe	96
PID 3632 wrote to memory of 4328	3632	Qfcfml32.exe	96
PID 4328 wrote to memory of 372	4328	Qjoankoi.exe	98
PID 4328 wrote to memory of 372	4328	Qjoankoi.exe	98
PID 4328 wrote to memory of 372	4328	Qjoankoi.exe	98
PID 372 wrote to memory of 2136	372	Qmmnjfnl.exe	99
PID 372 wrote to memory of 2136	372	Qmmnjfnl.exe	99
PID 372 wrote to memory of 2136	372	Qmmnjfnl.exe	99
PID 2136 wrote to memory of 3244	2136	Qddfkd32.exe	100
PID 2136 wrote to memory of 3244	2136	Qddfkd32.exe	100
PID 2136 wrote to memory of 3244	2136	Qddfkd32.exe	100
PID 3244 wrote to memory of 2256	3244	Qcgffqei.exe	101
PID 3244 wrote to memory of 2256	3244	Qcgffqei.exe	101
PID 3244 wrote to memory of 2256	3244	Qcgffqei.exe	101
PID 2256 wrote to memory of 3660	2256	Qgcbgo32.exe	102
PID 2256 wrote to memory of 3660	2256	Qgcbgo32.exe	102
PID 2256 wrote to memory of 3660	2256	Qgcbgo32.exe	102
PID 3660 wrote to memory of 4920	3660	Ajanck32.exe	103
PID 3660 wrote to memory of 4920	3660	Ajanck32.exe	103
PID 3660 wrote to memory of 4920	3660	Ajanck32.exe	103
PID 4920 wrote to memory of 3188	4920	Anmjcieo.exe	104
PID 4920 wrote to memory of 3188	4920	Anmjcieo.exe	104
PID 4920 wrote to memory of 3188	4920	Anmjcieo.exe	104
PID 3188 wrote to memory of 2400	3188	Ampkof32.exe	105
PID 3188 wrote to memory of 2400	3188	Ampkof32.exe	105
PID 3188 wrote to memory of 2400	3188	Ampkof32.exe	105
PID 2400 wrote to memory of 4020	2400	Adgbpc32.exe	106
PID 2400 wrote to memory of 4020	2400	Adgbpc32.exe	106
PID 2400 wrote to memory of 4020	2400	Adgbpc32.exe	106
PID 4020 wrote to memory of 3260	4020	Acjclpcf.exe	107
PID 4020 wrote to memory of 3260	4020	Acjclpcf.exe	107
PID 4020 wrote to memory of 3260	4020	Acjclpcf.exe	107
PID 3260 wrote to memory of 2364	3260	Ageolo32.exe	108

C:\Users\Admin\AppData\Local\Temp\84001810301456cab7bafecc53485fba662e9a5010ba6db8b2a20f2316c884da.exe
"C:\Users\Admin\AppData\Local\Temp\84001810301456cab7bafecc53485fba662e9a5010ba6db8b2a20f2316c884da.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\Pdmpje32.exe
  C:\Windows\system32\Pdmpje32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\Pgllfp32.exe
    C:\Windows\system32\Pgllfp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\Pjjhbl32.exe
      C:\Windows\system32\Pjjhbl32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        33⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        41⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        46⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        56⤵
        Executes dropped EXE
        
        PID:244
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4560
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:660
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3512
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        71⤵
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1232
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4040
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        75⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        76⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        84⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        87⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        88⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        94⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        95⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        96⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        97⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        99⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        101⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        102⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        103⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4388
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        108⤵
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        109⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        111⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        113⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 212
        114⤵
        Program crash
        
        PID:6108

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5980 -ip 5980
1⤵
PID:6060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
80KB

MD5
de4d1883253a533a8c577ca157e52169

SHA1
ee5a0442a0da6984acbf0b8a28f3140cbe7e93ef

SHA256
3b09d4eb90a027581d5ed22c818fe47da1ab0da42ce8fe73f17c649409c74ff6

SHA512
9f985fa254b2b274cc22d39443c616aad409a6c9beb7cde95b7722dbc196686b32676c105a46e73cfc344b7f85c32c4a6ee5ca354ea82c5d5758de15e4ee8ae0

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
80KB

MD5
d974a81fc0ae1b9518857d61bd259de6

SHA1
822f9006eea7d7596e6929bcaf6564610467bc19

SHA256
90dae1fd627857a01ae2b2f972192a516316d75e42aec4d1d329ab98b400c879

SHA512
c1c28251a44c997192e5f48508be17597d532f9eb6e8e7cdb9ddb0396c652fb385affb7f7199551775cef498d59e52b014376b20f832bcd93d3b4b5b63f9581a

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
80KB

MD5
9007df187dbd4c9e64423f86b55e0e52

SHA1
b47568ce61304acdb8fb551f662bbb456e8fac5c

SHA256
e1e83ed3d16f3ee2edad7820b82e66168c6f96542e818e74936dbb248280773f

SHA512
0b7fa42cfe089e5d513ac42a3926dcb7b86763dd8cc219a7978a0ad8d8c790d8f8ef68dc89aedd925952c632a4d902a1f99d4d6aef87fe5ecae58dff1571d920

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
80KB

MD5
0a53a3337fb12fbd5b191941deba9b53

SHA1
b05efa5ced517efc51ea83abcd1e23af82c4e063

SHA256
9e7ea0542875ea2f3ee2a6fd2faf36fc1647221f5214d8e68fc3fc63e1da0824

SHA512
efe3efdd3894a02c1210b5c70d27cd5ca762425180c5775f719d1647661addef994874c31155c4db36156c1ac4ad03c67c0aabb48aa3c7fcd2deac97b36e29aa

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
80KB

MD5
6866449e96bfa67c0e0659604f1b282f

SHA1
a2e7117acfeed287dd9b18a86948b632ddcb69cc

SHA256
663a25aba5162534c186685b55422ae2cb504ef89df0902379621a12d2bfcbb4

SHA512
93fb6c6e4c95c13d76b07065ae5af730ded38fd3318f32891a91f9a4fc1cc3c2154aea7390d269e828dd5f697c64982e7aeb15e3f3db020153c8daa2511df0bf

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
80KB

MD5
db768b71c96264a6e93fcc1be94e52af

SHA1
762c0c82ba4c6369326e4e4d481e01038ce49c80

SHA256
a4afe6bc3d3ab24e531e94330d6a3661e3fc451329b32bc13c14ec52b055ba65

SHA512
533fb34c3739e9b046a2c4cabe59a53622a7c58b6f1402104b981f9f25e76853e030e7a8544da1957fe86c5a6a217cf7590b8169f915581a0bd71e11c8739363

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
80KB

MD5
57f5013e429be5a53486e3e6f6268adb

SHA1
3e4bd4e72f2b57f1d6ed9bdcfec95b61ff184d94

SHA256
604c3974026c6c2aaf52af7be01481a60f692ab4ba30f7f1ba31f592115e043d

SHA512
369ee91a7ee3ed880773bedb86e5a36003748afe897f19c1677838cd60ed0d5035f56b5f9e8b6f00fbae9b1dfb55b3f5f6d34316f45c1c92a9972d5e99699e38

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
80KB

MD5
4bad13b5c17ee1c653cd7c2dda848986

SHA1
a176f05bac7516fedac3bf8ca29b3b69cb130484

SHA256
9293296920f76ebb87767d3260f7e87235c2f394bcb5208368483e81e0a06777

SHA512
e8fcef28d2b497bba2615e42d762497b215a49c7678885cf4a15b28356347439e87db62febfa9df15553f1410c465d4dbc40b054cd820506d1ac11cf7bd4f73b

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
80KB

MD5
b31a5a3679a503fd0d390708542b7569

SHA1
5116e095382c288c559d541e2fee19735187245b

SHA256
f2a45bd42af27186293e6d0f84f23820e0d0787193d174b0c49b5fb7e0dd40e6

SHA512
4cdf2c88819111fe10951ad8b70f7c0aaeac4ddcda5fd58cfca77b907eba3a34ec5ac293fc523d32c73e4be7397cbd48a8092b13681c7b5df79e054d02abd29e

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
80KB

MD5
66233d19b01548d366a70a73c1cfd6fd

SHA1
812ec9a0f3381171d017d6c1f0bfa4271da291be

SHA256
3cb7eccee340bedb821c1372e610ebb9eb86f5f2db117f03e33b4c903166c74d

SHA512
122610598a4d505d9ed7b54294cc14a2ee19821df319c9ee5b890e07ad9f04d83071c06b099099ec85a467130bbfdd5d9b49629705e07c5a2779649acdb7402f

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
80KB

MD5
1b0ff662149ee3389297fafc88b64bf0

SHA1
9df84c3690c4f18058c593ab43bc9a0c34f88606

SHA256
ed80666b6de64256adb1f1eb035ee99972338e4e68f7af5493f33a57bedec6c6

SHA512
4d72b4fa748931df3bbf10ce6d6f0e999cb02257e86c767e1fbad739a9938c41bf913353b24a207df5c78398da842447a95895f372f1b26559706578c1a992f7

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
80KB

MD5
fc67a258f2394f7c455a600f8a33585a

SHA1
1a687382d87bd7fb31640666470ef21e2ed10563

SHA256
2a6d2ecaa4e3d8337359ac6ea4c6288a4e8f1864d1c709a8f3060cd33bfb5f75

SHA512
1a41d2e0053151b27055b3eb680b33fef26d1e8188b4cb78de85894359d316949cd64055afd1aa5b4a0cdf2cc59022f6a2bfcc47fd0019e9e06e8898bfbe531b

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
80KB

MD5
00d64b2f1c87037d3f6e8c07e2c46b4b

SHA1
79e9fd70c77877b7f1dd8a3080f92892b6fe678c

SHA256
5f0d9874fc43495261ee910bf6f1cf3b089d0aab053e0e99e96988cdb633a061

SHA512
1fd2aab2edf0407f712a26fc27b9acd2b94b1c744fe5feb1015ed0b0b57a876f8a76cc2e8a321a8431ffc64e100e5f8b5e32da2b7b16b23225c405026828bcca

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
80KB

MD5
404f9643ee7acc55b8f7f004346f7998

SHA1
c76aad72b3e4948d8b7286edeeee6481b0fda311

SHA256
5dff3de4dd451bb8da332751672a750e6455f42af2e6d1cbacba9299d4e67255

SHA512
1d76ece986b48f967c3ec09973daf794762938c55e9c44906116de57c287c408e512fe0b93bcb636ab0843159d7e777010a05c8f5dbf2c02a45e04bdf41331da

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
80KB

MD5
1ada89ae2b8fdd7ca97a522778dc6d25

SHA1
f83e4c60b492dc845900ddd6358c73a18cbae844

SHA256
f1def8d3c1eb22638f1d0eac4e8377c8b41ea07bc556cb70e1e35b1db97641b6

SHA512
43cfaa0c15f79b1adb265efb9b55828a49c7a0d90aa60149912fb8daf8e18b24d660d239031d4bce93ad79b28c1d0dda1074e1ab0a920f230e54471f30a47a4c

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
80KB

MD5
5d3299cff4d76596015af9314766ed47

SHA1
0fb2a43389a9966cbbbb18a6f57af7460fcc8feb

SHA256
419dfe84cceca227bf8a4339d171d6ebde9006682a6171f616f360fc06df7ba4

SHA512
f2896bb7fc63077af02ce2fdde4fec5a39ed71849acbe3218ba97b4a481c2f116a39b8c43966d685a32173022e951ef483a69c3e626f1af3fd2bb49e2b6d76b9

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
80KB

MD5
62d38934f84b7b1703874edfcf06c6e1

SHA1
93b58bc9a4fdd33ed0a3cf7a92f4b13be8ece00b

SHA256
54f8a537df705c23a8e0309837dd7c69e745fb6e954d5d1e34f2bea15aa6e869

SHA512
642c8994f8c82208b5ba41b567a8634b40255a7d9259aa494fdce87d30e8e0076426fb159ffd8094a14ad2a0d28918e27dd9af7b527c978b814144bebf4a5d70

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
80KB

MD5
18030dbc307d1888e2ab8bafda422298

SHA1
ba6013d890b8f7fa85064c21ae78a52c57fe736b

SHA256
9cb1b675a6200910b21575d8bb2752fece2aef4122bb224a5fbb8c2671deb702

SHA512
771326592f66f2882edf31573ff20cebecf7ca5b71e40a32aa52af33236d5b7c3701d04e3ae28fd9c8549e50cf131ff51e89980429b0e801f86b01c2b86015d4

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
80KB

MD5
98eb54cdf6df373ded688aa1b9da15df

SHA1
d8377da7a6baaa0afc8ef27c3bfaac11061f5635

SHA256
f84974b82d7e9096f7c78297c703f1811c7a604512dbb914fd8911da75461e72

SHA512
a8072145020626b54634519de3512f8a2d704fbfca057e63f72cdfd14c69c76910a160031a81351f944ee68fa089e8ca0806d50beac1abc302ee3aa0a5902a16

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
80KB

MD5
85970e7fde57787a9a61882a1c8d0262

SHA1
9d507e8ced0122651ae9475ba18ed2b32e800bfd

SHA256
ffc86b9dd23233217cec2138cee3be79c8909726785614e13f913a07146ea4e3

SHA512
a6104581419170e580aa790c5c04c4a77b44c40ed2e12e3e1ba6c38069d56b2caebb84608a57d846c05d5f36b8a8dd35e1d4bd902f9db466c2edba423b2184e5

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
80KB

MD5
f44991a9d82e7e47c1168cbf82a2ea8a

SHA1
387c7824ead7aef5a73238fe92563dcc0511267d

SHA256
83f59faa2953acf542c2e1d4c6aa5646011c46b37fcf4576ab9c2c615b048fd5

SHA512
6e19ce3a308558739b26bc40afb38acacfbd1aa8a31fdb81f65d07d5a5c42c8bcb9da0e213e5b9e52dd9927c604b8f645f391aa673a8c59ecb5f5c156d2fa100

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
80KB

MD5
6e3c3d82be0c9c4fc4a5c2f6f6d25aaa

SHA1
1d85b0f4b26296d58932d30137d5c26300a084ce

SHA256
2ed3a39513d6205f6fa1504eca1e411523678ffd67e577f3594d9acd760c9930

SHA512
45d7777b71c090bd2593d382451e30db24b4b83e74c00efa932bb10494641fed03e73768a4a41020858b34edef8bc7c23906d115f8b9d890c854f51e0af5e286

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
80KB

MD5
7664634c00879890f8cfc9acac8acd6a

SHA1
7ce86b7f566f655333baca7b8a4cd75e95056e64

SHA256
b13c5a0e276636b8384317862a3a0a35c73b5a41ac0d503006c949a73486bef9

SHA512
9ce1e2a1ae0f00e09f8afc2bd62205e820c6c3d09cf207a574e68dba4ad2fbc301923650b5195870fcbf4c53fab5ce6b210322ef63a25ae1992aed68020ad5f4

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
80KB

MD5
00a141295f92c9baa19e4bfd28fadb20

SHA1
ecd600644f8c670da595e269d6f0a506f78ecb93

SHA256
f0b90476acd7e2566e27d8dcdbcd37c96f37559877ec49f8b1451f05fa99cd44

SHA512
ea87eab96bef2d5c35c2e3f8526bbaf203e06873099e27a801d006d485231f5a7e979dd3839f5ebe1344837e54bd15cf4fa3be1b80a25a64121595b18f6fcaeb

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
80KB

MD5
9dbb72af018193dc3cb143fa33b565f9

SHA1
cc284634241255f835c439bbdc0eaf103fd6e9ac

SHA256
ae52c127b8050bd8170b2701790ff7a0f7118b68d852ca899e851d29082343ca

SHA512
e481fe5988f5b890a84e1f0d0b26e804eff627e6cdd99a4733bd3669c260d8116c688f9735b0887d7f65184ef05ae7af5e7f04b6382dfd5aa688016699da59b0

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
80KB

MD5
5350ea846d808fe25f26d3aa49357a6e

SHA1
0dc558f3329e1c2a423f9f919ba32de9262fff81

SHA256
c7ffeb0824c1e10cb883db44730a34b43797d9e3473c359c4d093da72b5e571e

SHA512
883f1d88cd11fbf154b812fed228df210487e959baf0340c4023025c82010cf536bf2611b57741187d04478feba640c1fdd844ff3ecf24c09bd7dec005f9d347

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
80KB

MD5
d68e6c3a1fd0fc11c9e38b3621eb3d1c

SHA1
a122491ef1bb96d5fb70e55abf76f9d56d47f3c5

SHA256
63430604f98562adf64902b7d4898d9d114ee4aae724a33b86d8a055de68710c

SHA512
4a1fa498a3e3f4963e6fc19edd84cb5340dd1847947b65a125c02f8ae4eb6b3908c1027fb95c8e73482d84fd093339c4478261c15257722044a0cc6aa56afa4d

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
80KB

MD5
e67723942a80d10785950c94c45df8ca

SHA1
67bed00357d6ec9cd79b533c3a18c3f08acf2c2d

SHA256
005cac4ecc75fd0ca573fc6c9e1ac522673da6041f929b86efc7f3a0e3df7b4a

SHA512
d4f10e650b98c98e207188806a18b97f326c3dd254cf0441f5eedbe5bb8d32afb68f5615ff6666de5a62fb24cf61e317ac75e8edcb2f5d4f4de45f50803dfaf5

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
80KB

MD5
077c54b29b94c3c7000ca305353ec0bb

SHA1
bb3c58a2b10354eaaed5ddb947f0db3d4cd1fd4f

SHA256
51133712997ceb742c24cbcf5e19d1ce49fe86f19bf447e4fc1266f10f945fc0

SHA512
13c22e40820279929e165a2ea65692115bbc73699d11645ad84690f4dc1a6689979885d240d8cf242816570c3b9bac0888b954400199302845df99355438c555

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
80KB

MD5
a76fcf730e2e0c069f52433b9d09052c

SHA1
627685a55591c623c30840156b2b924d9d3656db

SHA256
d5aa0a93240040b232b1f8f24552392e98ed378ad77631ceb27129cebcec9729

SHA512
5d038b6b1b9777981b16d8e52e64e1571066d2b5d4f5413ec8eba8f523d9da8cf9514e14f30bb98f4da77b18b7c260a69ad63dafd780e1d145dd929d0a7b54a2

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
80KB

MD5
f9febd5d8fb1189da349ffee582e529a

SHA1
34197e7831f948143c95bf8c97d4bdaf201909a4

SHA256
81ddf92dc704b09de675f95a3f07712a3e647d1edf1d1fff2f02a87ac6ca4aa4

SHA512
72e4fe393a8e7336f5e8b94b05d78036a373af695304b9c971fac745781fe871891401fbd862a7d25bfd239df6dce282c612aa9df8bf56ff931b975343ce8b63

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
80KB

MD5
e9c91eade4925f8d1dfbb869b5f1ee3f

SHA1
bdb53e90c32da345e30b7bf5f95463df8afe7019

SHA256
f83624201996a1bb5c0fdf7dcd0ce1d30e8d9b522e00dca87cf92d7559db5d66

SHA512
27e7a337858b66277bf58db7e800762b1307d9bb9555e8983177a3a92b5eff65c0a7c536dae88de1de58395c8ae0c36944e92e0133d08c09b00e337126fa0340

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
a7acb078a9d452e13511ffd3be95feae

SHA1
2320dd6606a3548f71424a9abfe48f339c785c1d

SHA256
ec1a14a30733c4dc6475526e6be1caacb6de5d4bf88c708a4b253201e331f406

SHA512
eb6ff77f1c1812c268c42f7248c00cdf78f36160c049e4c20b4f6df5c1691e922f48134a184fd9cd5abcad862d1347d203d1c01b03f156460871392be0941697

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
80KB

MD5
29249a5461bc0753ed73250111a7132e

SHA1
3a329db1b2ea7c69698a4bda8a1c948486a252fc

SHA256
3c79755c7178d9aa0123792da33f6e19f98b4f413f9591a69dfac560523233a0

SHA512
034d91bdea025435b4eee49a2d5068849358fa29308b6ac9d4e640216d073abdd071816992a5c96b0d35feb257a2ce859e9d57242eebcc892e0f07956aa7de23

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
80KB

MD5
8e1bdbadfdd4a87dc53154bc7a94bf97

SHA1
34d64b354a87845a4c8db8883656e54dfbcedbc9

SHA256
f212469494b4deb62230b084b08500054c1b216b9d2523abc98c58d9c3c15bf4

SHA512
87fb6c2a1db877222bc826e3fc50e14886115a7bc295101273e2d35e3b54f49e0557c0ca52fb287391cd742fd246cebccebc4520589e8201239e22199882fc78

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
80KB

MD5
06b8de47424c7c040fece6969eeb7049

SHA1
6e66e210abb2e87294fd6ea195e7cda480d43234

SHA256
2d8faec457137ae5e1e67268587847a578edc31098549d9bb64cb7248c5a643c

SHA512
8747d16dbb68c9a5189a59d1b3d1495f44288eeedf66c1f420b634911cb7264e689a888dae27aee08179675c4d52d21ec982b76fa33be9408442a6209290eb98

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
80KB

MD5
bf3d44df3885c3e76284d1f379032bfd

SHA1
6102f440f725dea8ee9c8e61de357c9e89e7178d

SHA256
717c79c6dd36a4a4cf6cf1271dad6934093ed863cc12b21899fe0dea2924a305

SHA512
91d802a5b5531b8144b324b0956e4660aa2a33199c39a81c3829f397e607416ccd6851244a765ea136b3acb723aebb335a29f8b5453964fcf40dc98b275b619f

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
80KB

MD5
cff94a242bfacd49cd516859664e8eee

SHA1
70107fe27ead477c26846145732ecbe0a287cd68

SHA256
40b91b40cbf0b5bfb495d93001a3cca91a9d7b1ac6ef9afbdb745cac073c6c4f

SHA512
712fd06c25d919d0069f83a2209f05608094817a745e5e7fc4640debc0152d26dfad88924f22bd87df824eed2c80848cc881b112f12b5ee513187af529e4aafb

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
80KB

MD5
644b9ebddc8fe1d8d0a43372a897ea75

SHA1
ef36396b4cbb6f0268397009d74d7017e07bfb47

SHA256
1d3084a2768c139a6e79ac3535a2e964c7353073ebbf9f6412c3017b5558fb29

SHA512
ef77267914a66292710ceb1743670253541a0699721b4047b8f5d978ad44af75acea863af31a7749b3f87bd98ccfcb6bf731f3e9da9f9c63df8874d580bacacf

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
80KB

MD5
30f5e8b08a8bafc95c2c67b8a70a461d

SHA1
195f2e85cc7a9e3462d527ac20c83fb7b2e7837c

SHA256
07de399fb9bfa5efd5c1d8fb230625d807b64cfd92a817e9fdf9d5a1103f7a26

SHA512
33d3b5234539642719f6264fd859b7c060040166d9db996d5826f8abb1cf53c900e1a86ad3944b78b497818653f07c3d50a240ea3c54b3644e3928acc5a3b13d

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
80KB

MD5
1cf4a688c64ab64b4a49b80bed1c6ee6

SHA1
3891e32c2ae1745b21a79ef4a11f00e1a4f0c9c4

SHA256
c0a284248e5fe57983ee879c9a2592c68a7774e14f270927c31893803729d405

SHA512
5f982ad02478204df3bb475e3d9ef54203c1a89b3c75920878c75ee0eb343b4854cdf1aa148a0a9f86106ffe865f68eed52ea5c5a9288ae0892e54d82b6ace42

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
80KB

MD5
e2f6930919b7773255f4cb077004c3fa

SHA1
13b8fc61ee1f1fb599c98b506f8f331cfa9858c8

SHA256
3e3080482c2f8c255be8d6587b8474ae4e308a870b18fa46fa3d1386581992e6

SHA512
360e54c088ef7bde3fe066c11ddcb58a4e2b408c3ac3c2b3ba03afefa77b64566a1a38f9a759c905628f9b3f2a31b8f4072ab7570876f3dd83df8c586a919505

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
80KB

MD5
a6e23ece27435987a6b3df3f996b477a

SHA1
ae11d2b995c2c1d2b03575e1148acb67772751d4

SHA256
e433fd53768ff5f89eae2434ea5714b43fee8e7c4425e2100db7ea05ed310cc0

SHA512
9c41fac9bd6870320c4e7d457f7edc1544720fe5ef7d5f16897a2f9cdce3c68efbd9504dce6bb552e11d62cdff47009c8cb67080b410cd0d55a242792912a3bc

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
80KB

MD5
c7ed982a0d0a634f46ffa4aa6ac71c65

SHA1
a4a9624cef3c215ea898027ca52b18c6931555be

SHA256
802a94c47236cb3dcbc05adc18a7571fb16c22c8f185ab3272845874c4a3823d

SHA512
16c2baa2f15e67c4965abb145cc492e2f00afd16b92005e6df2c8ced20f111c21158bc6cbb351bc5c15d7251a63d23f693feac95b1f67f2caa252fdc5950f0ef

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
80KB

MD5
d73f51d08c1c40878820a7ee29738b82

SHA1
f4f24d5fcf37aa7905361800158b3135ab797615

SHA256
7577f0d3621f9907237d10f75337c4ff2169c32deda1e7613b83a668388a2482

SHA512
c4bd8b7c0003b870747400d8ec16c8fcff74c259e1b9f150376597e9709a507eb3cc0a1074e2b79439a52a3891964f52b94259f86472a171398712e96eec38d8

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
80KB

MD5
3b33e0fe8461bea9591c6b2bc72044fc

SHA1
bf73617750bf6d134f5e4a6d822203053b478749

SHA256
e62351300286fa958d7e1328a78729a6bf360dab3fe24d3bb9fca41a4869a3c1

SHA512
15948ad9e1af7857160b7486cd0323e64c9d1b1ea694472c9100dafa3142722feda6dae3a725a249e0e3f5f9470d632d3fb9c9f4f6398591f9b2257c0bd2f1b5

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
80KB

MD5
7a2959da4db789b910132ecccf953a79

SHA1
82542d27451c1cb467cca824ec55cf44a894dd06

SHA256
8571404bc757a0273b2ae1ecd2d77fa03c3e3bbd43b87ececccec4bbfd1648a6

SHA512
fa1defcb7ed2fe4a142d7ddf2291c6bd6ad849554c28910762b7c57a698817c9380d67bfcc6e9a38ba26fec1d20cffafcf05ed69a85e993bf5e3d2edde1e04bf

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
80KB

MD5
59f1712546dcf91cd4d1723d6371d1a3

SHA1
347ba5b6e5764988fe66be9eb0abe9c6fcc22c3e

SHA256
1b92a19a5f2d1bcc66112b00829fd93c0eafc1f3a3033767acb2a4b3a2f2c070

SHA512
0cbc6cce24c35f9170d1c27f0401e9d27dbc541d6f861b952d8fcbb52646d520446f052e5bc54172e4c790e6fb626d65cc7515b4d8ee38ef1a509f887fac465a

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
80KB

MD5
6f1387d799524636455e0fc0b1760613

SHA1
a0476d53e432411dc4866472ee81b7b5179316ba

SHA256
38b27594c17f7ea730e6e7cdc8ce0fec5bb25963de88548d55836460ff670512

SHA512
d276ca4cdbaef06d0cd8165959f1cc37bb9eccfb18bd36a56f455795746f207c3412e32d5f8b7d358ee18ed6b9b86f4e10a61dc54fe04578832924b7087d3be6

Download Submit
memory/64-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/244-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/372-101-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-315-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/660-465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/896-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1008-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1008-593-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1040-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1216-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-525-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1396-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1504-206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1592-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1832-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1900-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2056-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2136-109-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2152-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2364-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2428-447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-576-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2760-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2964-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2964-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2976-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2984-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3040-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3040-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3188-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3196-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3228-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3244-117-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3248-490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3260-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3368-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3408-513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3512-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3632-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3660-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3784-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3800-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3888-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3940-579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3940-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4100-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4104-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4244-404-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4404-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4456-363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4560-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4868-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-141-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5100-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5152-531-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5196-537-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5232-543-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5276-550-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5312-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5360-564-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5400-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5448-578-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5496-584-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5544-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5588-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads