780bb08807a0a60c57985761d995dad05286ed7e95a7cd83ea259789b7e55dfa

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.da33ed40aaf506124bf7b44f94286470.exe
Size

439KB
MD5

da33ed40aaf506124bf7b44f94286470
SHA1

2d064295b01d1096b4bed7069c03502cf9954619
SHA256

780bb08807a0a60c57985761d995dad05286ed7e95a7cd83ea259789b7e55dfa
SHA512

b2be2bc9c22d9424d939097213aa37c3c20848ebeb63615135267d6c4dd14cf4e442bcb6c16dd5f839a146c63a05beffe8341ed2289aafe53f43c5f6757c8045
SSDEEP

12288:kfDoqEONtDp9V3PeKm2OPeKm22Vtp90NtmVtp90NtXONt:kkqXDpLpEkpEY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbbagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhmigagd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinmcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leopnglc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plbmokop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emlenj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlfelogp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cadlbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhlpqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnfjbdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knflpoqf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miofjepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nemmoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olgncmim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afinioip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqfoamfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjodjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oohgdhfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcepkfld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niakfbpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nknobkje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkcfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njghbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cadlbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdpkflfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oifeab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoofle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghppm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfogeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbgcih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjpbam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nahgoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjghcfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plpqil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nognnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oampjeml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkabjbih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obafpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phincl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfhad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpcmga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkaicd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qikgco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbbch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knflpoqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkaicd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lankbigo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okchnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmgelf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnjjfegi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdpkflfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okchnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oemefcap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bppfmigl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiildjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjjghcfp.exe

Executes dropped EXE 64 IoCs

pid	Process
864	Oghppm32.exe
4556	Aqkpeopg.exe
1756	Ajcdnd32.exe
2692	Aihaoqlp.exe
3460	Aflaie32.exe
3680	Acpbbi32.exe
2056	Bqfoamfj.exe
4796	Bjodjb32.exe
4464	Bcghch32.exe
3296	Bqkill32.exe
4248	Bgeaifia.exe
1960	Bppfmigl.exe
4900	Cpbbch32.exe
2172	Cabomkll.exe
2672	Cfogeb32.exe
4452	Cadlbk32.exe
2100	Dfhjkabi.exe
5064	Dannij32.exe
4284	Diicml32.exe
1200	Dhlpqc32.exe
368	Emlenj32.exe
1932	Ehcfaboo.exe
484	Eiildjag.exe
4180	Fhmigagd.exe
4172	Fhofmq32.exe
3292	Fdffbake.exe
5036	Fajgkfio.exe
980	Fhflnpoi.exe
3420	Gpcmga32.exe
3840	Gilapgqb.exe
4456	Gdafnpqh.exe
4120	Gnjjfegi.exe
3724	Hnodaecc.exe
3144	Hdilnojp.exe
4052	Hpomcp32.exe
2928	Hkeaqi32.exe
2764	Hdmein32.exe
2640	Hnfjbdmk.exe
3240	Hacbhb32.exe
3336	Igqkqiai.exe
3472	Iafonaao.exe
1632	Ijadbdoj.exe
2452	Idghpmnp.exe
1752	Iakiia32.exe
1336	Iqpfjnba.exe
5100	Iqbbpm32.exe
3264	Jjjghcfp.exe
2216	Jdpkflfe.exe
3440	Jnhpoamf.exe
3856	Jjopcb32.exe
4856	Jnmijq32.exe
1004	Jkaicd32.exe
1696	Kkcfid32.exe
1920	Kndojobi.exe
3956	Kenggi32.exe
5020	Knflpoqf.exe
2936	Kjmmepfj.exe
3540	Kinmcg32.exe
4384	Lbgalmej.exe
1652	Ljbfpo32.exe
5012	Lkabjbih.exe
4012	Lankbigo.exe
3124	Lbngllob.exe
1312	Llflea32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mbbagk32.exe	Leopnglc.exe
File created	C:\Windows\SysWOW64\Eehmok32.dll	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Djaiilmd.dll	Ljbfpo32.exe
File created	C:\Windows\SysWOW64\Kimapcmi.dll	Pcepkfld.exe
File created	C:\Windows\SysWOW64\Eiildjag.exe	Ehcfaboo.exe
File created	C:\Windows\SysWOW64\Jcigfeaf.dll	Mlpokp32.exe
File opened for modification	C:\Windows\SysWOW64\Qmgelf32.exe	Qhjmdp32.exe
File opened for modification	C:\Windows\SysWOW64\Iqpfjnba.exe	Iakiia32.exe
File created	C:\Windows\SysWOW64\Nkddkljd.dll	Mehcdfch.exe
File created	C:\Windows\SysWOW64\Idefqiag.dll	Akhcfe32.exe
File created	C:\Windows\SysWOW64\Gbemad32.dll	Fhflnpoi.exe
File opened for modification	C:\Windows\SysWOW64\Hkeaqi32.exe	Hpomcp32.exe
File opened for modification	C:\Windows\SysWOW64\Jdpkflfe.exe	Jjjghcfp.exe
File created	C:\Windows\SysWOW64\Mgekdpbp.dll	Okchnk32.exe
File created	C:\Windows\SysWOW64\Ingcceof.dll	Oampjeml.exe
File created	C:\Windows\SysWOW64\Qmgelf32.exe	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Pbbigf32.dll	Nlfelogp.exe
File created	C:\Windows\SysWOW64\Njmqnobn.exe	Nfjola32.exe
File opened for modification	C:\Windows\SysWOW64\Dhlpqc32.exe	Diicml32.exe
File opened for modification	C:\Windows\SysWOW64\Nemmoe32.exe	Njghbl32.exe
File created	C:\Windows\SysWOW64\Lepein32.dll	Niakfbpa.exe
File created	C:\Windows\SysWOW64\Oifeab32.exe	Oblmdhdo.exe
File created	C:\Windows\SysWOW64\Aaenbd32.exe	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Ahofoogd.exe	Aaenbd32.exe
File opened for modification	C:\Windows\SysWOW64\Olgncmim.exe	Oemefcap.exe
File opened for modification	C:\Windows\SysWOW64\Pkogiikb.exe	Oeaoab32.exe
File created	C:\Windows\SysWOW64\Baiinofi.dll	Nfjola32.exe
File created	C:\Windows\SysWOW64\Jkghalnb.dll	Dhlpqc32.exe
File created	C:\Windows\SysWOW64\Okchnk32.exe	Niakfbpa.exe
File created	C:\Windows\SysWOW64\Oeaoab32.exe	Oohgdhfn.exe
File opened for modification	C:\Windows\SysWOW64\Qkmdkgob.exe	Qikgco32.exe
File opened for modification	C:\Windows\SysWOW64\Aflaie32.exe	Aihaoqlp.exe
File created	C:\Windows\SysWOW64\Idqionfg.dll	Bqfoamfj.exe
File created	C:\Windows\SysWOW64\Fmcldc32.dll	Fhmigagd.exe
File created	C:\Windows\SysWOW64\Gpcmga32.exe	Fhflnpoi.exe
File opened for modification	C:\Windows\SysWOW64\Miaboe32.exe	Mjpbam32.exe
File opened for modification	C:\Windows\SysWOW64\Okgaijaj.exe	Oifeab32.exe
File created	C:\Windows\SysWOW64\Cpbbch32.exe	Bppfmigl.exe
File created	C:\Windows\SysWOW64\Kednfemc.dll	Eiildjag.exe
File created	C:\Windows\SysWOW64\Bchace32.dll	Lkabjbih.exe
File created	C:\Windows\SysWOW64\Nacmdf32.exe	Nlfelogp.exe
File opened for modification	C:\Windows\SysWOW64\Igqkqiai.exe	Hacbhb32.exe
File created	C:\Windows\SysWOW64\Acfhad32.exe	Ahqddk32.exe
File opened for modification	C:\Windows\SysWOW64\Njmqnobn.exe	Nfjola32.exe
File created	C:\Windows\SysWOW64\Emlenj32.exe	Dhlpqc32.exe
File opened for modification	C:\Windows\SysWOW64\Oampjeml.exe	Okchnk32.exe
File opened for modification	C:\Windows\SysWOW64\Dfhjkabi.exe	Cadlbk32.exe
File created	C:\Windows\SysWOW64\Plbmokop.exe	Pamiaboj.exe
File opened for modification	C:\Windows\SysWOW64\Qikgco32.exe	Qlggjk32.exe
File created	C:\Windows\SysWOW64\Dfljoa32.dll	Oghppm32.exe
File opened for modification	C:\Windows\SysWOW64\Jjjghcfp.exe	Iqbbpm32.exe
File opened for modification	C:\Windows\SysWOW64\Alcfei32.exe	Afinioip.exe
File opened for modification	C:\Windows\SysWOW64\Ljqhkckn.exe	Akhcfe32.exe
File opened for modification	C:\Windows\SysWOW64\Miofjepg.exe	Mniallpq.exe
File created	C:\Windows\SysWOW64\Jdigjdia.dll	Knflpoqf.exe
File created	C:\Windows\SysWOW64\Jdpkflfe.exe	Jjjghcfp.exe
File created	C:\Windows\SysWOW64\Oohgdhfn.exe	Oiknlagg.exe
File opened for modification	C:\Windows\SysWOW64\Plbmokop.exe	Pamiaboj.exe
File opened for modification	C:\Windows\SysWOW64\Aaenbd32.exe	Akkffkhk.exe
File opened for modification	C:\Windows\SysWOW64\Fdffbake.exe	Fhofmq32.exe
File created	C:\Windows\SysWOW64\Laahglpp.dll	Gpcmga32.exe
File opened for modification	C:\Windows\SysWOW64\Qjfmkk32.exe	Pdmdnadc.exe
File created	C:\Windows\SysWOW64\Hiebgmkm.dll	Qhjmdp32.exe
File opened for modification	C:\Windows\SysWOW64\Lbgalmej.exe	Kinmcg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6812	6628	WerFault.exe	234

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Milidebi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okgaijaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achegd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gilapgqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkabjbih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmfqg32.dll"	Nbgcih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okchnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oeaoab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgeaifia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idghpmnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leopnglc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlpokp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nahgoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcepkfld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Looknpmn.dll"	Bqkill32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpplna32.dll"	Bppfmigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idqionfg.dll"	Bqfoamfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqkill32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.da33ed40aaf506124bf7b44f94286470.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kenggi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oifeab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjodjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migidc32.dll"	Gdafnpqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phincl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oghppm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iqpfjnba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkogiikb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnedaem.dll"	Nacmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dannij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clomci32.dll"	Jnmijq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgokg32.dll"	Mbbagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiknlagg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfljoa32.dll"	Oghppm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilmfhhk.dll"	Acpbbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhlpqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.da33ed40aaf506124bf7b44f94286470.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iqbbpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcfgpga.dll"	Kinmcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgpnkdm.dll"	Nemmoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oblmdhdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcnob32.dll"	Llflea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhbolp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obafpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chalkm32.dll"	Oiknlagg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdafnpqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnodaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efficj32.dll"	Kndojobi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnphmkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjebhadm.dll"	Qkmdkgob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnmijq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbgcih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpqnneo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akkffkhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqfoamfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfokdq32.dll"	Hnodaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knflpoqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lojkhk32.dll"	Qaflgago.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdffbake.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mejpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okgaijaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plbmokop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 864	5068	NEAS.da33ed40aaf506124bf7b44f94286470.exe	86
PID 5068 wrote to memory of 864	5068	NEAS.da33ed40aaf506124bf7b44f94286470.exe	86
PID 5068 wrote to memory of 864	5068	NEAS.da33ed40aaf506124bf7b44f94286470.exe	86
PID 864 wrote to memory of 4556	864	Oghppm32.exe	87
PID 864 wrote to memory of 4556	864	Oghppm32.exe	87
PID 864 wrote to memory of 4556	864	Oghppm32.exe	87
PID 4556 wrote to memory of 1756	4556	Aqkpeopg.exe	88
PID 4556 wrote to memory of 1756	4556	Aqkpeopg.exe	88
PID 4556 wrote to memory of 1756	4556	Aqkpeopg.exe	88
PID 1756 wrote to memory of 2692	1756	Ajcdnd32.exe	90
PID 1756 wrote to memory of 2692	1756	Ajcdnd32.exe	90
PID 1756 wrote to memory of 2692	1756	Ajcdnd32.exe	90
PID 2692 wrote to memory of 3460	2692	Aihaoqlp.exe	91
PID 2692 wrote to memory of 3460	2692	Aihaoqlp.exe	91
PID 2692 wrote to memory of 3460	2692	Aihaoqlp.exe	91
PID 3460 wrote to memory of 3680	3460	Aflaie32.exe	92
PID 3460 wrote to memory of 3680	3460	Aflaie32.exe	92
PID 3460 wrote to memory of 3680	3460	Aflaie32.exe	92
PID 3680 wrote to memory of 2056	3680	Acpbbi32.exe	93
PID 3680 wrote to memory of 2056	3680	Acpbbi32.exe	93
PID 3680 wrote to memory of 2056	3680	Acpbbi32.exe	93
PID 2056 wrote to memory of 4796	2056	Bqfoamfj.exe	94
PID 2056 wrote to memory of 4796	2056	Bqfoamfj.exe	94
PID 2056 wrote to memory of 4796	2056	Bqfoamfj.exe	94
PID 4796 wrote to memory of 4464	4796	Bjodjb32.exe	106
PID 4796 wrote to memory of 4464	4796	Bjodjb32.exe	106
PID 4796 wrote to memory of 4464	4796	Bjodjb32.exe	106
PID 4464 wrote to memory of 3296	4464	Bcghch32.exe	104
PID 4464 wrote to memory of 3296	4464	Bcghch32.exe	104
PID 4464 wrote to memory of 3296	4464	Bcghch32.exe	104
PID 3296 wrote to memory of 4248	3296	Bqkill32.exe	101
PID 3296 wrote to memory of 4248	3296	Bqkill32.exe	101
PID 3296 wrote to memory of 4248	3296	Bqkill32.exe	101
PID 4248 wrote to memory of 1960	4248	Bgeaifia.exe	95
PID 4248 wrote to memory of 1960	4248	Bgeaifia.exe	95
PID 4248 wrote to memory of 1960	4248	Bgeaifia.exe	95
PID 1960 wrote to memory of 4900	1960	Bppfmigl.exe	98
PID 1960 wrote to memory of 4900	1960	Bppfmigl.exe	98
PID 1960 wrote to memory of 4900	1960	Bppfmigl.exe	98
PID 4900 wrote to memory of 2172	4900	Cpbbch32.exe	96
PID 4900 wrote to memory of 2172	4900	Cpbbch32.exe	96
PID 4900 wrote to memory of 2172	4900	Cpbbch32.exe	96
PID 2172 wrote to memory of 2672	2172	Cabomkll.exe	97
PID 2172 wrote to memory of 2672	2172	Cabomkll.exe	97
PID 2172 wrote to memory of 2672	2172	Cabomkll.exe	97
PID 2672 wrote to memory of 4452	2672	Cfogeb32.exe	99
PID 2672 wrote to memory of 4452	2672	Cfogeb32.exe	99
PID 2672 wrote to memory of 4452	2672	Cfogeb32.exe	99
PID 4452 wrote to memory of 2100	4452	Cadlbk32.exe	102
PID 4452 wrote to memory of 2100	4452	Cadlbk32.exe	102
PID 4452 wrote to memory of 2100	4452	Cadlbk32.exe	102
PID 2100 wrote to memory of 5064	2100	Dfhjkabi.exe	103
PID 2100 wrote to memory of 5064	2100	Dfhjkabi.exe	103
PID 2100 wrote to memory of 5064	2100	Dfhjkabi.exe	103
PID 5064 wrote to memory of 4284	5064	Dannij32.exe	105
PID 5064 wrote to memory of 4284	5064	Dannij32.exe	105
PID 5064 wrote to memory of 4284	5064	Dannij32.exe	105
PID 4284 wrote to memory of 1200	4284	Diicml32.exe	107
PID 4284 wrote to memory of 1200	4284	Diicml32.exe	107
PID 4284 wrote to memory of 1200	4284	Diicml32.exe	107
PID 1200 wrote to memory of 368	1200	Dhlpqc32.exe	108
PID 1200 wrote to memory of 368	1200	Dhlpqc32.exe	108
PID 1200 wrote to memory of 368	1200	Dhlpqc32.exe	108
PID 368 wrote to memory of 1932	368	Emlenj32.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.da33ed40aaf506124bf7b44f94286470.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.da33ed40aaf506124bf7b44f94286470.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\Oghppm32.exe
  C:\Windows\system32\Oghppm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\Aqkpeopg.exe
    C:\Windows\system32\Aqkpeopg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\Ajcdnd32.exe
      C:\Windows\system32\Ajcdnd32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Windows\SysWOW64\Aihaoqlp.exe
        
        C:\Windows\system32\Aihaoqlp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\Aflaie32.exe
        
        C:\Windows\system32\Aflaie32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Acpbbi32.exe
        
        C:\Windows\system32\Acpbbi32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Bqfoamfj.exe
        
        C:\Windows\system32\Bqfoamfj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Bjodjb32.exe
        
        C:\Windows\system32\Bjodjb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Bcghch32.exe
        
        C:\Windows\system32\Bcghch32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464

C:\Windows\SysWOW64\Bppfmigl.exe
C:\Windows\system32\Bppfmigl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\Cpbbch32.exe
  C:\Windows\system32\Cpbbch32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4900

C:\Windows\SysWOW64\Cabomkll.exe
C:\Windows\system32\Cabomkll.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\Cfogeb32.exe
  C:\Windows\system32\Cfogeb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\Cadlbk32.exe
    C:\Windows\system32\Cadlbk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\SysWOW64\Dfhjkabi.exe
      C:\Windows\system32\Dfhjkabi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\Dannij32.exe
        
        C:\Windows\system32\Dannij32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\SysWOW64\Diicml32.exe
        
        C:\Windows\system32\Diicml32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Dhlpqc32.exe
        
        C:\Windows\system32\Dhlpqc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Emlenj32.exe
        
        C:\Windows\system32\Emlenj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Ehcfaboo.exe
        
        C:\Windows\system32\Ehcfaboo.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\Eiildjag.exe
        
        C:\Windows\system32\Eiildjag.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:484
        
        C:\Windows\SysWOW64\Fhmigagd.exe
        
        C:\Windows\system32\Fhmigagd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Fhofmq32.exe
        
        C:\Windows\system32\Fhofmq32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\Fdffbake.exe
        
        C:\Windows\system32\Fdffbake.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Fajgkfio.exe
        
        C:\Windows\system32\Fajgkfio.exe
        14⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Fhflnpoi.exe
        
        C:\Windows\system32\Fhflnpoi.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\Gpcmga32.exe
        
        C:\Windows\system32\Gpcmga32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Gilapgqb.exe
        
        C:\Windows\system32\Gilapgqb.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Gdafnpqh.exe
        
        C:\Windows\system32\Gdafnpqh.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Gnjjfegi.exe
        
        C:\Windows\system32\Gnjjfegi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Hnodaecc.exe
        
        C:\Windows\system32\Hnodaecc.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Hdilnojp.exe
        
        C:\Windows\system32\Hdilnojp.exe
        21⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Hpomcp32.exe
        
        C:\Windows\system32\Hpomcp32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Hkeaqi32.exe
        
        C:\Windows\system32\Hkeaqi32.exe
        23⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Hdmein32.exe
        
        C:\Windows\system32\Hdmein32.exe
        24⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Hnfjbdmk.exe
        
        C:\Windows\system32\Hnfjbdmk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Hacbhb32.exe
        
        C:\Windows\system32\Hacbhb32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Igqkqiai.exe
        
        C:\Windows\system32\Igqkqiai.exe
        27⤵
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Iafonaao.exe
        
        C:\Windows\system32\Iafonaao.exe
        28⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Ijadbdoj.exe
        
        C:\Windows\system32\Ijadbdoj.exe
        29⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\Idghpmnp.exe
        
        C:\Windows\system32\Idghpmnp.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Iakiia32.exe
        
        C:\Windows\system32\Iakiia32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Iqpfjnba.exe
        
        C:\Windows\system32\Iqpfjnba.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Iqbbpm32.exe
        
        C:\Windows\system32\Iqbbpm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Jjjghcfp.exe
        
        C:\Windows\system32\Jjjghcfp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Jdpkflfe.exe
        
        C:\Windows\system32\Jdpkflfe.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Jnhpoamf.exe
        
        C:\Windows\system32\Jnhpoamf.exe
        36⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Jjopcb32.exe
        
        C:\Windows\system32\Jjopcb32.exe
        37⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Jnmijq32.exe
        
        C:\Windows\system32\Jnmijq32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Jkaicd32.exe
        
        C:\Windows\system32\Jkaicd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Kkcfid32.exe
        
        C:\Windows\system32\Kkcfid32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Kndojobi.exe
        
        C:\Windows\system32\Kndojobi.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Kenggi32.exe
        
        C:\Windows\system32\Kenggi32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Knflpoqf.exe
        
        C:\Windows\system32\Knflpoqf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Kjmmepfj.exe
        
        C:\Windows\system32\Kjmmepfj.exe
        44⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\Kinmcg32.exe
        
        C:\Windows\system32\Kinmcg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Lbgalmej.exe
        
        C:\Windows\system32\Lbgalmej.exe
        46⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Ljbfpo32.exe
        
        C:\Windows\system32\Ljbfpo32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Lkabjbih.exe
        
        C:\Windows\system32\Lkabjbih.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Lankbigo.exe
        
        C:\Windows\system32\Lankbigo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\Lbngllob.exe
        
        C:\Windows\system32\Lbngllob.exe
        50⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Llflea32.exe
        
        C:\Windows\system32\Llflea32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Leopnglc.exe
        
        C:\Windows\system32\Leopnglc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Mbbagk32.exe
        
        C:\Windows\system32\Mbbagk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Milidebi.exe
        
        C:\Windows\system32\Milidebi.exe
        54⤵
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Mniallpq.exe
        
        C:\Windows\system32\Mniallpq.exe
        55⤵
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Miofjepg.exe
        
        C:\Windows\system32\Miofjepg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1636
        
        C:\Windows\SysWOW64\Mjpbam32.exe
        
        C:\Windows\system32\Mjpbam32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\Miaboe32.exe
        
        C:\Windows\system32\Miaboe32.exe
        58⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\Mlpokp32.exe
        
        C:\Windows\system32\Mlpokp32.exe
        59⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Mehcdfch.exe
        
        C:\Windows\system32\Mehcdfch.exe
        60⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Mnphmkji.exe
        
        C:\Windows\system32\Mnphmkji.exe
        61⤵
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Mejpje32.exe
        
        C:\Windows\system32\Mejpje32.exe
        62⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Njghbl32.exe
        
        C:\Windows\system32\Njghbl32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Nemmoe32.exe
        
        C:\Windows\system32\Nemmoe32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Nlfelogp.exe
        
        C:\Windows\system32\Nlfelogp.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Nacmdf32.exe
        
        C:\Windows\system32\Nacmdf32.exe
        66⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Nhmeapmd.exe
        
        C:\Windows\system32\Nhmeapmd.exe
        67⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Nognnj32.exe
        
        C:\Windows\system32\Nognnj32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Nimbkc32.exe
        
        C:\Windows\system32\Nimbkc32.exe
        69⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Nknobkje.exe
        
        C:\Windows\system32\Nknobkje.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Nahgoe32.exe
        
        C:\Windows\system32\Nahgoe32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Nhbolp32.exe
        
        C:\Windows\system32\Nhbolp32.exe
        72⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Nbgcih32.exe
        
        C:\Windows\system32\Nbgcih32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Niakfbpa.exe
        
        C:\Windows\system32\Niakfbpa.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Okchnk32.exe
        
        C:\Windows\system32\Okchnk32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Oampjeml.exe
        
        C:\Windows\system32\Oampjeml.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Olbdhn32.exe
        
        C:\Windows\system32\Olbdhn32.exe
        77⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Oblmdhdo.exe
        
        C:\Windows\system32\Oblmdhdo.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Oifeab32.exe
        
        C:\Windows\system32\Oifeab32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Okgaijaj.exe
        
        C:\Windows\system32\Okgaijaj.exe
        80⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Oemefcap.exe
        
        C:\Windows\system32\Oemefcap.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Olgncmim.exe
        
        C:\Windows\system32\Olgncmim.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Obafpg32.exe
        
        C:\Windows\system32\Obafpg32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Oiknlagg.exe
        
        C:\Windows\system32\Oiknlagg.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Oohgdhfn.exe
        
        C:\Windows\system32\Oohgdhfn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Oeaoab32.exe
        
        C:\Windows\system32\Oeaoab32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Pkogiikb.exe
        
        C:\Windows\system32\Pkogiikb.exe
        87⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Pcepkfld.exe
        
        C:\Windows\system32\Pcepkfld.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Plpqil32.exe
        
        C:\Windows\system32\Plpqil32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Pamiaboj.exe
        
        C:\Windows\system32\Pamiaboj.exe
        90⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Plbmokop.exe
        
        C:\Windows\system32\Plbmokop.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Pcmeke32.exe
        
        C:\Windows\system32\Pcmeke32.exe
        92⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Phincl32.exe
        
        C:\Windows\system32\Phincl32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Pocfpf32.exe
        
        C:\Windows\system32\Pocfpf32.exe
        94⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Pemomqcn.exe
        
        C:\Windows\system32\Pemomqcn.exe
        95⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Qlggjk32.exe
        
        C:\Windows\system32\Qlggjk32.exe
        96⤵
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\Qikgco32.exe
        
        C:\Windows\system32\Qikgco32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Qkmdkgob.exe
        
        C:\Windows\system32\Qkmdkgob.exe
        98⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Qaflgago.exe
        
        C:\Windows\system32\Qaflgago.exe
        99⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Ahqddk32.exe
        
        C:\Windows\system32\Ahqddk32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Acfhad32.exe
        
        C:\Windows\system32\Acfhad32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Ajpqnneo.exe
        
        C:\Windows\system32\Ajpqnneo.exe
        102⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Alnmjjdb.exe
        
        C:\Windows\system32\Alnmjjdb.exe
        103⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\Achegd32.exe
        
        C:\Windows\system32\Achegd32.exe
        104⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Ahenokjf.exe
        
        C:\Windows\system32\Ahenokjf.exe
        105⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Aoofle32.exe
        
        C:\Windows\system32\Aoofle32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Afinioip.exe
        
        C:\Windows\system32\Afinioip.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Alcfei32.exe
        
        C:\Windows\system32\Alcfei32.exe
        108⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Abponp32.exe
        
        C:\Windows\system32\Abponp32.exe
        109⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Akhcfe32.exe
        
        C:\Windows\system32\Akhcfe32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        111⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        112⤵
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        115⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6152
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        119⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6280
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        122⤵
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6576
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        124⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 408
        125⤵
        Program crash
        
        PID:6812

C:\Windows\SysWOW64\Bgeaifia.exe
C:\Windows\system32\Bgeaifia.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\Bqkill32.exe
C:\Windows\system32\Bqkill32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6628 -ip 6628
1⤵
PID:6676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acpbbi32.exe

Filesize
439KB

MD5
c264eddcd3339dcc2dd0a8fa5ff72b46

SHA1
7d520bd857739b1dcba82ccaa49c18e7a068b258

SHA256
75638e9c64707f6f291618db222ec04375d1867970023ce93944129c72a4341b

SHA512
fa094c7d270b167200522b094d77d16b07e08e4347492f311e558f56a12f01cf0e2baac8ef08f8d8d2abebcff38af1cebde0c7e680a0453bdae889a880b4d4c0

Download Submit
C:\Windows\SysWOW64\Acpbbi32.exe

Filesize
439KB

MD5
c264eddcd3339dcc2dd0a8fa5ff72b46

SHA1
7d520bd857739b1dcba82ccaa49c18e7a068b258

SHA256
75638e9c64707f6f291618db222ec04375d1867970023ce93944129c72a4341b

SHA512
fa094c7d270b167200522b094d77d16b07e08e4347492f311e558f56a12f01cf0e2baac8ef08f8d8d2abebcff38af1cebde0c7e680a0453bdae889a880b4d4c0

Download Submit
C:\Windows\SysWOW64\Aflaie32.exe

Filesize
439KB

MD5
175f5ad94085910741ae48b7da9aeeec

SHA1
f26f787bb83edcb69faacf2e58151f9d380995ee

SHA256
d8ff9be0fcd6991f433e2daa66ba3677a4620420ac8ec0a2541c840449184d60

SHA512
bc84f8b715b2870ab4a6f20b203cf8922687e1157476662fc446caea6b45d6e0319f7872c16128e8b96c8e81b882313074084af831b96c4b780f793a9f1a6ab7

Download Submit
C:\Windows\SysWOW64\Aflaie32.exe

Filesize
439KB

MD5
175f5ad94085910741ae48b7da9aeeec

SHA1
f26f787bb83edcb69faacf2e58151f9d380995ee

SHA256
d8ff9be0fcd6991f433e2daa66ba3677a4620420ac8ec0a2541c840449184d60

SHA512
bc84f8b715b2870ab4a6f20b203cf8922687e1157476662fc446caea6b45d6e0319f7872c16128e8b96c8e81b882313074084af831b96c4b780f793a9f1a6ab7

Download Submit
C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
64KB

MD5
e3a6941b89c3f22d97e08f7563803da8

SHA1
bf1961a743cace12e8befee449191d5ea76629c5

SHA256
5adfed966d786578f098ccdc25c1c209b873b3c58e8c8fa558944846fde87a3a

SHA512
d4c932160ad9132379547928bf3111b2c47ef5aa25f7239875e9e6d8a4f200bca9c14f88e22dcb39d9a47c9b1c2db67cb76e536abaee50927c8cf0b6cd30f159

Download Submit
C:\Windows\SysWOW64\Aihaoqlp.exe

Filesize
439KB

MD5
7f2091e50ba00c021f3aaa66e0c0b9e3

SHA1
48483a89fb5c62d995839d888fae9e24bd64d329

SHA256
652f8aee4af57c9f0ede20291d820c8d01008ad82e4646414edd5f38f5ea3104

SHA512
630ab376f586d69448655f3fff21870a2bc2f6b8d805355b7b5f8bf1e8ff1f66d5881e56b7cc17e5613e59e1175b0c4988f7a9b2f8a0e9974c38c3fa39554389

Download Submit
C:\Windows\SysWOW64\Aihaoqlp.exe

Filesize
439KB

MD5
7f2091e50ba00c021f3aaa66e0c0b9e3

SHA1
48483a89fb5c62d995839d888fae9e24bd64d329

SHA256
652f8aee4af57c9f0ede20291d820c8d01008ad82e4646414edd5f38f5ea3104

SHA512
630ab376f586d69448655f3fff21870a2bc2f6b8d805355b7b5f8bf1e8ff1f66d5881e56b7cc17e5613e59e1175b0c4988f7a9b2f8a0e9974c38c3fa39554389

Download Submit
C:\Windows\SysWOW64\Ajcdnd32.exe

Filesize
439KB

MD5
0cbfe72bf6689f4c88e79beb4b6d6f36

SHA1
7cb6e143e495ec128035977072347cec1329e354

SHA256
9b49542f63740439cf43fbd92fd12ef96c5e6d2b79aa1cb7626534fd49ad29b7

SHA512
0bd90b20dc6c8a0529daea0cdf3382083d42da29454e5da8005d7bb4860796af8179b04d0846a5bc3904a6153c81900c2ffc8dcd007353256d6964de839c4728

Download Submit
C:\Windows\SysWOW64\Ajcdnd32.exe

Filesize
439KB

MD5
0cbfe72bf6689f4c88e79beb4b6d6f36

SHA1
7cb6e143e495ec128035977072347cec1329e354

SHA256
9b49542f63740439cf43fbd92fd12ef96c5e6d2b79aa1cb7626534fd49ad29b7

SHA512
0bd90b20dc6c8a0529daea0cdf3382083d42da29454e5da8005d7bb4860796af8179b04d0846a5bc3904a6153c81900c2ffc8dcd007353256d6964de839c4728

Download Submit
C:\Windows\SysWOW64\Aqkpeopg.exe

Filesize
439KB

MD5
0b34abeeca5abb434f7ff9cfe2c10085

SHA1
c7eae3d7157421e1cb099c408bc7b8b818808e5e

SHA256
f74eed22ab2ba957d835b34d8671228a4ce9705ed84a4bf210588accb487bbf6

SHA512
c940087ba0b7d86f43b335d5c9004807f0ba4df1fd7c09e1fc14abcdb22cb9b2d08ba3df31cc29b6df150e68d24b208567c934c32dba5ea2b5c511c50c00f95f

Download Submit
C:\Windows\SysWOW64\Aqkpeopg.exe

Filesize
439KB

MD5
0b34abeeca5abb434f7ff9cfe2c10085

SHA1
c7eae3d7157421e1cb099c408bc7b8b818808e5e

SHA256
f74eed22ab2ba957d835b34d8671228a4ce9705ed84a4bf210588accb487bbf6

SHA512
c940087ba0b7d86f43b335d5c9004807f0ba4df1fd7c09e1fc14abcdb22cb9b2d08ba3df31cc29b6df150e68d24b208567c934c32dba5ea2b5c511c50c00f95f

Download Submit
C:\Windows\SysWOW64\Bcghch32.exe

Filesize
439KB

MD5
6a5aa9cd570838332c26cc235af957d0

SHA1
618bb57756790e92f33235495a9f356515df5553

SHA256
12fdf0dc92ad29fcba3cb9e87b855a2d4ad10dda471dcad80002a22d3a72e459

SHA512
13a3437c58c0c9509aea16c5102c04d62c49ea100e46024bc9ca2e23991e3438d24ab621c55f08a40770ed4c80806e0912b9ea286570bb69ddadf7cea9dba41e

Download Submit
C:\Windows\SysWOW64\Bcghch32.exe

Filesize
439KB

MD5
6a5aa9cd570838332c26cc235af957d0

SHA1
618bb57756790e92f33235495a9f356515df5553

SHA256
12fdf0dc92ad29fcba3cb9e87b855a2d4ad10dda471dcad80002a22d3a72e459

SHA512
13a3437c58c0c9509aea16c5102c04d62c49ea100e46024bc9ca2e23991e3438d24ab621c55f08a40770ed4c80806e0912b9ea286570bb69ddadf7cea9dba41e

Download Submit
C:\Windows\SysWOW64\Bgeaifia.exe

Filesize
439KB

MD5
968bac6eebc0f619d90de1e0156705e9

SHA1
4b574ddf9528a169f07a1eeb231c9bd1bc0e1e93

SHA256
43f6b6c5341d695a74d209f49cc829f0e498575ccf59322918f2511e809c2d49

SHA512
56def9e9936df11df3ba050299453c4f9eb3fb646acf4607b547aa048747413f2d53ddc06ab9f6d77b6cf13d3a67ae33713b5926d01939c398c5019f9bad1977

Download Submit
C:\Windows\SysWOW64\Bgeaifia.exe

Filesize
439KB

MD5
968bac6eebc0f619d90de1e0156705e9

SHA1
4b574ddf9528a169f07a1eeb231c9bd1bc0e1e93

SHA256
43f6b6c5341d695a74d209f49cc829f0e498575ccf59322918f2511e809c2d49

SHA512
56def9e9936df11df3ba050299453c4f9eb3fb646acf4607b547aa048747413f2d53ddc06ab9f6d77b6cf13d3a67ae33713b5926d01939c398c5019f9bad1977

Download Submit
C:\Windows\SysWOW64\Bjodjb32.exe

Filesize
439KB

MD5
1d817875f86bf6262bd01a0b334ebaac

SHA1
5cef4bb13e08cffc421c98164017f8f171a877d4

SHA256
3dd8f00249eddab025a25e164bb2e20877192b2c06b44175a1232550d7ce18a4

SHA512
faa4bcb4da65572c1033ccf245d885c0a2dbb76245c56e844f9ddc0f8a944603571a874d837ab22143ae72e5f01bd264002fc1b0949122b5ea16b047d9f0ec5e

Download Submit
C:\Windows\SysWOW64\Bjodjb32.exe

Filesize
439KB

MD5
1d817875f86bf6262bd01a0b334ebaac

SHA1
5cef4bb13e08cffc421c98164017f8f171a877d4

SHA256
3dd8f00249eddab025a25e164bb2e20877192b2c06b44175a1232550d7ce18a4

SHA512
faa4bcb4da65572c1033ccf245d885c0a2dbb76245c56e844f9ddc0f8a944603571a874d837ab22143ae72e5f01bd264002fc1b0949122b5ea16b047d9f0ec5e

Download Submit
C:\Windows\SysWOW64\Bppfmigl.exe

Filesize
439KB

MD5
3266aaa9102df259a24a0c9541e6aff2

SHA1
7ad0bed0d2dde68306a3de6490475a0849c9991b

SHA256
5e543b69323b0bc296d29e98d44ef3b7d1e4a5a32f4821b6292d5a8ea6262e8d

SHA512
148993e48f498f2fecaea5d2ecc16ac7ddd959f6a53f68c740bdda7239c3d49860170bd4ca00850a193e55f5d3c9dfc2b9521b7f502bab83642da2386a411a3b

Download Submit
C:\Windows\SysWOW64\Bppfmigl.exe

Filesize
439KB

MD5
3266aaa9102df259a24a0c9541e6aff2

SHA1
7ad0bed0d2dde68306a3de6490475a0849c9991b

SHA256
5e543b69323b0bc296d29e98d44ef3b7d1e4a5a32f4821b6292d5a8ea6262e8d

SHA512
148993e48f498f2fecaea5d2ecc16ac7ddd959f6a53f68c740bdda7239c3d49860170bd4ca00850a193e55f5d3c9dfc2b9521b7f502bab83642da2386a411a3b

Download Submit
C:\Windows\SysWOW64\Bqfoamfj.exe

Filesize
439KB

MD5
2c9f4059f90bc740bb10b258cfff05e2

SHA1
00eea8e5dd8c2ac1b1513ed7ae184bfb897623a1

SHA256
afb2aa91462e6826b963b479be417c0bdac89a67d5f61621253ea9ed5ab020a4

SHA512
88ad4f5a10416ba5aebec11041f52cbf5bb8d5daafa8939087a52b1d9b2655e582c0d41bb300feee77578117fcdd5a1a036b7451f050c545c348021a480686e0

Download Submit
C:\Windows\SysWOW64\Bqfoamfj.exe

Filesize
439KB

MD5
2c9f4059f90bc740bb10b258cfff05e2

SHA1
00eea8e5dd8c2ac1b1513ed7ae184bfb897623a1

SHA256
afb2aa91462e6826b963b479be417c0bdac89a67d5f61621253ea9ed5ab020a4

SHA512
88ad4f5a10416ba5aebec11041f52cbf5bb8d5daafa8939087a52b1d9b2655e582c0d41bb300feee77578117fcdd5a1a036b7451f050c545c348021a480686e0

Download Submit
C:\Windows\SysWOW64\Bqkill32.exe

Filesize
439KB

MD5
0c0c1cb376ac67b54d10d8b3de35727e

SHA1
50e1b824191bd8b88f88dd068728c39748d7fbb8

SHA256
7c112da215731662b328500d7278fd596448818aae779d8f2d1c46584a4bf8c6

SHA512
8e94baaed0a98f2cdd206ee3855df941965b97d1bee0f68fbaf578a4b16c772cb8bea7da018833a14cd6517b86056f1e983beed97294027d89c85a78bdda388c

Download Submit
C:\Windows\SysWOW64\Bqkill32.exe

Filesize
439KB

MD5
0c0c1cb376ac67b54d10d8b3de35727e

SHA1
50e1b824191bd8b88f88dd068728c39748d7fbb8

SHA256
7c112da215731662b328500d7278fd596448818aae779d8f2d1c46584a4bf8c6

SHA512
8e94baaed0a98f2cdd206ee3855df941965b97d1bee0f68fbaf578a4b16c772cb8bea7da018833a14cd6517b86056f1e983beed97294027d89c85a78bdda388c

Download Submit
C:\Windows\SysWOW64\Cabomkll.exe

Filesize
439KB

MD5
c841de06130c5e0e8f0db1d29935f099

SHA1
23fec5cbd83d699c09e55d7fd93f9585c4f74cd0

SHA256
933d68911602a938b45a43d1542a2f4c9f5867b5fb7a742e3f1eb3445ebc4bf9

SHA512
b32a711e5043beb1f54f3d0f0db66c746ec1a411a22791f528a15d479e6b175e3e842328a00310c3f41f1ad21098401037420f797abbec619ba68c32ebc7ef25

Download Submit
C:\Windows\SysWOW64\Cabomkll.exe

Filesize
439KB

MD5
c841de06130c5e0e8f0db1d29935f099

SHA1
23fec5cbd83d699c09e55d7fd93f9585c4f74cd0

SHA256
933d68911602a938b45a43d1542a2f4c9f5867b5fb7a742e3f1eb3445ebc4bf9

SHA512
b32a711e5043beb1f54f3d0f0db66c746ec1a411a22791f528a15d479e6b175e3e842328a00310c3f41f1ad21098401037420f797abbec619ba68c32ebc7ef25

Download Submit
C:\Windows\SysWOW64\Cadlbk32.exe

Filesize
439KB

MD5
a554235387461057aff7fc3071fdb510

SHA1
0a9359804d1d8858c0514babd0d918caaf8785db

SHA256
73461f4c2c1bda39a93798b29144aa1dca047438cbd45f4bbca0cc295019e6df

SHA512
f15f49cfc648198200483c63f536b253d42e3e15769c2fafe26bc06b600f095735cd7fc822cdf827207e85667ebabb5e38a2f57ec56a871d6739862dcc6a3e2d

Download Submit
C:\Windows\SysWOW64\Cadlbk32.exe

Filesize
439KB

MD5
a554235387461057aff7fc3071fdb510

SHA1
0a9359804d1d8858c0514babd0d918caaf8785db

SHA256
73461f4c2c1bda39a93798b29144aa1dca047438cbd45f4bbca0cc295019e6df

SHA512
f15f49cfc648198200483c63f536b253d42e3e15769c2fafe26bc06b600f095735cd7fc822cdf827207e85667ebabb5e38a2f57ec56a871d6739862dcc6a3e2d

Download Submit
C:\Windows\SysWOW64\Cfogeb32.exe

Filesize
439KB

MD5
08c8a6b78caee07107d3063650257a3e

SHA1
a4d0dddfeef501c0b5a52da04f145b2c95005e8f

SHA256
f2f677169102bf39ddae2f01ef68571a532106ce9f5460db356a47330ed5bf35

SHA512
ccc272a545a6eb824d733cc279d2d13eb1d0644eb9e39f071a3880d934341f785a50a17cb9a83827723988ef116afc1a0af4763be071a650243198babfd1e527

Download Submit
C:\Windows\SysWOW64\Cfogeb32.exe

Filesize
439KB

MD5
08c8a6b78caee07107d3063650257a3e

SHA1
a4d0dddfeef501c0b5a52da04f145b2c95005e8f

SHA256
f2f677169102bf39ddae2f01ef68571a532106ce9f5460db356a47330ed5bf35

SHA512
ccc272a545a6eb824d733cc279d2d13eb1d0644eb9e39f071a3880d934341f785a50a17cb9a83827723988ef116afc1a0af4763be071a650243198babfd1e527

Download Submit
C:\Windows\SysWOW64\Cpbbch32.exe

Filesize
439KB

MD5
c39de6f93c6e30de7ab9894e29a36495

SHA1
5f76d66b29bff7ae7f16cd335e502a6d3a5feaf9

SHA256
aa13571cd58c1ceb781ebf7b276e95047ac8611cfe486a9d978aaf0899899a97

SHA512
f04fdbae788ff8f7257586af85095e5726b2668d00e6133e8996b30e288cca702cabb0d4fd08c02f8405b36988fc1a7482c46e059f329f12deaedb560b462ac0

Download Submit
C:\Windows\SysWOW64\Cpbbch32.exe

Filesize
439KB

MD5
c39de6f93c6e30de7ab9894e29a36495

SHA1
5f76d66b29bff7ae7f16cd335e502a6d3a5feaf9

SHA256
aa13571cd58c1ceb781ebf7b276e95047ac8611cfe486a9d978aaf0899899a97

SHA512
f04fdbae788ff8f7257586af85095e5726b2668d00e6133e8996b30e288cca702cabb0d4fd08c02f8405b36988fc1a7482c46e059f329f12deaedb560b462ac0

Download Submit
C:\Windows\SysWOW64\Dannij32.exe

Filesize
439KB

MD5
d62d1567c4a0bc1f18b9a9ab884ed313

SHA1
947ca791fe33f35b61e67c5e8f270dc66139a3e4

SHA256
d29a25895cad5cf7b078f9aa00ff79316e8d85eff73959f8a2f478595785fed2

SHA512
12705fa02b2a05a947a3aed61e537474bba7f7d0aa45ebb4ca6b80ccc9ebea2249c9472b60c12084d2fe1c958db320e26d519c7572fd81542918f5326a865fde

Download Submit
C:\Windows\SysWOW64\Dannij32.exe

Filesize
439KB

MD5
d62d1567c4a0bc1f18b9a9ab884ed313

SHA1
947ca791fe33f35b61e67c5e8f270dc66139a3e4

SHA256
d29a25895cad5cf7b078f9aa00ff79316e8d85eff73959f8a2f478595785fed2

SHA512
12705fa02b2a05a947a3aed61e537474bba7f7d0aa45ebb4ca6b80ccc9ebea2249c9472b60c12084d2fe1c958db320e26d519c7572fd81542918f5326a865fde

Download Submit
C:\Windows\SysWOW64\Dfhjkabi.exe

Filesize
439KB

MD5
a9bb0d30892bc1d12d334afee1820a36

SHA1
75ffe8155ad68efa2a6e4c64e51f5de2eda41c3d

SHA256
0f7f9f7d8635d2f712379ae01125e943259de0a74e8fa0750c74514ccae49758

SHA512
ee8ba5b4bf68d17de1b6cdb549ea7e4af9135a9b793e3785054a2fa7eb856fabf708ab881e7a93438c395842935aa90edeb0d1c8cee888571f1aba752494a201

Download Submit
C:\Windows\SysWOW64\Dfhjkabi.exe

Filesize
439KB

MD5
a9bb0d30892bc1d12d334afee1820a36

SHA1
75ffe8155ad68efa2a6e4c64e51f5de2eda41c3d

SHA256
0f7f9f7d8635d2f712379ae01125e943259de0a74e8fa0750c74514ccae49758

SHA512
ee8ba5b4bf68d17de1b6cdb549ea7e4af9135a9b793e3785054a2fa7eb856fabf708ab881e7a93438c395842935aa90edeb0d1c8cee888571f1aba752494a201

Download Submit
C:\Windows\SysWOW64\Dhlpqc32.exe

Filesize
439KB

MD5
c3ee3f3b86ac495def905ac176b1c38e

SHA1
36e24ed107b13838bbfa9b6cc4b535559a7ca743

SHA256
45880acab1627cc604df7859753109cc82b7a5eb7ffdc5173e9f1df223500965

SHA512
ecb0d2c96838431f30cbccbd85e0e3b84315b106345d755f4bcc8bcd616c44af24a375ecf74cd5fb2ea54a68a151bdbb35950ace7cc0c38f01a152017dfb4658

Download Submit
C:\Windows\SysWOW64\Dhlpqc32.exe

Filesize
439KB

MD5
c3ee3f3b86ac495def905ac176b1c38e

SHA1
36e24ed107b13838bbfa9b6cc4b535559a7ca743

SHA256
45880acab1627cc604df7859753109cc82b7a5eb7ffdc5173e9f1df223500965

SHA512
ecb0d2c96838431f30cbccbd85e0e3b84315b106345d755f4bcc8bcd616c44af24a375ecf74cd5fb2ea54a68a151bdbb35950ace7cc0c38f01a152017dfb4658

Download Submit
C:\Windows\SysWOW64\Diicml32.exe

Filesize
439KB

MD5
3b5bf05df2dc5d266285038b864ea80f

SHA1
5f7406b5e9af0a14f6ef981f594eb62c1b19c504

SHA256
1fa90720082a5a8a76c0c059d9df7980b5338802a6674dff0fbed58a0b77378d

SHA512
7a7c9139b31e77904759efe284074feab9a17d5132d284f47e91b0e9dca622784f4dfe8b16082173955db81fec4b5c72b79ba7e862b8a74ecd6ffe9ffc11c577

Download Submit
C:\Windows\SysWOW64\Diicml32.exe

Filesize
439KB

MD5
3b5bf05df2dc5d266285038b864ea80f

SHA1
5f7406b5e9af0a14f6ef981f594eb62c1b19c504

SHA256
1fa90720082a5a8a76c0c059d9df7980b5338802a6674dff0fbed58a0b77378d

SHA512
7a7c9139b31e77904759efe284074feab9a17d5132d284f47e91b0e9dca622784f4dfe8b16082173955db81fec4b5c72b79ba7e862b8a74ecd6ffe9ffc11c577

Download Submit
C:\Windows\SysWOW64\Ehcfaboo.exe

Filesize
439KB

MD5
10f8c6a5b23006d6da6fcc4aceabe286

SHA1
32d9f43e6c930cc4cae8d5043c7b5730406d4d01

SHA256
7345d07705a3888aa8be2885c4889b6197ad0d35dbe88cc5e23131b1fceb1978

SHA512
3d308247bf1f9fbd143f0c8fac1d08538cf2639a3d527127c55082b81677a7ceeb1b5ee1f1f8e7d5c38d5b3cdd836c8749c8fd9d8c819c0d25a4e90e8a523a4a

Download Submit
C:\Windows\SysWOW64\Ehcfaboo.exe

Filesize
439KB

MD5
cf0d12c6c0275167f360ea027e5a1502

SHA1
c48e3c7ca52ac54632c0661a8287300f26069c70

SHA256
eb4bdb62b06a61f4f62dcdd130d512574d10b72ce655c318f4b20e020c3b5428

SHA512
c4f6ea49103533d90f54b64a6e46141e4e0a5645b3721d19a837949b45a39e6038c11627b495deb7d93b2a7ac053b4706bb5ab72deaa6c6ea0456c18a2c080b7

Download Submit
C:\Windows\SysWOW64\Ehcfaboo.exe

Filesize
439KB

MD5
cf0d12c6c0275167f360ea027e5a1502

SHA1
c48e3c7ca52ac54632c0661a8287300f26069c70

SHA256
eb4bdb62b06a61f4f62dcdd130d512574d10b72ce655c318f4b20e020c3b5428

SHA512
c4f6ea49103533d90f54b64a6e46141e4e0a5645b3721d19a837949b45a39e6038c11627b495deb7d93b2a7ac053b4706bb5ab72deaa6c6ea0456c18a2c080b7

Download Submit
C:\Windows\SysWOW64\Eiildjag.exe

Filesize
439KB

MD5
e5f5edb8791fd06abffda89efa7980ce

SHA1
f1ddcf6f9458ce0bef50a0765c097358ffa59807

SHA256
1bd68ef8f2a615438e16cfd859d8e96b7fea0624e31997be67cb1f6ce25298e6

SHA512
d80748e6174df279c3255c406f6dfbe96a9fc4130e9c22769692251f964fa9f2d7f0b1f6a73835bfffdbba2c868c3d50a351747e77c656b005fa0a8a5679b1eb

Download Submit
C:\Windows\SysWOW64\Eiildjag.exe

Filesize
439KB

MD5
e5f5edb8791fd06abffda89efa7980ce

SHA1
f1ddcf6f9458ce0bef50a0765c097358ffa59807

SHA256
1bd68ef8f2a615438e16cfd859d8e96b7fea0624e31997be67cb1f6ce25298e6

SHA512
d80748e6174df279c3255c406f6dfbe96a9fc4130e9c22769692251f964fa9f2d7f0b1f6a73835bfffdbba2c868c3d50a351747e77c656b005fa0a8a5679b1eb

Download Submit
C:\Windows\SysWOW64\Emlenj32.exe

Filesize
439KB

MD5
10f8c6a5b23006d6da6fcc4aceabe286

SHA1
32d9f43e6c930cc4cae8d5043c7b5730406d4d01

SHA256
7345d07705a3888aa8be2885c4889b6197ad0d35dbe88cc5e23131b1fceb1978

SHA512
3d308247bf1f9fbd143f0c8fac1d08538cf2639a3d527127c55082b81677a7ceeb1b5ee1f1f8e7d5c38d5b3cdd836c8749c8fd9d8c819c0d25a4e90e8a523a4a

Download Submit
C:\Windows\SysWOW64\Emlenj32.exe

Filesize
439KB

MD5
10f8c6a5b23006d6da6fcc4aceabe286

SHA1
32d9f43e6c930cc4cae8d5043c7b5730406d4d01

SHA256
7345d07705a3888aa8be2885c4889b6197ad0d35dbe88cc5e23131b1fceb1978

SHA512
3d308247bf1f9fbd143f0c8fac1d08538cf2639a3d527127c55082b81677a7ceeb1b5ee1f1f8e7d5c38d5b3cdd836c8749c8fd9d8c819c0d25a4e90e8a523a4a

Download Submit
C:\Windows\SysWOW64\Fajgkfio.exe

Filesize
439KB

MD5
16f678e479d5f708f6214d08e2e02019

SHA1
078b2aa21b89494e5d3348e4b7f6a8d4d4c24f9c

SHA256
a68ae5611034497a8f107a565afc74542bfc3335daa00ee47d8b881fbd2c4ff4

SHA512
567fd8cd1b63f9b6f196bb55137d82d3986cd54f7b768f200a40b7570a0cc256688bd2b18898ac7fbf8fa5c55649b6c31c7990d3f154ca60b1cafcc311a1610b

Download Submit
C:\Windows\SysWOW64\Fajgkfio.exe

Filesize
439KB

MD5
16f678e479d5f708f6214d08e2e02019

SHA1
078b2aa21b89494e5d3348e4b7f6a8d4d4c24f9c

SHA256
a68ae5611034497a8f107a565afc74542bfc3335daa00ee47d8b881fbd2c4ff4

SHA512
567fd8cd1b63f9b6f196bb55137d82d3986cd54f7b768f200a40b7570a0cc256688bd2b18898ac7fbf8fa5c55649b6c31c7990d3f154ca60b1cafcc311a1610b

Download Submit
C:\Windows\SysWOW64\Fdffbake.exe

Filesize
439KB

MD5
e5becd6387d1baf455626c98f04364b3

SHA1
194ff2ab8e51cb0894b8cb5be960d4b00e86a008

SHA256
abd7bd7a6090cbfad0dc4b1af56813fb786ca92858a23941f28065bba3d0140e

SHA512
766793a20728c2d840b1738923a6701af494a58fbb5960cd0833292bd8d9439d230e2f85bdd8696fb6d68a77508204e12fdab58882806ce8d050a7939d1555bb

Download Submit
C:\Windows\SysWOW64\Fdffbake.exe

Filesize
439KB

MD5
e5becd6387d1baf455626c98f04364b3

SHA1
194ff2ab8e51cb0894b8cb5be960d4b00e86a008

SHA256
abd7bd7a6090cbfad0dc4b1af56813fb786ca92858a23941f28065bba3d0140e

SHA512
766793a20728c2d840b1738923a6701af494a58fbb5960cd0833292bd8d9439d230e2f85bdd8696fb6d68a77508204e12fdab58882806ce8d050a7939d1555bb

Download Submit
C:\Windows\SysWOW64\Fhflnpoi.exe

Filesize
439KB

MD5
b8c7d44361f2eab3b6441e5042fa45b0

SHA1
c1bbbfd29b547ed83d6102e97b40c3b96f7e3019

SHA256
f47614f23ea6eae07996b90775e6e315939655ac5d8eddaff9e7492da2df237e

SHA512
26ae863edcf30b29dabde767edd920aed46dd96340076f01ec94e9c331753d5349637e90873c9c11d0eb09c1a1c8bdde888f8f596dbd28e87e943e67925bc1d7

Download Submit
C:\Windows\SysWOW64\Fhflnpoi.exe

Filesize
439KB

MD5
b8c7d44361f2eab3b6441e5042fa45b0

SHA1
c1bbbfd29b547ed83d6102e97b40c3b96f7e3019

SHA256
f47614f23ea6eae07996b90775e6e315939655ac5d8eddaff9e7492da2df237e

SHA512
26ae863edcf30b29dabde767edd920aed46dd96340076f01ec94e9c331753d5349637e90873c9c11d0eb09c1a1c8bdde888f8f596dbd28e87e943e67925bc1d7

Download Submit
C:\Windows\SysWOW64\Fhmigagd.exe

Filesize
439KB

MD5
8894523d8f64b1c9674cea782489c264

SHA1
2860896ed062d16bf53b329d5d47600a0eda63ac

SHA256
a91d7a53c2dbf71f47e25dd7d11d25d5177bb4921c54d1221786790728be1394

SHA512
c9dd4447a155058a11425143f1cc12ce125dddb2dd3410c3aa63ae94bf3d887134cc09678b03745a492a1a2c4abdad71a052b0154315e1f5e544d6d251a903df

Download Submit
C:\Windows\SysWOW64\Fhmigagd.exe

Filesize
439KB

MD5
8894523d8f64b1c9674cea782489c264

SHA1
2860896ed062d16bf53b329d5d47600a0eda63ac

SHA256
a91d7a53c2dbf71f47e25dd7d11d25d5177bb4921c54d1221786790728be1394

SHA512
c9dd4447a155058a11425143f1cc12ce125dddb2dd3410c3aa63ae94bf3d887134cc09678b03745a492a1a2c4abdad71a052b0154315e1f5e544d6d251a903df

Download Submit
C:\Windows\SysWOW64\Fhofmq32.exe

Filesize
439KB

MD5
21a6ffd5df5caa5430d3379dd446973d

SHA1
1b1892dd3aa0b06d4aa770a93fe294e89497854c

SHA256
d142e7247b7162469e92c4869b9f6d9841f2ae93e29561f380a9ed8ea076cc6f

SHA512
ef35d06bc6d2496e0d24b5ad01256741e06f2ce1a9af497afc6a059ae39ebc24172459ec344f89133a0164084965b83b067a432c646d00ca6b59f632b0837316

Download Submit
C:\Windows\SysWOW64\Fhofmq32.exe

Filesize
439KB

MD5
21a6ffd5df5caa5430d3379dd446973d

SHA1
1b1892dd3aa0b06d4aa770a93fe294e89497854c

SHA256
d142e7247b7162469e92c4869b9f6d9841f2ae93e29561f380a9ed8ea076cc6f

SHA512
ef35d06bc6d2496e0d24b5ad01256741e06f2ce1a9af497afc6a059ae39ebc24172459ec344f89133a0164084965b83b067a432c646d00ca6b59f632b0837316

Download Submit
C:\Windows\SysWOW64\Gdafnpqh.exe

Filesize
439KB

MD5
e865f264e4075988a315f8b4a420dee6

SHA1
806bc4ceb2b8a92e998006ce1e3a2c0cbe444ebb

SHA256
eabf4eac1cde954e6bdf3b7a6b1c00c0940f1658c5e2deae9ef12ef0b57b0714

SHA512
b96b5fa9318e9200fb1f82314bfa2940918fa92b871077875ffcf20a70975d1dc49b8f96f0578e5aa08a18815d6ac7de051f67b18dcc0a27387106ddf5e6712c

Download Submit
C:\Windows\SysWOW64\Gdafnpqh.exe

Filesize
439KB

MD5
e865f264e4075988a315f8b4a420dee6

SHA1
806bc4ceb2b8a92e998006ce1e3a2c0cbe444ebb

SHA256
eabf4eac1cde954e6bdf3b7a6b1c00c0940f1658c5e2deae9ef12ef0b57b0714

SHA512
b96b5fa9318e9200fb1f82314bfa2940918fa92b871077875ffcf20a70975d1dc49b8f96f0578e5aa08a18815d6ac7de051f67b18dcc0a27387106ddf5e6712c

Download Submit
C:\Windows\SysWOW64\Gilapgqb.exe

Filesize
439KB

MD5
d7f647631cb8c0da73baec73ca199068

SHA1
ff2755d7d5e05b71b722e5a6733a61223504d003

SHA256
38d9a396d72bb7be50b491678e61c81a3840df8a47b882454a007690085bd0b7

SHA512
79dffed0daf0d441f8e8f61d78668211ff616d671401f16be8ab23583a970d5fa380af0da0ee6e9cc153a5b9b6b09a8df98e22d60c947af5ceafbf2336f0dcc3

Download Submit
C:\Windows\SysWOW64\Gilapgqb.exe

Filesize
439KB

MD5
d7f647631cb8c0da73baec73ca199068

SHA1
ff2755d7d5e05b71b722e5a6733a61223504d003

SHA256
38d9a396d72bb7be50b491678e61c81a3840df8a47b882454a007690085bd0b7

SHA512
79dffed0daf0d441f8e8f61d78668211ff616d671401f16be8ab23583a970d5fa380af0da0ee6e9cc153a5b9b6b09a8df98e22d60c947af5ceafbf2336f0dcc3

Download Submit
C:\Windows\SysWOW64\Gnjjfegi.exe

Filesize
439KB

MD5
e4f53f7eaea9b45cbe3c7d690bfc9171

SHA1
d2f95155e834e28633e0ff0c9a13e14bfc3e82ca

SHA256
5f65930fd1b98aa8ee553e4f579cb3a31d95b6079773a6e722673f0e58205e16

SHA512
11a5358d2351e5b0031023e106ccdfbbec1f880e1168a4fde98ff278cdf35d34808b42356e92149fb94f61b58c9aeee496e3328c8042dc835d99f30f83910d3d

Download Submit
C:\Windows\SysWOW64\Gnjjfegi.exe

Filesize
439KB

MD5
e4f53f7eaea9b45cbe3c7d690bfc9171

SHA1
d2f95155e834e28633e0ff0c9a13e14bfc3e82ca

SHA256
5f65930fd1b98aa8ee553e4f579cb3a31d95b6079773a6e722673f0e58205e16

SHA512
11a5358d2351e5b0031023e106ccdfbbec1f880e1168a4fde98ff278cdf35d34808b42356e92149fb94f61b58c9aeee496e3328c8042dc835d99f30f83910d3d

Download Submit
C:\Windows\SysWOW64\Gpcmga32.exe

Filesize
439KB

MD5
b551680b06bc2189f682d01cdcff9559

SHA1
ed7ad44efb54e783bad8c9e41847f907c247cf54

SHA256
da4e431b8a5e8b46b7b103b2f16b77b2ed2066d7c415682954ed59395258e4eb

SHA512
73b09bac5edc0a5ca04f5fee0a38821252bd1be33c0192473194ef0729321464b9f82a07ab65e61159ac729fcb6c87801ef5258e6d0b7c4d4fb9a852fb49ff58

Download Submit
C:\Windows\SysWOW64\Gpcmga32.exe

Filesize
439KB

MD5
b551680b06bc2189f682d01cdcff9559

SHA1
ed7ad44efb54e783bad8c9e41847f907c247cf54

SHA256
da4e431b8a5e8b46b7b103b2f16b77b2ed2066d7c415682954ed59395258e4eb

SHA512
73b09bac5edc0a5ca04f5fee0a38821252bd1be33c0192473194ef0729321464b9f82a07ab65e61159ac729fcb6c87801ef5258e6d0b7c4d4fb9a852fb49ff58

Download Submit
C:\Windows\SysWOW64\Oghppm32.exe

Filesize
439KB

MD5
a51d6c19bab91172d9f5572a632f3185

SHA1
a4d6f88d9a283c4f9c787045ff40dfabc75a6e20

SHA256
ae3a6fc8780bdadd693f7131c6cdc2c4b8e825924bdc6b0657ebe6ba768c9fc8

SHA512
f583c2b0721387cafbc9cc0e236d400d4e3e9175afa3c3ab68278d70984a84a2e1a0aaa7f5f7c91aa30aa15e02802125fbcbc51dc8acb4f0380d141f719d0d69

Download Submit
C:\Windows\SysWOW64\Oghppm32.exe

Filesize
439KB

MD5
a51d6c19bab91172d9f5572a632f3185

SHA1
a4d6f88d9a283c4f9c787045ff40dfabc75a6e20

SHA256
ae3a6fc8780bdadd693f7131c6cdc2c4b8e825924bdc6b0657ebe6ba768c9fc8

SHA512
f583c2b0721387cafbc9cc0e236d400d4e3e9175afa3c3ab68278d70984a84a2e1a0aaa7f5f7c91aa30aa15e02802125fbcbc51dc8acb4f0380d141f719d0d69

Download Submit
memory/368-170-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/484-186-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/864-8-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/980-225-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1004-377-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1200-161-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1336-335-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1632-317-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1652-425-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1696-383-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1752-329-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1756-24-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1920-389-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1932-177-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1960-100-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2056-57-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2100-142-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2172-126-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2216-353-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2452-323-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2640-293-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2672-125-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2692-33-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2764-287-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2928-281-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2936-407-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3144-269-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3240-299-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3264-347-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3292-209-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3296-94-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3336-305-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3440-359-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3460-41-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3472-311-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3540-413-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3680-49-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3724-263-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3840-241-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3856-365-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3956-395-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4012-437-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4052-275-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4120-257-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4172-201-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4180-193-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4248-97-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4284-154-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4384-419-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4452-130-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4456-249-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4464-84-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4556-17-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4796-65-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4856-371-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4900-110-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5012-431-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5020-401-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5036-218-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5064-146-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5068-0-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5068-73-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5068-5-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5100-341-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads