e4af77421b35bc7f686d8c2814e24237015e24d50d027d11990847466752400a

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4af77421b35bc7f686d8c2814e24237015e24d50d027d11990847466752400a.exe
Size

59KB
MD5

296344eaac81f15e3f9fbab63b90a88b
SHA1

d20a7431b5940407919e213dee1d114fc50b7cd8
SHA256

e4af77421b35bc7f686d8c2814e24237015e24d50d027d11990847466752400a
SHA512

33529eb0294bceef4b357a277ab4dc6fb9cedf1e26940c957efeeaec6f1d3556ee6e20e4b75236923724c7a2bbb48f01668b525b673ab5a8e8672d2b5799982a
SSDEEP

768:bnAlvvvXvlTu6kEnrecoxcSUaGZZ3G9epm8yZ/1H5kW5nf1fZMEBFELvkVgFRo:bnAlvXo6kHco8R3GYpm8IXNCyVso

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipgbdbqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqkqhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Monjjgkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iedjmioj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiglnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hehkajig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipoheakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlolpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnoqc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbped32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjola32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgphpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kncaec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nglhld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpcapp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klhnfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahaceo32.exe

Executes dropped EXE 64 IoCs

pid	Process
3888	Geaepk32.exe
3004	Gpgind32.exe
1832	Hedafk32.exe
2108	Hlnjbedi.exe
3548	Hfcnpn32.exe
2136	Hlpfhe32.exe
3656	Hehkajig.exe
2212	Hpnoncim.exe
2176	Hekgfj32.exe
1384	Hlepcdoa.exe
4724	Hmdlmg32.exe
2228	Hoeieolb.exe
4064	Iliinc32.exe
1472	Ibcaknbi.exe
948	Iinjhh32.exe
4100	Ipgbdbqb.exe
4684	Iedjmioj.exe
1528	Ibhkfm32.exe
1116	Imnocf32.exe
2896	Ioolkncg.exe
4416	Ieidhh32.exe
1012	Ipoheakj.exe
920	Jiglnf32.exe
3624	Jpaekqhh.exe
3440	Jcoaglhk.exe
2196	Jiiicf32.exe
4056	Jpcapp32.exe
3948	Jepjhg32.exe
2724	Jngbjd32.exe
3484	Johnamkm.exe
1704	Jebfng32.exe
868	Jllokajf.exe
3232	Jgbchj32.exe
696	Jjpode32.exe
448	Jlolpq32.exe
1136	Kcidmkpq.exe
2604	Kpmdfonj.exe
2244	Keimof32.exe
4568	Klcekpdo.exe
1756	Kgiiiidd.exe
1972	Kncaec32.exe
1048	Kodnmkap.exe
2752	Kjjbjd32.exe
2372	Klhnfo32.exe
2548	Kcbfcigf.exe
4384	Kngkqbgl.exe
4784	Lfbped32.exe
556	Llmhaold.exe
2988	Lcgpni32.exe
3864	Lnldla32.exe
3272	Lqkqhm32.exe
4352	Lgdidgjg.exe
4344	Lnoaaaad.exe
3108	Lfjfecno.exe
3312	Lqojclne.exe
1656	Lflbkcll.exe
2456	Mqafhl32.exe
3140	Mfnoqc32.exe
2544	Mnegbp32.exe
4048	Mnhdgpii.exe
1476	Mgphpe32.exe
760	Mmmqhl32.exe
1936	Mfeeabda.exe
704	Mnmmboed.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mfnoqc32.exe	Mqafhl32.exe
File created	C:\Windows\SysWOW64\Eignjamf.dll	Ahofoogd.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Aokkahlo.exe
File opened for modification	C:\Windows\SysWOW64\Lflbkcll.exe	Lqojclne.exe
File created	C:\Windows\SysWOW64\Cklgfgfg.dll	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Ngndaccj.exe	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Mmmqhl32.exe	Mgphpe32.exe
File created	C:\Windows\SysWOW64\Ignlbcmf.dll	Jgbchj32.exe
File created	C:\Windows\SysWOW64\Pnmopk32.exe	Phcgcqab.exe
File opened for modification	C:\Windows\SysWOW64\Bhkfkmmg.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Lqppgj32.dll	Boenhgdd.exe
File opened for modification	C:\Windows\SysWOW64\Conanfli.exe	Chdialdl.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Ocgeag32.dll	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Abhemohm.dll	Kpmdfonj.exe
File opened for modification	C:\Windows\SysWOW64\Qdaniq32.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Apaadpng.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Iinjhh32.exe	Ibcaknbi.exe
File created	C:\Windows\SysWOW64\Hemikcpm.dll	Kcbfcigf.exe
File opened for modification	C:\Windows\SysWOW64\Ibhkfm32.exe	Iedjmioj.exe
File opened for modification	C:\Windows\SysWOW64\Ocjoadei.exe	Oakbehfe.exe
File opened for modification	C:\Windows\SysWOW64\Lqojclne.exe	Lfjfecno.exe
File created	C:\Windows\SysWOW64\Gmophg32.dll	Hoeieolb.exe
File opened for modification	C:\Windows\SysWOW64\Iedjmioj.exe	Ipgbdbqb.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Hedafk32.exe	Gpgind32.exe
File created	C:\Windows\SysWOW64\Difebl32.dll	Mnhdgpii.exe
File created	C:\Windows\SysWOW64\Mnegbp32.exe	Mfnoqc32.exe
File opened for modification	C:\Windows\SysWOW64\Gpgind32.exe	Geaepk32.exe
File created	C:\Windows\SysWOW64\Dddjmo32.dll	Pmblagmf.exe
File created	C:\Windows\SysWOW64\Pnjbcghk.dll	Jiiicf32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjola32.exe	Nqmfdj32.exe
File opened for modification	C:\Windows\SysWOW64\Oclkgccf.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Lmnbjama.dll	Palklf32.exe
File created	C:\Windows\SysWOW64\Bhkfkmmg.exe	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Bhpofl32.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Mbkkam32.dll	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Ioolkncg.exe	Imnocf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Chkobkod.exe
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	Qmeigg32.exe
File created	C:\Windows\SysWOW64\Lielhgaa.dll	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Bknlbhhe.exe
File created	C:\Windows\SysWOW64\Ipoheakj.exe	Ieidhh32.exe
File created	C:\Windows\SysWOW64\Ojhpimhp.exe	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Dhhmleng.dll	Ojhpimhp.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Omjbpn32.dll	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Kjjbjd32.exe	Kodnmkap.exe
File opened for modification	C:\Windows\SysWOW64\Ioolkncg.exe	Imnocf32.exe
File created	C:\Windows\SysWOW64\Efmnhl32.dll	Lqojclne.exe
File created	C:\Windows\SysWOW64\Kfcfimfi.dll	Phajna32.exe
File opened for modification	C:\Windows\SysWOW64\Akkffkhk.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Bkphhgfc.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Jiiicf32.exe	Jcoaglhk.exe
File opened for modification	C:\Windows\SysWOW64\Kodnmkap.exe	Kncaec32.exe
File created	C:\Windows\SysWOW64\Cocjiehd.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Hbdmdpjg.dll	Johnamkm.exe
File created	C:\Windows\SysWOW64\Klhnfo32.exe	Kjjbjd32.exe
File created	C:\Windows\SysWOW64\Mfjnfknb.dll	Mnegbp32.exe
File created	C:\Windows\SysWOW64\Obqhpfck.dll	Mfhbga32.exe
File opened for modification	C:\Windows\SysWOW64\Aagkhd32.exe	Afbgkl32.exe
File opened for modification	C:\Windows\SysWOW64\Hmdlmg32.exe	Hlepcdoa.exe
File opened for modification	C:\Windows\SysWOW64\Nmfcok32.exe	Ngjkfd32.exe
File opened for modification	C:\Windows\SysWOW64\Qmeigg32.exe	Qjfmkk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6224	1516	WerFault.exe	243

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinjhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jepjhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmfcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofpe32.dll"	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhgag32.dll"	Hlepcdoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqbpojnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogakfe32.dll"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll"	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobfelii.dll"	Jngbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfebfnqn.dll"	Gpgind32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfjfecno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfnoqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijikdfig.dll"	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll"	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgeag32.dll"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddjmo32.dll"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlpfhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbdadm32.dll"	Nfcabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdlmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lflbkcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaekqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihcbonm.dll"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjbcghk.dll"	Jiiicf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnkgo32.dll"	Klcekpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kncaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll"	Lflbkcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmfdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adkqoohc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 3888	1428	e4af77421b35bc7f686d8c2814e24237015e24d50d027d11990847466752400a.exe	82
PID 1428 wrote to memory of 3888	1428	e4af77421b35bc7f686d8c2814e24237015e24d50d027d11990847466752400a.exe	82
PID 1428 wrote to memory of 3888	1428	e4af77421b35bc7f686d8c2814e24237015e24d50d027d11990847466752400a.exe	82
PID 3888 wrote to memory of 3004	3888	Geaepk32.exe	84
PID 3888 wrote to memory of 3004	3888	Geaepk32.exe	84
PID 3888 wrote to memory of 3004	3888	Geaepk32.exe	84
PID 3004 wrote to memory of 1832	3004	Gpgind32.exe	85
PID 3004 wrote to memory of 1832	3004	Gpgind32.exe	85
PID 3004 wrote to memory of 1832	3004	Gpgind32.exe	85
PID 1832 wrote to memory of 2108	1832	Hedafk32.exe	86
PID 1832 wrote to memory of 2108	1832	Hedafk32.exe	86
PID 1832 wrote to memory of 2108	1832	Hedafk32.exe	86
PID 2108 wrote to memory of 3548	2108	Hlnjbedi.exe	87
PID 2108 wrote to memory of 3548	2108	Hlnjbedi.exe	87
PID 2108 wrote to memory of 3548	2108	Hlnjbedi.exe	87
PID 3548 wrote to memory of 2136	3548	Hfcnpn32.exe	89
PID 3548 wrote to memory of 2136	3548	Hfcnpn32.exe	89
PID 3548 wrote to memory of 2136	3548	Hfcnpn32.exe	89
PID 2136 wrote to memory of 3656	2136	Hlpfhe32.exe	90
PID 2136 wrote to memory of 3656	2136	Hlpfhe32.exe	90
PID 2136 wrote to memory of 3656	2136	Hlpfhe32.exe	90
PID 3656 wrote to memory of 2212	3656	Hehkajig.exe	91
PID 3656 wrote to memory of 2212	3656	Hehkajig.exe	91
PID 3656 wrote to memory of 2212	3656	Hehkajig.exe	91
PID 2212 wrote to memory of 2176	2212	Hpnoncim.exe	92
PID 2212 wrote to memory of 2176	2212	Hpnoncim.exe	92
PID 2212 wrote to memory of 2176	2212	Hpnoncim.exe	92
PID 2176 wrote to memory of 1384	2176	Hekgfj32.exe	93
PID 2176 wrote to memory of 1384	2176	Hekgfj32.exe	93
PID 2176 wrote to memory of 1384	2176	Hekgfj32.exe	93
PID 1384 wrote to memory of 4724	1384	Hlepcdoa.exe	94
PID 1384 wrote to memory of 4724	1384	Hlepcdoa.exe	94
PID 1384 wrote to memory of 4724	1384	Hlepcdoa.exe	94
PID 4724 wrote to memory of 2228	4724	Hmdlmg32.exe	95
PID 4724 wrote to memory of 2228	4724	Hmdlmg32.exe	95
PID 4724 wrote to memory of 2228	4724	Hmdlmg32.exe	95
PID 2228 wrote to memory of 4064	2228	Hoeieolb.exe	96
PID 2228 wrote to memory of 4064	2228	Hoeieolb.exe	96
PID 2228 wrote to memory of 4064	2228	Hoeieolb.exe	96
PID 4064 wrote to memory of 1472	4064	Iliinc32.exe	98
PID 4064 wrote to memory of 1472	4064	Iliinc32.exe	98
PID 4064 wrote to memory of 1472	4064	Iliinc32.exe	98
PID 1472 wrote to memory of 948	1472	Ibcaknbi.exe	99
PID 1472 wrote to memory of 948	1472	Ibcaknbi.exe	99
PID 1472 wrote to memory of 948	1472	Ibcaknbi.exe	99
PID 948 wrote to memory of 4100	948	Iinjhh32.exe	100
PID 948 wrote to memory of 4100	948	Iinjhh32.exe	100
PID 948 wrote to memory of 4100	948	Iinjhh32.exe	100
PID 4100 wrote to memory of 4684	4100	Ipgbdbqb.exe	101
PID 4100 wrote to memory of 4684	4100	Ipgbdbqb.exe	101
PID 4100 wrote to memory of 4684	4100	Ipgbdbqb.exe	101
PID 4684 wrote to memory of 1528	4684	Iedjmioj.exe	102
PID 4684 wrote to memory of 1528	4684	Iedjmioj.exe	102
PID 4684 wrote to memory of 1528	4684	Iedjmioj.exe	102
PID 1528 wrote to memory of 1116	1528	Ibhkfm32.exe	103
PID 1528 wrote to memory of 1116	1528	Ibhkfm32.exe	103
PID 1528 wrote to memory of 1116	1528	Ibhkfm32.exe	103
PID 1116 wrote to memory of 2896	1116	Imnocf32.exe	104
PID 1116 wrote to memory of 2896	1116	Imnocf32.exe	104
PID 1116 wrote to memory of 2896	1116	Imnocf32.exe	104
PID 2896 wrote to memory of 4416	2896	Ioolkncg.exe	105
PID 2896 wrote to memory of 4416	2896	Ioolkncg.exe	105
PID 2896 wrote to memory of 4416	2896	Ioolkncg.exe	105
PID 4416 wrote to memory of 1012	4416	Ieidhh32.exe	106

C:\Users\Admin\AppData\Local\Temp\e4af77421b35bc7f686d8c2814e24237015e24d50d027d11990847466752400a.exe
"C:\Users\Admin\AppData\Local\Temp\e4af77421b35bc7f686d8c2814e24237015e24d50d027d11990847466752400a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\Geaepk32.exe
  C:\Windows\system32\Geaepk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SysWOW64\Gpgind32.exe
    C:\Windows\system32\Gpgind32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\Hedafk32.exe
      C:\Windows\system32\Hedafk32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        32⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        33⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3232
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        35⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        37⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        41⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        47⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        51⤵
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        53⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        54⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3228
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:780
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        71⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        73⤵
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4548
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        77⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        78⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        79⤵
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        80⤵
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1976
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        83⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        84⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1168
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3992
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        88⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        91⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        93⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        94⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        95⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        98⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        101⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        106⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        109⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        110⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        113⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        117⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        119⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        122⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        123⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        124⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        127⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        129⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        131⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        132⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        134⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        135⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        136⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        137⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        138⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        139⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        140⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        143⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        145⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        147⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        148⤵
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        149⤵
        
        PID:520
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        150⤵
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        151⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        152⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        153⤵
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        156⤵
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        159⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        160⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 400
        161⤵
        Program crash
        
        PID:6224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1516 -ip 1516
1⤵
PID:6196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
59KB

MD5
4effe7e00a62d88e738dd374d6655acf

SHA1
29aea0306931988b6c5bcdf4a15d9b44c8bffb9d

SHA256
d3557f6a11afd8acd5c6e88b2b8199276fa75e0200d3f800b15f41563b71db9c

SHA512
89446d8a3b9615999c0f3f53fa4acf445071aa0a621216bc9f8e964f10de7d468f6ab594979685f50e0e67dfcfdab6b59bccbb91942d1fbecd8ae11b94033393

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
59KB

MD5
1dceaf0575535facfa707623c889e98d

SHA1
b4d303b435684d0bdee2053d1548af247b857817

SHA256
5c1682616a828c0f70327ca89bc07b605dc60686bf8ae16605f47e1447476628

SHA512
95428fa7182bf15de292c927cb4d4527b64280c0a142f00b13261f8dd880263df1d6dfea283cfeca176a077666d795a38950b0ef538fb01d9c73e96386adeadc

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
59KB

MD5
ea8a49e8ef9174083fd0d2aa819c67d1

SHA1
e54a9b26e7efa204860591f4649377a3f1983d62

SHA256
3678153270db7068925f6b22e86383453607ce55274d40ad3a360c123b2d7671

SHA512
75e8b5d1aaff581fbb2e5b8c0ee30064c71f0393301e67594db953567cd30487a16cd0e22f953efba78decdd4cc84c97e816fd8f71a031da12e84ab2c1aa8bb1

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
59KB

MD5
00eb9b764e4e5bdce4e841c99877d3fd

SHA1
feb191825f6e142bcc4fdc6e82dd6254f2c8aa52

SHA256
2726a6e14f75cf683d6f4985b84b336306e75bec6ca9e1aa4b503ed9860c9ea6

SHA512
c9528c136ddf8068f97c5d52ebd18aeb0ba230ed605336648a09db2142c674478874b542a9e5dff68af12a7ab4e2902268207705f2ba49bf96037c7574a1e1c4

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
59KB

MD5
851750f9e829a5127adca2b2a60a3eab

SHA1
094231d76856ae7fca92888ef58c9a1b967b605e

SHA256
f29006a996cad15dc6c93aa72624365ee569fd49f84fd87ab1078dcbff667cda

SHA512
67661aed1c34e9cc643c21cfe8e034cc3f16c14ffe115f7cf5daceecbaa6baab15115d09a4c2c7427b413bbc3fffc7c187ac1e2a0702dedbdb6b7f91268e148b

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
59KB

MD5
7c6e21e63faee8aec4f1673c80a5e334

SHA1
2f68a062e2f63e69694c31cbd4f24f7c275f8ada

SHA256
50975e513b5589ff9fbfdc776bbc3e03a5902309db51ec91787b64f7e04c2f81

SHA512
12349623ccd9d3261cff1bba2d33fc4d2e9e03cd486af3c3e76f33e45a48f3a4cb4dc668dd0b1a0746c4435b783a22c6e0109c3ba669b07a5b8969993e5d8e43

Download Submit
C:\Windows\SysWOW64\Dafppp32.exe

Filesize
59KB

MD5
0aa926272cf24b229de0a87fa0ed425f

SHA1
b82db47c7811d752c5b2a39d8c24ed3c934aca01

SHA256
b6d3a4ef25a6b56feff70e647ab6027ede6d001dd092005fc57099b313f751f8

SHA512
4a717cc583a581aa2943b6c9ea04253cb574c57ff2a9be534bef0851d57a2830f783627777f10229e24b47163355ad2911ee249918ae94cfd18fcc1724c5236e

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
59KB

MD5
5152f48b6620f47ff48c005fc15b6082

SHA1
39644a91bb5956ddb7a689a2a1b46bb3799847e5

SHA256
f596730d21cc2e38a7675f2639e471edbe6216bd5a763f3bf79de1f33f2a7dd1

SHA512
6ff3c9cfaa013b8229b691f26005d2673c01c6637f4b4668816934e0ee18d529c26c6dcc15cb9eef7a88025090b46bb4bb142823a11449842c1de8667f4aaf27

Download Submit
C:\Windows\SysWOW64\Geaepk32.exe

Filesize
59KB

MD5
2c42d45097c4c7e481bdb1b1d2b36f9e

SHA1
ec5a4a1c981437efa7ddd0edfe667ed47e8723b8

SHA256
cc66ff2557a90ff4148c9090f445915f3cdc8c20ee276a8d0583fadee53a2490

SHA512
13a89c14f34a5d35c4d0e6706393488fd58f60331514796f1b0f05cf16fc13eda59bd5672f7ad62dd59e243acfa438efd7cfeada499b0e00dcbe9988a3f1cc85

Download Submit
C:\Windows\SysWOW64\Gpgind32.exe

Filesize
59KB

MD5
f8904211beed965525e08780f45194f4

SHA1
6a9c42754109f850eca74a8d1b945983b6b3fa99

SHA256
47552f722470f366d28e2fa3a5e2d0eeefa6278637f872408b24755cebb438d9

SHA512
68a9acdd1f2386575ba6b92b1bf9b0c27e6241f35eb67734cf9534fe0062b6e2a00554b4c5fccfba1551240de2d71f68f6ca1a900d5e3a9a121ddb9dec6dc8a0

Download Submit
C:\Windows\SysWOW64\Hedafk32.exe

Filesize
59KB

MD5
df3dfc113c621795ef14ce0df49ad473

SHA1
9c901493fac4ef992430aee18a37fbedef52b40b

SHA256
6066f0002bd7bfff8bedd1c9f6392a7ad94c16aba89d5efe475dc3d7c1e52f93

SHA512
2f7f43b600233b49ced6ca2b47a728b0cfce94d7c92ffada0dea36642d99e32fe7fb20210e2278699b01e7d66672ef0c5e1cab9e1cbccf486dea99c1f12af695

Download Submit
C:\Windows\SysWOW64\Hehkajig.exe

Filesize
59KB

MD5
da6bf6cd4fcc930bce532b14afd0bbdd

SHA1
c2853c2777075e0d5872505b44cbc08a74c708c7

SHA256
d59e484fe549def3c9f436f6b9e936dde4c7417bf503e2d3c73d0e35357d9ad6

SHA512
c3a40ab15272b428b53e78634a5b836f137f073fd1a914b548aaefe273c9448c5d3f2f17a695aa51234d3374b85287cf5dfc10d703e3e5d65dc0bb1702b3c226

Download Submit
C:\Windows\SysWOW64\Hekgfj32.exe

Filesize
59KB

MD5
566a61dce32ddae65d71ae35f2de2d7d

SHA1
1cb8c64f9fe17213b73eb00066b692fc1fda0abb

SHA256
98d9ee4557b76838e2adb069ba9e43a7ea34d365d11ddd6cc116ed7a5fc7c04b

SHA512
4f2fd24eb31ff20a5c784b7c967cb44971b9372d35754f007d3fdbde5dff148e398499d987360d2bc639c960e58c259039b03e84081afb1c171e1b6ad7e74f2d

Download Submit
C:\Windows\SysWOW64\Hfcnpn32.exe

Filesize
59KB

MD5
82e3b5181439822d67b457e8fa06ca56

SHA1
ba52c5820148ac17cf1aa3fa0cc6562487dd707a

SHA256
68208f191a8bbc5aae2fe8d1d275245ee6cc510f4c15e26e53cd1ca0dd74ae25

SHA512
dbc730d738d191139fcddb9da01528df861266a33f1149a887ac4371da4899a732e91db2c305147d971fc6ffbb762b049b04bf46a13587edefb7b98be502d027

Download Submit
C:\Windows\SysWOW64\Hlepcdoa.exe

Filesize
59KB

MD5
6fe38a6eae67c4af9f6ff92630addb3b

SHA1
322f8e455d23b8118e4d1e1e8c13c278618c8c2d

SHA256
8981d3f0332b45d2869c055f93db7745b09aee8ea6cc94a84910399dde3ec499

SHA512
ceef5ef27a95a3251f8f4267e5a6f56f288b65128e6225502ccfd0fb668243fda8c961e3d3010167d729a6b0151a3739b44fcabd1d3c0dbe8cd04af9556ff642

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe

Filesize
59KB

MD5
6eee9d606794641cdc5a2a411d2b5a77

SHA1
7744069bcbeaf1556ba92228b9818d4c3897f9b2

SHA256
8aec4821a756bcdfc9540178261f9d229a50de111dbbf8cca9ffb9e0f9a44da8

SHA512
0867fdcfbd2b57c86e74b891ea8d892a05bab0ace9262f9395882c9deb94f8472bb1121146304dac9218ed029d2136ab2a07b681f8ba9766d248e66521878987

Download Submit
C:\Windows\SysWOW64\Hlpfhe32.exe

Filesize
59KB

MD5
bb0ec2ac73f840ee2077e63dffd29465

SHA1
37b614d1597462639b00a07844643eb2f493159d

SHA256
353dcb9065c0462a6a22642e53b8f213b96ddd19e1fcbdf79f734e677d71a9a8

SHA512
e0cf958a520c09147e1f3c17623b035c9240e12293a425f062f62d62b691fc274fc8003cbc3e7018282e97cde03a8edf36b013b7d6be844842b35b313067c236

Download Submit
C:\Windows\SysWOW64\Hmdlmg32.exe

Filesize
59KB

MD5
3047f46fff7cfe8e0085d4c91aa95706

SHA1
731c36ef3ecf0daeb301732eb2dfbb00f487b12e

SHA256
4988e90e8845815cfce5243eb4e8161c24b3157e7986464d4d342ba2f9304311

SHA512
be955ef1d26db117a25c620f49ad79d437dc1d09a04228f08ef7c7598249a6fb8310cb15f96927a6f250f8d3a0a1b84b31971280bae48fbbc65153768f1dea29

Download Submit
C:\Windows\SysWOW64\Hoeieolb.exe

Filesize
59KB

MD5
3405bb10346f8e46040ea74cd252ca80

SHA1
8e78b529d2fcf2a878e6a7d1ce4a9128019b3ca3

SHA256
0f872108bfd1958031be32dea97f0111208663dcd656813238f4bdcf12796f7f

SHA512
3a8f61ad048a4a0eabfbb827daf65219d4f1404fb32254bf4c41ce6bb0a2ad48423ba904b2f509d7de5336a48b6ca782867e292fa192b0b7983d546e964e1d56

Download Submit
C:\Windows\SysWOW64\Hpnoncim.exe

Filesize
59KB

MD5
35c1a7a927af7ff9c4b522e6a75c392b

SHA1
4cef7872f6b1750c09fa54804b7d05f92792ab73

SHA256
e5062115d64290a5a461b903126424e7914e5a2dd821a23ec13b79607c335011

SHA512
6c4585c696825b4d5a8c82723a86d2bb15b9aa7bb2b2d846297ec5bbe0e1388d53179c47baaf5cdd82fc5ae712ee2e6c776c08e117faf24060d9925d85d2c1dc

Download Submit
C:\Windows\SysWOW64\Ibcaknbi.exe

Filesize
59KB

MD5
60de4318dfff06c13a11f1faa01df527

SHA1
b17f5091279298b56af9a987a8250983c3f0f52c

SHA256
805361a55e15a81e059f6cecb9eb3e33a65feeda8196c2e1a700b466b452a3ba

SHA512
7cf72075efb9bc1aa3e0c2a18dcc4edc74006871d0d7a4a2175506359e01381bed5f95523c60563ee8a45f8d418e6d0ea184c6d99e9bf9d6ca1a381f91ffdffa

Download Submit
C:\Windows\SysWOW64\Ibhkfm32.exe

Filesize
59KB

MD5
c13c144e9ec145bfb923ca80b83d45b7

SHA1
5eb30a9874d601152b41ee88da73e8c408c81e35

SHA256
d389a0a46cdfa5db8c2d9e8b7064d693ca45e1ce6139a3317fe0abe600e68ff2

SHA512
7bbee2c74b0b219988c2522033298a9ea2cc4288e73c184d4ee1ac0ebe381025223e3a27ed1165b9bc44870f8febda1fe35dcf7ad5b8d2544e819eb5c54e5081

Download Submit
C:\Windows\SysWOW64\Iedjmioj.exe

Filesize
59KB

MD5
2feb0166665a1a4a52cd3574ad2d7b3f

SHA1
e4648552674af47198e0059939dfc37b5f0123cd

SHA256
8dce3da1e24ad8522b308101b754211de42f6e0023a32fc84d4464920d7befdc

SHA512
9d1117c30ed79d46f0b668b215626e046a6bf68ffbf5d87a2ab8d253820e46e41c07e3316eed56de49561b0e9a602a10f401749b83be6de207302a53dfe1526b

Download Submit
C:\Windows\SysWOW64\Ieidhh32.exe

Filesize
59KB

MD5
f56c76b1402fa8b5b31b075a5ddac5f3

SHA1
7529aa8e252e12faf2e455d6a945df33b58717e1

SHA256
a320c9fecf47723379889ca0c99092b45418ae28cbd37ec63b4eec97a0e741fa

SHA512
f70fe44d95ccfba1096d1e25b8c16dfa41966ac9de1f8a5e7f0bd39426aa2dad7a5075220993b7d6f0aff3b569140fb776f0589e49a6334b5a050de4f6d77a28

Download Submit
C:\Windows\SysWOW64\Iinjhh32.exe

Filesize
59KB

MD5
c0d3509e2a5eb748ccffa4d7da566d43

SHA1
20daa52f266b5e6e3c697add092780886ef2ab36

SHA256
ed4f87e3bc3a3e42998b4f0dbad5dffb968067902f2ee150fd29553fa28c3aac

SHA512
cf46633774d3e48425821e1adcae3e7307f9d4f5bc9dbe8a7cfc96286277e6174fbed6fd3e51f3ced9105d0a86914466f5a0aa07b57fd2be3e1ea6c8f8e56167

Download Submit
C:\Windows\SysWOW64\Iliinc32.exe

Filesize
59KB

MD5
a6d228d6960d29fe4c3d2653ec281ca2

SHA1
7534cfcb6882d9e6d10f6528a15f96aadb732189

SHA256
0998b07f1fc8e9958d05caa4876048ee430d20a951f9f973aa3db215e514a1ad

SHA512
89265e8588c7ba2509f32f57299fd16778906fac9815bfe7617a732574b5ab0b06e096992d8c37ba77e089281da64f786fe550718a84e4f8037b52a5f2b60533

Download Submit
C:\Windows\SysWOW64\Imnocf32.exe

Filesize
59KB

MD5
7efa83da688c0752542a83be45a82bdc

SHA1
863cddd7261d42f9e4e097a4cd9cb755fc42ecd4

SHA256
5f763fdf2ad1a978271ad471b648aba77f95fddd5c1acd7ef43f839575c6f60d

SHA512
39ec63a90892655d8eb700780acb234fc3d6d532d129a01fb291cdcac9d2e4e3b966d7048ace7908f41e0bf8e33a9363c949fc9a15f19a6c20752edc13c6d8f8

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
59KB

MD5
fde32b5a4d77c1d0da0637cb20006dca

SHA1
b401357e5fab964f02d48b1c747c46459b25c75b

SHA256
7e31d32e51557e713ab0f522fb52615db365ae44b28f8f12ab29accd6190bdde

SHA512
d8f286f74c47cc363a65b36478c9421fdd99bd48b814cea23cb0c48e94cd86c41271058b7320f93a3156c8ef18b14faef7342f068dd733bb47063b4ca3f60971

Download Submit
C:\Windows\SysWOW64\Ipgbdbqb.exe

Filesize
59KB

MD5
047c2943d9f9d6b6c1cc06612665b787

SHA1
6e5d5021e1dc3ca79fbe43ada734dff714bad788

SHA256
dd04ae549c463164de9d521d3164e93b9e89e85ee6706d48c16b1765aabd9f4c

SHA512
2f34d9489a8fb12b81fff56d4ef5270b2076730b3e78a2ce5554f95e9618fba743dd7368940dbecebe837ab31594601113707723ad4047b7b57d02096edb2429

Download Submit
C:\Windows\SysWOW64\Ipoheakj.exe

Filesize
59KB

MD5
49e8048f06124c2e6d3747a57e94ee86

SHA1
6360dac90cba26a2fd62b2a0c49bcbf347bf77d6

SHA256
5a0c197230f9c1f9f858c52afa99d00c6d460b3bfaee398f365eb6cd47d851d6

SHA512
940e4d3737a272a32f7a37ba6f07afe76705ca2307fd1924dfb94520fb614b8b78eb82545cabfe87df6f5fd6e758c8c11a3c4005c1e5ab1c6686dd180d36a6ca

Download Submit
C:\Windows\SysWOW64\Jcoaglhk.exe

Filesize
59KB

MD5
540cfc9f90f7ec138393d7023b7b8a51

SHA1
755cdd48d3487fa1e84aaeac1823562087b0423b

SHA256
3c572628110232b21bd7e4cfb58e59891ba5e728b18d1b334971b1e1717acc74

SHA512
026b407c7953c9ef24a94738649f406403f0050752d67adb8a856ee04180c2b01c7a93b1f837b7bd987e8c79a63a47b7e8a1fed3bd52f8bcf9d90da9d968db5e

Download Submit
C:\Windows\SysWOW64\Jebfng32.exe

Filesize
59KB

MD5
5db39cdf88213090cf26de771138743f

SHA1
c1310ab6ead2c9937cc272e5ba57b5e2c0fe8d83

SHA256
688c2b3e1f9b67fa34f889fb9463beead93f4a2725dcbec001e0e59e70109805

SHA512
7a127b847184624d754f5ac6c4450160f74948bfbfe16636c5782e9d5911caabce024659c7aa321a11f0198cc39f55c6db1c06cf86303b9054ef8cfb0e1ca309

Download Submit
C:\Windows\SysWOW64\Jepjhg32.exe

Filesize
59KB

MD5
df47a505eeaf2a241341dffe7f4574e0

SHA1
33d1c21c88270b6c601d95389b69c0a6b7168ed2

SHA256
3436201a2e2dee763aea6badbec889c1de612378b0926e7168bb0db9eb5e52af

SHA512
12b446170eeff6ad5df25c97541f6aa2376b5ef67de5f124407a55ac3fa2db381594ecb3f7b6393c8922a96f8b4efeaaa820e39291b0b466182399d2e89f65eb

Download Submit
C:\Windows\SysWOW64\Jiglnf32.exe

Filesize
59KB

MD5
2f6cfc8056b7a2356339d418b7e54d61

SHA1
2bc084c2c31aad38d64b427e1a67322578367397

SHA256
86fa22057446e868b22a3e30495171c1d41b07e1199a56c8ba8d05e7d8ee481f

SHA512
e5f598e1ae28b76934b86b0669d88879b7e0eb91a82ecc5b61a2740671370b3d83f828726f7304170a7d8ebbe91c3d1ea535520b119191dcc797f0c2d8751bd4

Download Submit
C:\Windows\SysWOW64\Jiiicf32.exe

Filesize
59KB

MD5
db9b72f1d749d008a7a3400de8ab89b4

SHA1
d733bd3f8ef40283b25b7033b954235d6c9a0ab4

SHA256
77f12af27384ecbacc0bd5d55a22f3282cfe7a2e3f7ac019192317c8aa3c43fd

SHA512
3970bdcff181f0296b34f410db521920c31c26dacd18825e9ae6fd07fccfb28145a7ec6b68847fd5f688cfcc4356cee3832a0dc6096aa828d8c799cb6e092b9d

Download Submit
C:\Windows\SysWOW64\Jllokajf.exe

Filesize
59KB

MD5
2fe6f249a01204f8f6f663343de07dc5

SHA1
9a269dd1230c35a0d975423dfe886c109b38b0ce

SHA256
9d5798681520a778f7dbef822303e5db2562f342c8a0a9853d2227771bded8e2

SHA512
b29a79241344a9de123ffd670942d3982c599db699f80a168707fbea324e2429f22773f109e925f694c0dbf51e61da492215adb5c465a9fbaa94414cd1fceec1

Download Submit
C:\Windows\SysWOW64\Jngbjd32.exe

Filesize
59KB

MD5
5b60c98d2b3ede462fe81b8e41121613

SHA1
ff0f8493d2a4f068763cd446dea7cddb2b967cec

SHA256
bde5af9d2458338da6eb6e763e47b70680a3c55c37d47e62ecfa071688bc4ac6

SHA512
2199217dc56213fe543ac8482d5bffc4ae99e3c04b96042a168706c8f7467d42db0bd764affa41c81b2e95d6a04a1bf5d5e9deed6c4e332d46abc4983a42ad3b

Download Submit
C:\Windows\SysWOW64\Johnamkm.exe

Filesize
59KB

MD5
901c364a4a8a535d1f02110e715aab7c

SHA1
95628ac7c3f36e9677515942710877cc0d0e431b

SHA256
30da96fd1e1803e009b0e8db5f2fb65c8d92ad3083a0eb14ecbe3fc2011c673e

SHA512
8adedfb9de3a5817f0ab31c7c2891323be6b14c343afc645e1c63c2d446e4cffefa978686cb621d6a763d2e682274d756e11aa7697904db4674739029029a733

Download Submit
C:\Windows\SysWOW64\Jpaekqhh.exe

Filesize
59KB

MD5
807ad735034913a827743c4ab1e7709c

SHA1
a9154d026e46d4b2e9a1146baac80019c251fe9c

SHA256
5a48c598a63fa267ce5321a26c4f20878c33ed3fea37b14b0f92033db7fd63f3

SHA512
d73cb72128d5a92c8f25be5a26d741b72cdb7bf61a9d4bb1d1c75642ebb97174a7fa02f5fd44045952ef0c4a873fa0c18d8dc94c99c9ec9e3deb65426831760c

Download Submit
C:\Windows\SysWOW64\Jpcapp32.exe

Filesize
59KB

MD5
32d01ef2452b7391a8d0165527ca33e0

SHA1
eeaacdef6ffa720f34197e1e91f9cb581a0a2c5d

SHA256
4f53fc1dc2c022069d74a09c395f03816b08a834499ff12de54b2783f8f3aa95

SHA512
4f67dbef1e3c1a3a61174cbadc6a47e746c2e05f0bd6055a7e053d24940e176cc36c9126ce64e2206c6ce230cdcaae8aa6e6d99243b9841da12a3532dcf33a95

Download Submit
C:\Windows\SysWOW64\Kgiiiidd.exe

Filesize
59KB

MD5
17511b01507e0b5f4f314649d63bc5ac

SHA1
bc13554701dddad6b1ca000f90e2f01801414083

SHA256
0d2fda22db08535f87c1cd216c66ff9b8f6916f8a03a0e424ead9d815940f557

SHA512
90127b1b15fcfaa1908630dadaea360324dee74b873b8afa9290e2a9a3c6211472ca6dbc93207348f781e9c2e649649abeed5bc839d069fb433e6979c53fb9ca

Download Submit
C:\Windows\SysWOW64\Mfhbga32.exe

Filesize
59KB

MD5
27d2e0f539fb4538555c7532623e0fda

SHA1
7e75cfcfd992303b591b03cf4df217f8bc82b654

SHA256
65434cae0401f7ef84dada266c13cf44210c4f33286b743e75962a1005a71e4d

SHA512
781ff26e7026fe5b998cdd6f90f61ff339026d4647f7a35d3aaa88ee809b750abec8b11f43697d74d3cf2fc2003696bf1648c9d120d05fa1273db746641cca92

Download Submit
C:\Windows\SysWOW64\Mmmqhl32.exe

Filesize
59KB

MD5
e8744c59bd9e64e65d1c7b35fd0392e9

SHA1
17a729ee3b7034fa3038c2c836989074635ad1d5

SHA256
56f5c82a1fc310c98b45f01cd5ef41b2573a9c6481e227c3583acf2238a5fa92

SHA512
bcbbdeaffeed7b38aaadc2c31e15dc563b212de76c09e885baf6659abeb1f57d327e9a8ff0b499d5020d21c6e5f96912a7442f77ae322685d8c0c17ff2cbec7a

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
59KB

MD5
5884fd262f9301c567eec4afd1e46395

SHA1
a92352d5e9542fbec622fdadd451c73f4eabe63a

SHA256
7d9205264db17e1852d9fb3ffe9998575ba86bfe253691f05218ef697029420b

SHA512
78470dbfd9f267448230d226842fc2d9cad75e030aa5a117abdc0d292297f4573c871e738da0f25f53553e126c698d03bc829586aee9bf24260f292f49d6e947

Download Submit
C:\Windows\SysWOW64\Oaifpi32.exe

Filesize
59KB

MD5
56e1e124ae98cbd632e0affddb90dbce

SHA1
c6999c2c4740244a01684414ab5156d9cc2499ec

SHA256
9604980d7795f6b267aff6f3ba28af6d112836a5aad214aaa422b99446912929

SHA512
8cee36a1eb578905ccb55a8b5a4d600e4ed85e13582145f12b5cc3e4da409b5d7003a63c20e4be9cfffe3d8e0169f0adcc998bf8c7db60dccbc2a2cdfbacdca0

Download Submit
C:\Windows\SysWOW64\Omdppiif.exe

Filesize
59KB

MD5
f0ea7491d0c13a5b3259147a81371536

SHA1
6df09a2fea24b51e16a2f31c0bf2a2ed818daa17

SHA256
776886925c784062951b7d87ba4a323ba384e103a33ea86fe77e9ba8bac457ad

SHA512
3e367aa01d76fd47e10ba694d67a7c2207345901880b4009c4414576596cf9478713eeca70e90062815e2202f149fccda51786ebc8106ab13a1472088e65ec3e

Download Submit
C:\Windows\SysWOW64\Pdmdnadc.exe

Filesize
59KB

MD5
88a31ebbab07aabb788b77ab6a86a817

SHA1
aac9b3899d5d6d7848bd56cbb3e9a69ec53626c7

SHA256
341be5248d44092f2004718a9c48042a6f8a1c398b6bac1bb36a5ec50d6a3ad4

SHA512
c0832e7753bc1a9c4b2f7eebd1e7e07ce73fe04212fde3bfe19044e4cfa32ef1fc652086fe7a52460e110c5e85fa4d47a9f8ec20a131760f38c5bc0418d59fa9

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
59KB

MD5
d569862003adc6f89e3f65a9451a227e

SHA1
3bc1377c6c22c26b5318a28dd7e7ab35cf341fdc

SHA256
03f2c04837c99875f9a354f52307f49f01175c72eb459e2121cc0dfe9509cbe6

SHA512
aeca69e220d78f792aa5092b035695f1bbf5ef9b8d7a25740c6e43e8208629988efd6a79a11c47c8fc923f5557b678228985bb81a3344d4ed543e851c05edd51

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
59KB

MD5
5c3edef28d40a62d721cd1e199222555

SHA1
82950cea2e667d65dbcc0e9575b13b7289d6bee5

SHA256
997603b331c14d851f1c6510b7ccbc1d64587c06d9d62554594b5d764f04e664

SHA512
5872a0cbb5f52acbb160f09b421d14b774f71be3642ae7d08f5f3a2671bb44cd5cb82a8ca916175577d20115e0c331c694ff97506c96e6db0bad21ab097902fd

Download Submit
memory/448-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/460-536-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/556-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/696-272-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/760-436-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/780-477-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/868-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/920-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/948-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1012-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1048-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1116-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1136-284-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1384-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1384-606-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1388-465-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1428-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1428-546-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1472-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1476-430-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1528-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-400-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1704-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1756-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1832-561-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1832-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1936-446-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1972-310-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2108-568-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2108-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2136-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2136-580-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2176-599-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2176-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2196-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2212-593-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2212-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2228-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2244-296-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2260-562-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-471-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2372-332-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2456-406-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2544-418-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2548-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2604-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2612-504-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2724-236-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2752-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2896-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2988-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3004-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3004-555-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3008-549-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3108-388-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3140-412-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3228-453-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3232-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3272-370-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3312-394-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3320-459-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3440-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3484-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3520-524-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3536-512-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3548-574-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3548-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3624-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3656-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3656-587-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3864-368-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3888-548-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3888-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3948-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3992-581-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4048-424-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4056-216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4064-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4100-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4108-518-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4344-382-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4352-376-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4384-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4416-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4548-506-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4568-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4684-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4700-489-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4724-613-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4724-92-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4784-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4860-487-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5056-530-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5208-600-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5252-607-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5296-614-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads