07d1bc862a4132f277f533091903ef7b08210e3fb56b84b46e469518fe757c8a

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2023 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.af5a9c7f1e3e2da207da7999e46bc490.exe
Size

55KB
MD5

af5a9c7f1e3e2da207da7999e46bc490
SHA1

eb8ec620762cf2d50533d038c14cbfd760973e27
SHA256

07d1bc862a4132f277f533091903ef7b08210e3fb56b84b46e469518fe757c8a
SHA512

1c9a1103c02bc8dccf57378d0a91d16fb9f7219c76cb35f175435b6de88577fb0bb96dce4b0f10e5c21417cbebfe6594d6e9d4adf9774305420ff7d149ea6e4e
SSDEEP

1536:b7L0NTViSsOsTY/lGW9iG0NSoNSd0A3shxD6:bP0NpiS4Yn9iG0NXNW0A8hh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pknqoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bojomm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfjfecno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.af5a9c7f1e3e2da207da7999e46bc490.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Felbnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npbceggm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blqllqqa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Addaif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Popbpqjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dheibpje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpdcag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlqqcnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmafajfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpcdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpcdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boldhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhenj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dheibpje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dooaoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eejeiocj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joahqn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmaamn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.af5a9c7f1e3e2da207da7999e46bc490.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pknqoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdlqqcnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oodcdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhkdof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iedjmioj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgmjmjnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfjfecno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akdilipp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnfge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flkdfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dijbno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpimlfke.exe

Executes dropped EXE 64 IoCs

pid	Process
216	Ikpjbq32.exe
1768	Odhifjkg.exe
3112	Oalipoiq.exe
3148	Onpjichj.exe
3872	Oobfob32.exe
4944	Oodcdb32.exe
5068	Okkdic32.exe
4852	Pknqoc32.exe
2672	Popbpqjh.exe
1184	Qhkdof32.exe
4560	Qhmqdemc.exe
3760	Addaif32.exe
3132	Adfnofpd.exe
3000	Adikdfna.exe
1864	Anaomkdb.exe
4604	Ahgcjddh.exe
4640	Adndoe32.exe
4092	Bnhenj32.exe
2900	Bhnikc32.exe
2388	Bojomm32.exe
2272	Bkaobnio.exe
4712	Blqllqqa.exe
4064	Cdlqqcnl.exe
4216	Cnfaohbj.exe
3288	Cdpjlb32.exe
840	Cbdjeg32.exe
3772	Cbfgkffn.exe
3044	Dfdpad32.exe
4600	Dheibpje.exe
5016	Dooaoj32.exe
936	Dkfadkgf.exe
2120	Dijbno32.exe
4728	Deqcbpld.exe
2180	Ebdcld32.exe
1660	Ekodjiol.exe
3892	Eejeiocj.exe
2252	Felbnn32.exe
3924	Fflohaij.exe
2404	Fpdcag32.exe
3328	Flkdfh32.exe
4588	Fpimlfke.exe
2204	Fiaael32.exe
1100	Gfeaopqo.exe
4520	Gpnfge32.exe
4892	Gmafajfi.exe
4320	Gihgfk32.exe
1600	Hlbcnd32.exe
3312	Hekgfj32.exe
1012	Hbohpn32.exe
4348	Hpchib32.exe
492	Ibcaknbi.exe
1308	Iedjmioj.exe
1036	Igfclkdj.exe
3596	Joahqn32.exe
3468	Jgmjmjnb.exe
2680	Jniood32.exe
1420	Jgbchj32.exe
2752	Kodnmkap.exe
2240	Klhnfo32.exe
3876	Lcdciiec.exe
4144	Llmhaold.exe
4764	Ljqhkckn.exe
3352	Lgdidgjg.exe
2228	Lmaamn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bkgeainn.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Ahgcjddh.exe	Anaomkdb.exe
File created	C:\Windows\SysWOW64\Cnfaohbj.exe	Cdlqqcnl.exe
File created	C:\Windows\SysWOW64\Deqcbpld.exe	Dijbno32.exe
File opened for modification	C:\Windows\SysWOW64\Mfeeabda.exe	Mmmqhl32.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Pjpfjl32.exe
File opened for modification	C:\Windows\SysWOW64\Cdlqqcnl.exe	Blqllqqa.exe
File opened for modification	C:\Windows\SysWOW64\Iedjmioj.exe	Ibcaknbi.exe
File created	C:\Windows\SysWOW64\Epopbo32.dll	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Cpfcfmlp.exe	Chkobkod.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Nchcpi32.dll	Cbdjeg32.exe
File created	C:\Windows\SysWOW64\Bgmioggn.dll	Felbnn32.exe
File created	C:\Windows\SysWOW64\Lblldc32.dll	Ibcaknbi.exe
File opened for modification	C:\Windows\SysWOW64\Ahofoogd.exe	Aogbfi32.exe
File created	C:\Windows\SysWOW64\Cncnob32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Jhkbjd32.dll	Deqcbpld.exe
File created	C:\Windows\SysWOW64\Kaofbcjo.dll	Ebdcld32.exe
File opened for modification	C:\Windows\SysWOW64\Hekgfj32.exe	Hlbcnd32.exe
File created	C:\Windows\SysWOW64\Qjalckog.dll	Qhkdof32.exe
File opened for modification	C:\Windows\SysWOW64\Bhnikc32.exe	Bnhenj32.exe
File opened for modification	C:\Windows\SysWOW64\Cbfgkffn.exe	Cbdjeg32.exe
File created	C:\Windows\SysWOW64\Kdebopdl.dll	Adfgdpmi.exe
File opened for modification	C:\Windows\SysWOW64\Bhmbqm32.exe	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Qhmqdemc.exe	Qhkdof32.exe
File created	C:\Windows\SysWOW64\Fgeaiknl.dll	Jgbchj32.exe
File created	C:\Windows\SysWOW64\Mmmqhl32.exe	Mjlhgaqp.exe
File opened for modification	C:\Windows\SysWOW64\Oghghb32.exe	Ombcji32.exe
File opened for modification	C:\Windows\SysWOW64\Qpcecb32.exe	Qmeigg32.exe
File created	C:\Windows\SysWOW64\Npldbgic.dll	Mcpcdg32.exe
File created	C:\Windows\SysWOW64\Odhifjkg.exe	Ikpjbq32.exe
File created	C:\Windows\SysWOW64\Elkllcbh.dll	Dijbno32.exe
File opened for modification	C:\Windows\SysWOW64\Fpimlfke.exe	Flkdfh32.exe
File opened for modification	C:\Windows\SysWOW64\Gpnfge32.exe	Gfeaopqo.exe
File opened for modification	C:\Windows\SysWOW64\Lgdidgjg.exe	Ljqhkckn.exe
File created	C:\Windows\SysWOW64\Oodcdb32.exe	Oobfob32.exe
File created	C:\Windows\SysWOW64\Poigcbng.dll	Dfdpad32.exe
File opened for modification	C:\Windows\SysWOW64\Onkidm32.exe	Nfaemp32.exe
File opened for modification	C:\Windows\SysWOW64\Qmeigg32.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Adhdjpjf.exe	Amnlme32.exe
File opened for modification	C:\Windows\SysWOW64\Adndoe32.exe	Ahgcjddh.exe
File opened for modification	C:\Windows\SysWOW64\Cbdjeg32.exe	Cdpjlb32.exe
File created	C:\Windows\SysWOW64\Iocedcbl.dll	Akdilipp.exe
File opened for modification	C:\Windows\SysWOW64\Cponen32.exe	Chdialdl.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dojqjdbl.exe
File opened for modification	C:\Windows\SysWOW64\Gfeaopqo.exe	Fiaael32.exe
File created	C:\Windows\SysWOW64\Gfkcaoef.dll	Nnafno32.exe
File opened for modification	C:\Windows\SysWOW64\Omgmeigd.exe	Onapdl32.exe
File created	C:\Windows\SysWOW64\Omfmcjlk.dll	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Gjecbd32.dll	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Nmbjcljl.exe	Mfhbga32.exe
File opened for modification	C:\Windows\SysWOW64\Ppahmb32.exe	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Qmeigg32.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Idllbp32.dll	Qhmqdemc.exe
File created	C:\Windows\SysWOW64\Adfnofpd.exe	Addaif32.exe
File created	C:\Windows\SysWOW64\Hkpnbd32.dll	Addaif32.exe
File created	C:\Windows\SysWOW64\Hbohpn32.exe	Hekgfj32.exe
File created	C:\Windows\SysWOW64\Ghkogl32.dll	Mmmqhl32.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Popbpqjh.exe	Pknqoc32.exe
File opened for modification	C:\Windows\SysWOW64\Fpdcag32.exe	Fflohaij.exe
File created	C:\Windows\SysWOW64\Jbhfhgch.dll	Kodnmkap.exe
File created	C:\Windows\SysWOW64\Hilpobpd.dll	Mfeeabda.exe
File opened for modification	C:\Windows\SysWOW64\Njhgbp32.exe	Npbceggm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6064	5944	WerFault.exe	212

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhkdof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Joahqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njjdho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pffgom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hponje32.dll"	Oodcdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Felbnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll"	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhmqdemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkfadkgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpcdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadhip32.dll"	Cdlqqcnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dijbno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llmhaold.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmkebjc.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbijb32.dll"	Ikpjbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnqimah.dll"	Odhifjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbfgkffn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.af5a9c7f1e3e2da207da7999e46bc490.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oingap32.dll"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anaomkdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adndoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dijbno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	Akdilipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahgcjddh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbhmo32.dll"	Adndoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epopbo32.dll"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiaael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlbcnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okkdic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginacp32.dll"	Adikdfna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchcpi32.dll"	Cbdjeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eejeiocj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eejeiocj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgemej32.dll"	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmenh32.dll"	Dkfadkgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npgmpf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 216	2740	NEAS.af5a9c7f1e3e2da207da7999e46bc490.exe	87
PID 2740 wrote to memory of 216	2740	NEAS.af5a9c7f1e3e2da207da7999e46bc490.exe	87
PID 2740 wrote to memory of 216	2740	NEAS.af5a9c7f1e3e2da207da7999e46bc490.exe	87
PID 216 wrote to memory of 1768	216	Ikpjbq32.exe	88
PID 216 wrote to memory of 1768	216	Ikpjbq32.exe	88
PID 216 wrote to memory of 1768	216	Ikpjbq32.exe	88
PID 1768 wrote to memory of 3112	1768	Odhifjkg.exe	89
PID 1768 wrote to memory of 3112	1768	Odhifjkg.exe	89
PID 1768 wrote to memory of 3112	1768	Odhifjkg.exe	89
PID 3112 wrote to memory of 3148	3112	Oalipoiq.exe	91
PID 3112 wrote to memory of 3148	3112	Oalipoiq.exe	91
PID 3112 wrote to memory of 3148	3112	Oalipoiq.exe	91
PID 3148 wrote to memory of 3872	3148	Onpjichj.exe	92
PID 3148 wrote to memory of 3872	3148	Onpjichj.exe	92
PID 3148 wrote to memory of 3872	3148	Onpjichj.exe	92
PID 3872 wrote to memory of 4944	3872	Oobfob32.exe	93
PID 3872 wrote to memory of 4944	3872	Oobfob32.exe	93
PID 3872 wrote to memory of 4944	3872	Oobfob32.exe	93
PID 4944 wrote to memory of 5068	4944	Oodcdb32.exe	94
PID 4944 wrote to memory of 5068	4944	Oodcdb32.exe	94
PID 4944 wrote to memory of 5068	4944	Oodcdb32.exe	94
PID 5068 wrote to memory of 4852	5068	Okkdic32.exe	95
PID 5068 wrote to memory of 4852	5068	Okkdic32.exe	95
PID 5068 wrote to memory of 4852	5068	Okkdic32.exe	95
PID 4852 wrote to memory of 2672	4852	Pknqoc32.exe	96
PID 4852 wrote to memory of 2672	4852	Pknqoc32.exe	96
PID 4852 wrote to memory of 2672	4852	Pknqoc32.exe	96
PID 2672 wrote to memory of 1184	2672	Popbpqjh.exe	97
PID 2672 wrote to memory of 1184	2672	Popbpqjh.exe	97
PID 2672 wrote to memory of 1184	2672	Popbpqjh.exe	97
PID 1184 wrote to memory of 4560	1184	Qhkdof32.exe	99
PID 1184 wrote to memory of 4560	1184	Qhkdof32.exe	99
PID 1184 wrote to memory of 4560	1184	Qhkdof32.exe	99
PID 4560 wrote to memory of 3760	4560	Qhmqdemc.exe	101
PID 4560 wrote to memory of 3760	4560	Qhmqdemc.exe	101
PID 4560 wrote to memory of 3760	4560	Qhmqdemc.exe	101
PID 3760 wrote to memory of 3132	3760	Addaif32.exe	102
PID 3760 wrote to memory of 3132	3760	Addaif32.exe	102
PID 3760 wrote to memory of 3132	3760	Addaif32.exe	102
PID 3132 wrote to memory of 3000	3132	Adfnofpd.exe	103
PID 3132 wrote to memory of 3000	3132	Adfnofpd.exe	103
PID 3132 wrote to memory of 3000	3132	Adfnofpd.exe	103
PID 3000 wrote to memory of 1864	3000	Adikdfna.exe	104
PID 3000 wrote to memory of 1864	3000	Adikdfna.exe	104
PID 3000 wrote to memory of 1864	3000	Adikdfna.exe	104
PID 1864 wrote to memory of 4604	1864	Anaomkdb.exe	105
PID 1864 wrote to memory of 4604	1864	Anaomkdb.exe	105
PID 1864 wrote to memory of 4604	1864	Anaomkdb.exe	105
PID 4604 wrote to memory of 4640	4604	Ahgcjddh.exe	106
PID 4604 wrote to memory of 4640	4604	Ahgcjddh.exe	106
PID 4604 wrote to memory of 4640	4604	Ahgcjddh.exe	106
PID 4640 wrote to memory of 4092	4640	Adndoe32.exe	107
PID 4640 wrote to memory of 4092	4640	Adndoe32.exe	107
PID 4640 wrote to memory of 4092	4640	Adndoe32.exe	107
PID 4092 wrote to memory of 2900	4092	Bnhenj32.exe	108
PID 4092 wrote to memory of 2900	4092	Bnhenj32.exe	108
PID 4092 wrote to memory of 2900	4092	Bnhenj32.exe	108
PID 2900 wrote to memory of 2388	2900	Bhnikc32.exe	109
PID 2900 wrote to memory of 2388	2900	Bhnikc32.exe	109
PID 2900 wrote to memory of 2388	2900	Bhnikc32.exe	109
PID 2388 wrote to memory of 2272	2388	Bojomm32.exe	111
PID 2388 wrote to memory of 2272	2388	Bojomm32.exe	111
PID 2388 wrote to memory of 2272	2388	Bojomm32.exe	111
PID 2272 wrote to memory of 4712	2272	Bkaobnio.exe	112

C:\Users\Admin\AppData\Local\Temp\NEAS.af5a9c7f1e3e2da207da7999e46bc490.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.af5a9c7f1e3e2da207da7999e46bc490.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\Ikpjbq32.exe
  C:\Windows\system32\Ikpjbq32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\Odhifjkg.exe
    C:\Windows\system32\Odhifjkg.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SysWOW64\Oalipoiq.exe
      C:\Windows\system32\Oalipoiq.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Windows\SysWOW64\Onpjichj.exe
        
        C:\Windows\system32\Onpjichj.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3148
      - C:\Windows\SysWOW64\Oobfob32.exe
        
        C:\Windows\system32\Oobfob32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Oodcdb32.exe
        
        C:\Windows\system32\Oodcdb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Okkdic32.exe
        
        C:\Windows\system32\Okkdic32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Pknqoc32.exe
        
        C:\Windows\system32\Pknqoc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Popbpqjh.exe
        
        C:\Windows\system32\Popbpqjh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Qhkdof32.exe
        
        C:\Windows\system32\Qhkdof32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Qhmqdemc.exe
        
        C:\Windows\system32\Qhmqdemc.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Addaif32.exe
        
        C:\Windows\system32\Addaif32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Adfnofpd.exe
        
        C:\Windows\system32\Adfnofpd.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Adikdfna.exe
        
        C:\Windows\system32\Adikdfna.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Ahgcjddh.exe
        
        C:\Windows\system32\Ahgcjddh.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Adndoe32.exe
        
        C:\Windows\system32\Adndoe32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Bkaobnio.exe
        
        C:\Windows\system32\Bkaobnio.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Cnfaohbj.exe
        
        C:\Windows\system32\Cnfaohbj.exe
        25⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        36⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3924
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        47⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        50⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        51⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:492
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        54⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        57⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        60⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4300
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        67⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        68⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        74⤵
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        77⤵
        
        PID:676
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        78⤵
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        80⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        84⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        88⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        90⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        91⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        93⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        98⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        106⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        110⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        113⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        114⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        116⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        118⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        119⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        122⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        123⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 400
        124⤵
        Program crash
        
        PID:6064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5944 -ip 5944
1⤵
PID:6008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Addaif32.exe

Filesize
55KB

MD5
51f5618eb4ce5ae58f966648131524ab

SHA1
713dc9bda42924f4ef0884d670524821469ee48b

SHA256
d0a83bdb6a85e1173f09f592db7d452c682f53c34bba41a08d4dfce2f2f661b2

SHA512
0a45e187c5f4ef7027a6eeecca1299a5c6022f09c2ea4a55247aa8b3c7278c41f25d522e9918d4542bc1640f1e7c513a48ba71e4e4b851b97182037fe9ecd49a

Download Submit
C:\Windows\SysWOW64\Addaif32.exe

Filesize
55KB

MD5
51f5618eb4ce5ae58f966648131524ab

SHA1
713dc9bda42924f4ef0884d670524821469ee48b

SHA256
d0a83bdb6a85e1173f09f592db7d452c682f53c34bba41a08d4dfce2f2f661b2

SHA512
0a45e187c5f4ef7027a6eeecca1299a5c6022f09c2ea4a55247aa8b3c7278c41f25d522e9918d4542bc1640f1e7c513a48ba71e4e4b851b97182037fe9ecd49a

Download Submit
C:\Windows\SysWOW64\Adfnofpd.exe

Filesize
55KB

MD5
b6c4cb2e610c94f791a499e5127d9074

SHA1
42b2f19070c70f006401191c295b0b2695cd5915

SHA256
112f21eb617bf005e9461e7fe18e16aa06905be77627402e32af0389f6f0c8a3

SHA512
f8779466bf76c5e0c6bcbf436f9de5a8aab3b7302434ad8890f0d4acd8e6c68b85006a0b92d35c3db5c004b96250ffc6868f5217a503896e134f3c339f4b83ef

Download Submit
C:\Windows\SysWOW64\Adfnofpd.exe

Filesize
55KB

MD5
b6c4cb2e610c94f791a499e5127d9074

SHA1
42b2f19070c70f006401191c295b0b2695cd5915

SHA256
112f21eb617bf005e9461e7fe18e16aa06905be77627402e32af0389f6f0c8a3

SHA512
f8779466bf76c5e0c6bcbf436f9de5a8aab3b7302434ad8890f0d4acd8e6c68b85006a0b92d35c3db5c004b96250ffc6868f5217a503896e134f3c339f4b83ef

Download Submit
C:\Windows\SysWOW64\Adikdfna.exe

Filesize
55KB

MD5
24a2adcb66cb1220135e2f525ea1e422

SHA1
a7ea616090f2168cded54b082c0bc4795657e416

SHA256
4ca83c9c9f743db7f4cc9841465d1423416fee9e11df828e8c35e47a7dc5bdaf

SHA512
320a456b598188bd4cdaaeb64f701214d9150f6f8f596cfc264151521e23300f0a284af16434478327302c48e1a813d342873ede49cb825d7611041cae44c384

Download Submit
C:\Windows\SysWOW64\Adikdfna.exe

Filesize
55KB

MD5
24a2adcb66cb1220135e2f525ea1e422

SHA1
a7ea616090f2168cded54b082c0bc4795657e416

SHA256
4ca83c9c9f743db7f4cc9841465d1423416fee9e11df828e8c35e47a7dc5bdaf

SHA512
320a456b598188bd4cdaaeb64f701214d9150f6f8f596cfc264151521e23300f0a284af16434478327302c48e1a813d342873ede49cb825d7611041cae44c384

Download Submit
C:\Windows\SysWOW64\Adndoe32.exe

Filesize
55KB

MD5
4ba880e37813d878cf8ac4bd1b636f48

SHA1
74e48b05a95c27b6045a814fb77612f4a19baed3

SHA256
10f24f58fe487d7437b35ce65aab8f28a6e0049a7ab93868388f3a69fd840acb

SHA512
a9a25d74856997e4989fda654ed756200b44131e224183445c4e841d3cccd1ee21c79eeb39a5864c55f4355ce6df49ad67610fd832058fd0e0812477e403fd73

Download Submit
C:\Windows\SysWOW64\Adndoe32.exe

Filesize
55KB

MD5
4ba880e37813d878cf8ac4bd1b636f48

SHA1
74e48b05a95c27b6045a814fb77612f4a19baed3

SHA256
10f24f58fe487d7437b35ce65aab8f28a6e0049a7ab93868388f3a69fd840acb

SHA512
a9a25d74856997e4989fda654ed756200b44131e224183445c4e841d3cccd1ee21c79eeb39a5864c55f4355ce6df49ad67610fd832058fd0e0812477e403fd73

Download Submit
C:\Windows\SysWOW64\Ahgcjddh.exe

Filesize
55KB

MD5
6dd3076f343cdcf88b55a17f7198f0ac

SHA1
5ffcb317347455b0f98751f05eb280ae2bd9c359

SHA256
ae129644ecbd5706aea5d90bef521c04b7a865e16ab2bb69b194540de53d7444

SHA512
dfda0ab35ee6fa2d10abd0f761bf3bc804f5ec7e061db6bdde85c7c59a72250eb725a2ba215f2c773c69e56f464617246573f7468fd5d6e10405d0e791104063

Download Submit
C:\Windows\SysWOW64\Ahgcjddh.exe

Filesize
55KB

MD5
6dd3076f343cdcf88b55a17f7198f0ac

SHA1
5ffcb317347455b0f98751f05eb280ae2bd9c359

SHA256
ae129644ecbd5706aea5d90bef521c04b7a865e16ab2bb69b194540de53d7444

SHA512
dfda0ab35ee6fa2d10abd0f761bf3bc804f5ec7e061db6bdde85c7c59a72250eb725a2ba215f2c773c69e56f464617246573f7468fd5d6e10405d0e791104063

Download Submit
C:\Windows\SysWOW64\Anaomkdb.exe

Filesize
55KB

MD5
2fc44415879c64be49de26636b43ed4d

SHA1
ef6f655d07b2311b76841c180e9f0fd01a86efd3

SHA256
1db128fa0e5b7c030a9c8c1be804a51d0cbcc31eeef0cbc780a0ba2d203f162b

SHA512
b5967dec9226a5810eb9d6b3343dce26869aa5268fabd5372959f023d90d57c65d75ee5fab2248fc7551125b9ccdcb594952474ecbca364334a6e50a84c11587

Download Submit
C:\Windows\SysWOW64\Anaomkdb.exe

Filesize
55KB

MD5
2fc44415879c64be49de26636b43ed4d

SHA1
ef6f655d07b2311b76841c180e9f0fd01a86efd3

SHA256
1db128fa0e5b7c030a9c8c1be804a51d0cbcc31eeef0cbc780a0ba2d203f162b

SHA512
b5967dec9226a5810eb9d6b3343dce26869aa5268fabd5372959f023d90d57c65d75ee5fab2248fc7551125b9ccdcb594952474ecbca364334a6e50a84c11587

Download Submit
C:\Windows\SysWOW64\Bhnikc32.exe

Filesize
55KB

MD5
d84c32056c117198d95622e20e7978c8

SHA1
77093c7930a905d439d85dc4ef49673582ef77e4

SHA256
6c46f2487080e881c39ab7d4903c5afb0da94ca1053c0c8206676e152969bdb3

SHA512
27ce962fbcd54e26e32ad8a850758c772385e012d6b50a9201ef8928778f585966a24fa84362ec3d0958a31a9e65e22b67f65816cf31ffae4c10eaa66fe63764

Download Submit
C:\Windows\SysWOW64\Bhnikc32.exe

Filesize
55KB

MD5
d84c32056c117198d95622e20e7978c8

SHA1
77093c7930a905d439d85dc4ef49673582ef77e4

SHA256
6c46f2487080e881c39ab7d4903c5afb0da94ca1053c0c8206676e152969bdb3

SHA512
27ce962fbcd54e26e32ad8a850758c772385e012d6b50a9201ef8928778f585966a24fa84362ec3d0958a31a9e65e22b67f65816cf31ffae4c10eaa66fe63764

Download Submit
C:\Windows\SysWOW64\Bkaobnio.exe

Filesize
55KB

MD5
e808a9977d30ebe676352b369772108b

SHA1
ee27cfe5403e97c2dbf5728711b16f778bdfbcd6

SHA256
7489f61bd662281cfa0d3a6a93fc9ad347a06396b8a40c4e513ca975f6717c86

SHA512
45a4b4e507380c114856b8813f29456197908901dd6f909a6a4f6f9736e483c411e8ef5c85fcbe477028fadfd101a34b41f9995e3b86438dc423253bba297932

Download Submit
C:\Windows\SysWOW64\Bkaobnio.exe

Filesize
55KB

MD5
e808a9977d30ebe676352b369772108b

SHA1
ee27cfe5403e97c2dbf5728711b16f778bdfbcd6

SHA256
7489f61bd662281cfa0d3a6a93fc9ad347a06396b8a40c4e513ca975f6717c86

SHA512
45a4b4e507380c114856b8813f29456197908901dd6f909a6a4f6f9736e483c411e8ef5c85fcbe477028fadfd101a34b41f9995e3b86438dc423253bba297932

Download Submit
C:\Windows\SysWOW64\Blqllqqa.exe

Filesize
55KB

MD5
702077aedf5312e19fd7b6ca05d332e7

SHA1
df8a405be66b7542701f75bef33e283b8b5a6ad1

SHA256
afdd3d3244a1223be62bb6629bf8b04d35c528abeef33d0a4c7b345048fe2693

SHA512
511fb24b1f297cfb114d4332d0249310c76a9bae428cfc2979623049c205956a1b86a86f8c5daf825c84484f23598b09c30a8fea42d1d28b6c9cf9399e90d4a6

Download Submit
C:\Windows\SysWOW64\Blqllqqa.exe

Filesize
55KB

MD5
702077aedf5312e19fd7b6ca05d332e7

SHA1
df8a405be66b7542701f75bef33e283b8b5a6ad1

SHA256
afdd3d3244a1223be62bb6629bf8b04d35c528abeef33d0a4c7b345048fe2693

SHA512
511fb24b1f297cfb114d4332d0249310c76a9bae428cfc2979623049c205956a1b86a86f8c5daf825c84484f23598b09c30a8fea42d1d28b6c9cf9399e90d4a6

Download Submit
C:\Windows\SysWOW64\Bnhenj32.exe

Filesize
55KB

MD5
2f2d44710b752f594fdda71770da3916

SHA1
385b0a3fe5af9d9ce5b71dcb0ca61562fdbf5144

SHA256
a5a04c8a54271bca84c8f11529ac992ef2cacb0756ea70db6296c5e9d4ee045f

SHA512
0f5f95d048438c1b27e01df47eb3eea491ece765cd9db71a12aa085fa5235700bb1310fe91318d5df82ca9c0a019d843a34aa0eec7679597ffd1d8f5e6f3b0a8

Download Submit
C:\Windows\SysWOW64\Bnhenj32.exe

Filesize
55KB

MD5
2f2d44710b752f594fdda71770da3916

SHA1
385b0a3fe5af9d9ce5b71dcb0ca61562fdbf5144

SHA256
a5a04c8a54271bca84c8f11529ac992ef2cacb0756ea70db6296c5e9d4ee045f

SHA512
0f5f95d048438c1b27e01df47eb3eea491ece765cd9db71a12aa085fa5235700bb1310fe91318d5df82ca9c0a019d843a34aa0eec7679597ffd1d8f5e6f3b0a8

Download Submit
C:\Windows\SysWOW64\Bojomm32.exe

Filesize
55KB

MD5
ab66ebb6cf7740b22b7f2dd392dc815b

SHA1
263079f1efd8dfc84b4beb56f787076356e1d004

SHA256
b0f5f66cb53d96fc4eae33c5f940c4bac2550206840f7775077df4b9151fc973

SHA512
03406835cbeb800273d0de167a90b1bef75270f812808fd7004c44518491149b4306021fd03f487b146984107b6c43f0601b186534a1016f23e908ae7c64de01

Download Submit
C:\Windows\SysWOW64\Bojomm32.exe

Filesize
55KB

MD5
ab66ebb6cf7740b22b7f2dd392dc815b

SHA1
263079f1efd8dfc84b4beb56f787076356e1d004

SHA256
b0f5f66cb53d96fc4eae33c5f940c4bac2550206840f7775077df4b9151fc973

SHA512
03406835cbeb800273d0de167a90b1bef75270f812808fd7004c44518491149b4306021fd03f487b146984107b6c43f0601b186534a1016f23e908ae7c64de01

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
55KB

MD5
fd0cbabe6a8244731330d43e746940f9

SHA1
095315a457671d30e283b61bedfa5aa04968f178

SHA256
7cc8f5b388ace101fc2d4dd7dcfc81210fb32b4fb5572ce76f10683515037153

SHA512
51db376cca247449618b66c895172db040c134a192d4cca2865d197b966bc3e99f6c2d1052181a61acbfe47be36f3e5c25dacdb9a1352d64949456275ad98c21

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
55KB

MD5
fd0cbabe6a8244731330d43e746940f9

SHA1
095315a457671d30e283b61bedfa5aa04968f178

SHA256
7cc8f5b388ace101fc2d4dd7dcfc81210fb32b4fb5572ce76f10683515037153

SHA512
51db376cca247449618b66c895172db040c134a192d4cca2865d197b966bc3e99f6c2d1052181a61acbfe47be36f3e5c25dacdb9a1352d64949456275ad98c21

Download Submit
C:\Windows\SysWOW64\Cbfgkffn.exe

Filesize
55KB

MD5
0b480a5270f8e597d1ab4b39a9015efc

SHA1
8c44c8480f3fa9ecdcc3040cdf8cf6d408503065

SHA256
3f7a342fa69a5138125d45dbd52978aa1b54a6406613a82f720cba81a63482e5

SHA512
7fd04073c589a1ae6386126c5fff95a78a8a3de2eae250164ef6130df567f1659de3c326aa26e3e996430f5afef697a540e6be168e7fac2fb08d08533afb1cf5

Download Submit
C:\Windows\SysWOW64\Cbfgkffn.exe

Filesize
55KB

MD5
0b480a5270f8e597d1ab4b39a9015efc

SHA1
8c44c8480f3fa9ecdcc3040cdf8cf6d408503065

SHA256
3f7a342fa69a5138125d45dbd52978aa1b54a6406613a82f720cba81a63482e5

SHA512
7fd04073c589a1ae6386126c5fff95a78a8a3de2eae250164ef6130df567f1659de3c326aa26e3e996430f5afef697a540e6be168e7fac2fb08d08533afb1cf5

Download Submit
C:\Windows\SysWOW64\Cdlqqcnl.exe

Filesize
55KB

MD5
dd5e986317a79f302e82abb4286732cf

SHA1
e9a4347d0c5a62d3862a959bceccdada5c9c1102

SHA256
3788296de50729bc9813bf54c0e0e20c3a56559d5577f77b2f9e170975824b73

SHA512
3e8a541fb927418fb0738696efcbcaf151e15d808a1879a574255341164b7c973172aa47e99223c0aed3fb41483ce22150c2b84a65c5530622a2a35b4bb6f379

Download Submit
C:\Windows\SysWOW64\Cdlqqcnl.exe

Filesize
55KB

MD5
dd5e986317a79f302e82abb4286732cf

SHA1
e9a4347d0c5a62d3862a959bceccdada5c9c1102

SHA256
3788296de50729bc9813bf54c0e0e20c3a56559d5577f77b2f9e170975824b73

SHA512
3e8a541fb927418fb0738696efcbcaf151e15d808a1879a574255341164b7c973172aa47e99223c0aed3fb41483ce22150c2b84a65c5530622a2a35b4bb6f379

Download Submit
C:\Windows\SysWOW64\Cdpjlb32.exe

Filesize
55KB

MD5
5b8c575489635fb5488e4238fd47cfd1

SHA1
ed5bc7afe195267d0a95605233b2e46c4f91b4f5

SHA256
6bc8307aff6f4c236383ea335110a0e7aa4a1a2c214286f27bace1f431d762ed

SHA512
b1f83d50fb35f05e4756c6208bc935ad814f1a90ecbe53d05eac28b73dd5aa106ec30ec40771114af037a119b36270bbbe884dddd992f22ac619562848a75d56

Download Submit
C:\Windows\SysWOW64\Cdpjlb32.exe

Filesize
55KB

MD5
5b8c575489635fb5488e4238fd47cfd1

SHA1
ed5bc7afe195267d0a95605233b2e46c4f91b4f5

SHA256
6bc8307aff6f4c236383ea335110a0e7aa4a1a2c214286f27bace1f431d762ed

SHA512
b1f83d50fb35f05e4756c6208bc935ad814f1a90ecbe53d05eac28b73dd5aa106ec30ec40771114af037a119b36270bbbe884dddd992f22ac619562848a75d56

Download Submit
C:\Windows\SysWOW64\Cnfaohbj.exe

Filesize
55KB

MD5
ece56ac858c19287c555a9611d7ad1b8

SHA1
4bc44aad2169093c36cd81ab8ab0d0d1c55eec5f

SHA256
7c3211a3d7bcee1fef9633dd7344d2aeede589f790786af67769204a477f9b44

SHA512
acade76fd967648ef4d06bc7add78a37c3c1dca407a541a2907996931b44d24088cd67af1efbc7f0a6aeedfe970c8095b6ac854a54fedeb5159420d9248513d3

Download Submit
C:\Windows\SysWOW64\Cnfaohbj.exe

Filesize
55KB

MD5
ece56ac858c19287c555a9611d7ad1b8

SHA1
4bc44aad2169093c36cd81ab8ab0d0d1c55eec5f

SHA256
7c3211a3d7bcee1fef9633dd7344d2aeede589f790786af67769204a477f9b44

SHA512
acade76fd967648ef4d06bc7add78a37c3c1dca407a541a2907996931b44d24088cd67af1efbc7f0a6aeedfe970c8095b6ac854a54fedeb5159420d9248513d3

Download Submit
C:\Windows\SysWOW64\Dfdpad32.exe

Filesize
55KB

MD5
dd2ace4b70e1ad9140cbecca856dd2a4

SHA1
bf4ebcab32c74c6148bd96b0f0525c089994db35

SHA256
8ddff0b8d6b408828b8b6f33f74f55ce7177b998a155bc5b95b0ea761813d3f2

SHA512
d49db837d03ad54363d3a32347a0e574ccbcd7d6d8b976cee8de23653f280bec2f581bde3499bc49eb7556bbab8a9942f4237afcf4c676a577fe9c59425c0793

Download Submit
C:\Windows\SysWOW64\Dfdpad32.exe

Filesize
55KB

MD5
dd2ace4b70e1ad9140cbecca856dd2a4

SHA1
bf4ebcab32c74c6148bd96b0f0525c089994db35

SHA256
8ddff0b8d6b408828b8b6f33f74f55ce7177b998a155bc5b95b0ea761813d3f2

SHA512
d49db837d03ad54363d3a32347a0e574ccbcd7d6d8b976cee8de23653f280bec2f581bde3499bc49eb7556bbab8a9942f4237afcf4c676a577fe9c59425c0793

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
55KB

MD5
3584b1dc8eb2cbfe5c9e4308510b0dbb

SHA1
51c6a73488d7f1c8115a5e39d2d7ba5ad6ea51e8

SHA256
4ceb0c2568044ead0cfc31d5f52b8319fc0db5afa57a75829812e99014443d8a

SHA512
2bce959f3a68079e92ac371d05266fa44bc933fa009562482e46d729bd3e31d9493675c2e6ece882dd1860572fe129fa67b588ace60249ce9503b827f5feccfb

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
55KB

MD5
3584b1dc8eb2cbfe5c9e4308510b0dbb

SHA1
51c6a73488d7f1c8115a5e39d2d7ba5ad6ea51e8

SHA256
4ceb0c2568044ead0cfc31d5f52b8319fc0db5afa57a75829812e99014443d8a

SHA512
2bce959f3a68079e92ac371d05266fa44bc933fa009562482e46d729bd3e31d9493675c2e6ece882dd1860572fe129fa67b588ace60249ce9503b827f5feccfb

Download Submit
C:\Windows\SysWOW64\Dijbno32.exe

Filesize
55KB

MD5
a4a094bd80f9e414808eb62c3a1eec97

SHA1
fc7f17656b6b5a693bdfe61394b2e3535f64558f

SHA256
68f0aad9475502f0c7b91526199aea5c88bf8f3160b6ea2b814440fda322e426

SHA512
da0124f940e814db45fa916e77a235b4be37811deef30b73067e23cc6867bf58cb6ecd861f0621b660757c4ecd6870c4fd4be48dbea4ceba5131de06e5598e13

Download Submit
C:\Windows\SysWOW64\Dijbno32.exe

Filesize
55KB

MD5
a4a094bd80f9e414808eb62c3a1eec97

SHA1
fc7f17656b6b5a693bdfe61394b2e3535f64558f

SHA256
68f0aad9475502f0c7b91526199aea5c88bf8f3160b6ea2b814440fda322e426

SHA512
da0124f940e814db45fa916e77a235b4be37811deef30b73067e23cc6867bf58cb6ecd861f0621b660757c4ecd6870c4fd4be48dbea4ceba5131de06e5598e13

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
55KB

MD5
eade19ec2b5eed0a9a736f90a5adf734

SHA1
2b34248fed052a5d20141d505965db887c936252

SHA256
c16d05ed292b38f6773be1f8e1f65e062a82b89b8f400d442f91dface5470205

SHA512
d7c3f64d981532998351fa3accd68b3485e9b03985f6d1c4bbc956e63c90acd270dd5aa2ef86ddc2ada3262169047e1320c3576fa667247c4298ca1e74eb62c3

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
55KB

MD5
eade19ec2b5eed0a9a736f90a5adf734

SHA1
2b34248fed052a5d20141d505965db887c936252

SHA256
c16d05ed292b38f6773be1f8e1f65e062a82b89b8f400d442f91dface5470205

SHA512
d7c3f64d981532998351fa3accd68b3485e9b03985f6d1c4bbc956e63c90acd270dd5aa2ef86ddc2ada3262169047e1320c3576fa667247c4298ca1e74eb62c3

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
55KB

MD5
d10f581b1a72a1e17cf842decdb9c1b6

SHA1
b531226f40bf1dda7051a9f7a8f6f1b8549dc0d4

SHA256
4b53d2048520342e86dc9f2003d2ae0a9f3a5c95e81c110b34f65987d4d0387a

SHA512
89494a862def07693d7557ebb09007fde353b22b4bb0508c56a639c4b01a2a962101532f3896df99e926aea250769ad8627dade19ccd3e32dd702bb1ef8dd594

Download Submit
C:\Windows\SysWOW64\Dooaoj32.exe

Filesize
55KB

MD5
54f38a329f545b1b2ab3bad1916864ce

SHA1
888a8b8564613259f0db2c8c289f20c9f60586a1

SHA256
8ba520f3ead5ebd2ee0674a88bddf3853471e7d61e1345ad06e72c49c116bb13

SHA512
2fa6b06f28f2d978111439f58350d3095256a7da93a9fbf49b6e143feec8abab7b10e034c0821ad5a2e59af22a85a27b8c8945d16f17adb23134577a908fc6bb

Download Submit
C:\Windows\SysWOW64\Dooaoj32.exe

Filesize
55KB

MD5
54f38a329f545b1b2ab3bad1916864ce

SHA1
888a8b8564613259f0db2c8c289f20c9f60586a1

SHA256
8ba520f3ead5ebd2ee0674a88bddf3853471e7d61e1345ad06e72c49c116bb13

SHA512
2fa6b06f28f2d978111439f58350d3095256a7da93a9fbf49b6e143feec8abab7b10e034c0821ad5a2e59af22a85a27b8c8945d16f17adb23134577a908fc6bb

Download Submit
C:\Windows\SysWOW64\Iedjmioj.exe

Filesize
55KB

MD5
8a11341f001cbe677e1eec18aec0824b

SHA1
f4341d6082be24e99f819a5bd482fd3cf7a726f5

SHA256
d1e27941dd2f634e8f9efa5486243d7f4a7b562cee25f27e9c20d71aed147644

SHA512
c1bed5cf977257f960123483a5232aa6ef68dbb484cce67060141332c122ff907091ba94f075c68ca26c3d5209164c68cf81965574f254be95e8f7ad7f5625e9

Download Submit
C:\Windows\SysWOW64\Ikpjbq32.exe

Filesize
55KB

MD5
9f6833963ab60af9ce53e29d5934d3fd

SHA1
e2535cfc7e484cc4c1b121a6c9600427cb3fbe4e

SHA256
a16983dbbb9878725c67ac0c6adf4ff21d923cece8c6af30ff9b96b513de5e45

SHA512
cccf2ba109e707b6d468fab905a6bd178cee754c5b8876ad4af12ef5ad0db6158102b8e0be7b6e6e5793347449f6f0a2bb1ffda360c09eedfd3254328bb140ef

Download Submit
C:\Windows\SysWOW64\Ikpjbq32.exe

Filesize
55KB

MD5
9f6833963ab60af9ce53e29d5934d3fd

SHA1
e2535cfc7e484cc4c1b121a6c9600427cb3fbe4e

SHA256
a16983dbbb9878725c67ac0c6adf4ff21d923cece8c6af30ff9b96b513de5e45

SHA512
cccf2ba109e707b6d468fab905a6bd178cee754c5b8876ad4af12ef5ad0db6158102b8e0be7b6e6e5793347449f6f0a2bb1ffda360c09eedfd3254328bb140ef

Download Submit
C:\Windows\SysWOW64\Ljqhkckn.exe

Filesize
55KB

MD5
96739a301cee40de3dd7ab55b3c30194

SHA1
cf29344185a71c5ee1e5d2372133a2c0a2c9bdbf

SHA256
e27960db061647dc287577f6eaa5e2696d9d5c96cb5088930b44b80c288593d4

SHA512
34800ad426854be75be17be15f99a1b56852af379ec9282d04a9d6a2f282e62feab27605f376ba9973855a2ed18203434d1bd4bdedfca88bc3d45bbaa5ad4253

Download Submit
C:\Windows\SysWOW64\Mjlhgaqp.exe

Filesize
55KB

MD5
1abcba8f044fb0de240b0409d3cbdfee

SHA1
431f69ed319b964890dd75d90d8deec6d5db98c5

SHA256
70492ade34dcedde4d02514688952c953e0e0a5a2784fd58318ba98ee266a807

SHA512
7b513c61c064be636aad5abc2b9731e2ec6acbbf6c894294b6aba568fbf05221f42c577ff48a1ea6e0a88e2fc0a35711970453fc84c3aec8c2e504cf2d1996c9

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe

Filesize
55KB

MD5
e6dc8f3c1f5e17f531d1017598df39be

SHA1
98f26985c393607218ffba99ba898313648fd0d0

SHA256
5bf743538c235cbf43f2004698572e4d5fa74b51f627ce8296a3dcbb2ab4c608

SHA512
91ad825b8e3b342c97e04a81a7679ebb8ac00a5073084670cb6d46a556f22aac28c56d891a0ccd7f5f03c53b781af1cba11f1c25b4d93fc6508f0b151dbf4136

Download Submit
C:\Windows\SysWOW64\Oalipoiq.exe

Filesize
55KB

MD5
bb158270bbdb10b98718b0a13472ce36

SHA1
4b5829f794579e6288b407b565d67e5e8cdd6cff

SHA256
de1324952c977d94a315ce5fedf08fb5d5548fc4eae6c1c71ff8042614bc75eb

SHA512
a9cc440ca183538f4a12aa208b752ff2108d5a21d9811727eff159bc0ae9e20fbcb699f497d760e5a58c9bf1b4465a5ebe3015bba5e869edbd369ee6eb434762

Download Submit
C:\Windows\SysWOW64\Oalipoiq.exe

Filesize
55KB

MD5
bb158270bbdb10b98718b0a13472ce36

SHA1
4b5829f794579e6288b407b565d67e5e8cdd6cff

SHA256
de1324952c977d94a315ce5fedf08fb5d5548fc4eae6c1c71ff8042614bc75eb

SHA512
a9cc440ca183538f4a12aa208b752ff2108d5a21d9811727eff159bc0ae9e20fbcb699f497d760e5a58c9bf1b4465a5ebe3015bba5e869edbd369ee6eb434762

Download Submit
C:\Windows\SysWOW64\Odhifjkg.exe

Filesize
55KB

MD5
1d468c35e01e55d07539044c55aefd32

SHA1
07c69a42d2815066a06e576e3c571606b7a87e4a

SHA256
3bfe1bced333d4db303d3c21512e677a4900c5d6f5f5273f4c4f5babc21a5b16

SHA512
08e1bf524d355fda724b781f19f642e246ed0071bde89cdc3927057ef1f44515f8c303291c0fb8abe320f3df5c5f0bc320c441dfb96cd2144aa01bec92d94537

Download Submit
C:\Windows\SysWOW64\Odhifjkg.exe

Filesize
55KB

MD5
1d468c35e01e55d07539044c55aefd32

SHA1
07c69a42d2815066a06e576e3c571606b7a87e4a

SHA256
3bfe1bced333d4db303d3c21512e677a4900c5d6f5f5273f4c4f5babc21a5b16

SHA512
08e1bf524d355fda724b781f19f642e246ed0071bde89cdc3927057ef1f44515f8c303291c0fb8abe320f3df5c5f0bc320c441dfb96cd2144aa01bec92d94537

Download Submit
C:\Windows\SysWOW64\Okkdic32.exe

Filesize
55KB

MD5
3aa4033f765cca38f2d0dcaacf4c371f

SHA1
c07745336b08403278a3e780460fb235abdd2fa3

SHA256
c3e4d96e1950f4c1aaec2bece2c87cef43e73e32bf060d51a2c04afe20586142

SHA512
353598f99575f038f888785f1f50eb072a02889f8d8fcc55befa6e3581ffd63bcd49b1e8e5156b05566963f528cd1710190dec7c5ddec7694cb8602c68f7e268

Download Submit
C:\Windows\SysWOW64\Okkdic32.exe

Filesize
55KB

MD5
3aa4033f765cca38f2d0dcaacf4c371f

SHA1
c07745336b08403278a3e780460fb235abdd2fa3

SHA256
c3e4d96e1950f4c1aaec2bece2c87cef43e73e32bf060d51a2c04afe20586142

SHA512
353598f99575f038f888785f1f50eb072a02889f8d8fcc55befa6e3581ffd63bcd49b1e8e5156b05566963f528cd1710190dec7c5ddec7694cb8602c68f7e268

Download Submit
C:\Windows\SysWOW64\Onpjichj.exe

Filesize
55KB

MD5
7845aa4fd20de7433c17fb4f8d704136

SHA1
890b55998365f9c21a391578a6fd66b6328515aa

SHA256
a69bdcf3fca2ddc3d6676f3adf7195c85517aa88acc23a4147a0087cecd2010a

SHA512
fafeff613ebda2055ffda1a638dcb96c1837a1223a7927e0e137afa59974990c1a94d0d935cb3524062b3aa90c2d451e2c39f648ec0ef42a949b4ddf46cd90cc

Download Submit
C:\Windows\SysWOW64\Onpjichj.exe

Filesize
55KB

MD5
7845aa4fd20de7433c17fb4f8d704136

SHA1
890b55998365f9c21a391578a6fd66b6328515aa

SHA256
a69bdcf3fca2ddc3d6676f3adf7195c85517aa88acc23a4147a0087cecd2010a

SHA512
fafeff613ebda2055ffda1a638dcb96c1837a1223a7927e0e137afa59974990c1a94d0d935cb3524062b3aa90c2d451e2c39f648ec0ef42a949b4ddf46cd90cc

Download Submit
C:\Windows\SysWOW64\Oobfob32.exe

Filesize
55KB

MD5
991dee5cf98fb7e96e1a51d191344d8f

SHA1
fbdcffe77e72a46011903a2c417a53c8aef1ad05

SHA256
33492e61d2a5d5d225676f50bd25f6d0371341947180ea76dc9bfa840aa1c606

SHA512
04e6bf8a9303a4f20c5a2496d4d0d1dabe23dd380ec0dee5191fbc2582a0399655d815bad4b3cc376729b43821e7fbcc1cb4c2effca6dfa5043b4e654aac6f27

Download Submit
C:\Windows\SysWOW64\Oobfob32.exe

Filesize
55KB

MD5
991dee5cf98fb7e96e1a51d191344d8f

SHA1
fbdcffe77e72a46011903a2c417a53c8aef1ad05

SHA256
33492e61d2a5d5d225676f50bd25f6d0371341947180ea76dc9bfa840aa1c606

SHA512
04e6bf8a9303a4f20c5a2496d4d0d1dabe23dd380ec0dee5191fbc2582a0399655d815bad4b3cc376729b43821e7fbcc1cb4c2effca6dfa5043b4e654aac6f27

Download Submit
C:\Windows\SysWOW64\Oodcdb32.exe

Filesize
55KB

MD5
195e1d5fa87f8aac83def2a4991ccf16

SHA1
e59f084db16cc862d49392a698e2c8363fcdc564

SHA256
e22c659a3f3b6ace0b93de306654e8a9a7b917b3090829067c698e0c029f3016

SHA512
543f641313040c65357348c9bf43f6233abb2f05bda8b295140020f6917d144bb5081282ec61b15e159847cb135491c9c27ea11eddf7206731fb4508e4b67c49

Download Submit
C:\Windows\SysWOW64\Oodcdb32.exe

Filesize
55KB

MD5
195e1d5fa87f8aac83def2a4991ccf16

SHA1
e59f084db16cc862d49392a698e2c8363fcdc564

SHA256
e22c659a3f3b6ace0b93de306654e8a9a7b917b3090829067c698e0c029f3016

SHA512
543f641313040c65357348c9bf43f6233abb2f05bda8b295140020f6917d144bb5081282ec61b15e159847cb135491c9c27ea11eddf7206731fb4508e4b67c49

Download Submit
C:\Windows\SysWOW64\Pknqoc32.exe

Filesize
55KB

MD5
b7a370b291d50428f53f7c96e5113af5

SHA1
7e2475d4397fae3e63169628d0388f01a32ed1fe

SHA256
be7f993811fea9f4ee0c5e21bb9f3f4a2a7650d5e3537b7a655f3d5e276230b9

SHA512
d3b5f99748124f60a9e4770699fb39a3300e13125a56c4bfffbba867edb44f00fd22ef5c88f0aec70551dbbbc7fb2afb32051919d97b3f961ece3ac5d779322e

Download Submit
C:\Windows\SysWOW64\Pknqoc32.exe

Filesize
55KB

MD5
b7a370b291d50428f53f7c96e5113af5

SHA1
7e2475d4397fae3e63169628d0388f01a32ed1fe

SHA256
be7f993811fea9f4ee0c5e21bb9f3f4a2a7650d5e3537b7a655f3d5e276230b9

SHA512
d3b5f99748124f60a9e4770699fb39a3300e13125a56c4bfffbba867edb44f00fd22ef5c88f0aec70551dbbbc7fb2afb32051919d97b3f961ece3ac5d779322e

Download Submit
C:\Windows\SysWOW64\Popbpqjh.exe

Filesize
55KB

MD5
40cdd121521b90806c9a1a36224ac2fd

SHA1
17ba2b7761310d5e79d7f5403d869d7132027f72

SHA256
b67bebd7c78408ee892a3bda984bba900d8a53b29da94255f66a490fd2b82660

SHA512
89efbcf2c7bd5087846f55a51e90b016479dc6671b1c5ab8d7f4372c855548a1a68da5d1702358eeb32e890793333449df51a32d69f0440fbc7d922f89ffcf35

Download Submit
C:\Windows\SysWOW64\Popbpqjh.exe

Filesize
55KB

MD5
40cdd121521b90806c9a1a36224ac2fd

SHA1
17ba2b7761310d5e79d7f5403d869d7132027f72

SHA256
b67bebd7c78408ee892a3bda984bba900d8a53b29da94255f66a490fd2b82660

SHA512
89efbcf2c7bd5087846f55a51e90b016479dc6671b1c5ab8d7f4372c855548a1a68da5d1702358eeb32e890793333449df51a32d69f0440fbc7d922f89ffcf35

Download Submit
C:\Windows\SysWOW64\Qhkdof32.exe

Filesize
55KB

MD5
0ac5cd649dfcb9cd9420ad75de16052f

SHA1
a67434e302471ecbd073f968b7c1221f38e6f553

SHA256
c7600b78c2e4185948c2fa30fc2f462002d537ee0550751130e16e66247010de

SHA512
2a1ca2c63340cbbd152840b1c18ef2d4f5cf335f013124f56595de58904c7ed7c9101ad16e55a4383bdf3374834756c56def18fed68f389efd5a21af579a4e15

Download Submit
C:\Windows\SysWOW64\Qhkdof32.exe

Filesize
55KB

MD5
0ac5cd649dfcb9cd9420ad75de16052f

SHA1
a67434e302471ecbd073f968b7c1221f38e6f553

SHA256
c7600b78c2e4185948c2fa30fc2f462002d537ee0550751130e16e66247010de

SHA512
2a1ca2c63340cbbd152840b1c18ef2d4f5cf335f013124f56595de58904c7ed7c9101ad16e55a4383bdf3374834756c56def18fed68f389efd5a21af579a4e15

Download Submit
C:\Windows\SysWOW64\Qhmqdemc.exe

Filesize
55KB

MD5
6ba7246448bba1a11eac1f6927b0396a

SHA1
0cee52d1f95ada758b4a53004786b2da1768243e

SHA256
e2c4a970068b21ace62af5efb791cf66a30250568dda49a537351c52b410c70e

SHA512
e9b09473c8f2cd4f69ea855bb28eabf0c67e7bda3cef6eecaf8e09951870f90c0d13c2620436da9df855c57bb5e08dad24b814b7a21973261af46c04fc94ae47

Download Submit
C:\Windows\SysWOW64\Qhmqdemc.exe

Filesize
55KB

MD5
6ba7246448bba1a11eac1f6927b0396a

SHA1
0cee52d1f95ada758b4a53004786b2da1768243e

SHA256
e2c4a970068b21ace62af5efb791cf66a30250568dda49a537351c52b410c70e

SHA512
e9b09473c8f2cd4f69ea855bb28eabf0c67e7bda3cef6eecaf8e09951870f90c0d13c2620436da9df855c57bb5e08dad24b814b7a21973261af46c04fc94ae47

Download Submit
memory/216-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/216-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/492-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/936-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1012-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1100-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1308-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2404-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-405-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3132-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3312-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3328-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3352-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3468-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3760-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3876-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3892-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4144-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4320-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4640-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5176-867-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5296-879-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5396-865-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5452-864-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5520-876-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5600-863-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5612-875-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5712-891-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5724-862-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5972-870-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6012-869-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6028-884-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6108-868-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads