a458b9a4c5a5ad3f75e4be1f8cda661a497432432b4849e5b6e09d90082cd772

Analysis

max time kernel
161s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66961ad6a3dc7e89aa9f8cda9e935f7c.exe
Size

323KB
MD5

66961ad6a3dc7e89aa9f8cda9e935f7c
SHA1

6cc0d0cb62eddfa17de0c96afb4bc974fc2a4f26
SHA256

a458b9a4c5a5ad3f75e4be1f8cda661a497432432b4849e5b6e09d90082cd772
SHA512

97ad68b01f1eb558a004bd4c877e835768ea7ffd7ef77fb3d860a67d94195b9f0b25ada0409c0b4cef6bed29a5a5ca45d7017cf7620a189dd6ba85016cc67510
SSDEEP

6144:x3aMzvn+DuIBlljd3rKzwN8Jlljd3njPX9ZAk3fs:x3aynPAjpKXjtjP9Zt0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fndgfffm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilbclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anijjkbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjdpac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feofmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jafaem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkipi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dijppjfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clohhbli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebnddn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iemdkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jliimf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnggnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffeaichg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqdlmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koiejemn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nldjnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepmjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfhgfaha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhpkldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfbfmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megldcgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkenkhec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dijppjfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfnhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcoaock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcfejfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enaaiifb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecpomiok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anijjkbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fifomlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obgeqcnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cljomc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecpomiok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eihcln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feofmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpfnqc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njfafhjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlpabkba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhcjbfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abflfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgieajgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcibchgq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mndcnafd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdhnhkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpchbhjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dalkek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdchakoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieoapl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfoamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nojfic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efampahd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebnddn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalkek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfqjhmhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jefgak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opgloh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agojdnng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngodlgka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oamgcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhcjbfag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpchbhjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mokdllim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqdlpmce.exe

Executes dropped EXE 64 IoCs

pid	Process
4768	Oamgcm32.exe
696	Afkipi32.exe
4880	Anijjkbj.exe
1660	Akmjdpac.exe
1804	Clpppmqn.exe
3556	Cbihmg32.exe
3424	Dbehienn.exe
3000	Eihcln32.exe
3128	Efampahd.exe
2464	Fifomlap.exe
2280	Fhnichde.exe
3984	Gheodg32.exe
3448	Hcipcnac.exe
3576	Iiokacgp.exe
1956	Jjjggede.exe
1428	Kplijk32.exe
1628	Lhcjbfag.exe
4108	Mpchbhjl.exe
4448	Adkelplc.exe
4060	Abflfc32.exe
1736	Bqdlmo32.exe
1796	Cbknhqbl.exe
4904	Dijppjfd.exe
4320	Dalkek32.exe
1072	Ebnddn32.exe
4416	Fjpoio32.exe
3068	Feofmf32.exe
3144	Gaoihfoo.exe
4952	Icmbcg32.exe
4476	Jcfejfag.exe
1764	Jhjcbljf.exe
1916	Koiejemn.exe
2588	Kfggbope.exe
4960	Lfqjhmhk.exe
4004	Llpofd32.exe
5064	Mlialb32.exe
2356	Njmopj32.exe
4940	Nlnkgbhp.exe
1852	Njfafhjf.exe
3608	Obhlkjaj.exe
4304	Pdalkk32.exe
4472	Pdchakoo.exe
1300	Agfnhf32.exe
5056	Apobakpn.exe
4628	Akgcdc32.exe
4384	Alhpkldp.exe
3676	Anjikoip.exe
4020	Blabakle.exe
3796	Bnehgmob.exe
2268	Ccendc32.exe
1880	Cmdhnhkp.exe
4488	Dgcoaock.exe
4240	Dnmgni32.exe
2396	Enaaiifb.exe
1252	Elhnhm32.exe
2164	Febogbhg.exe
4624	Fmndkd32.exe
1728	Fnpmkg32.exe
3804	Fdmfcn32.exe
4024	Fndgfffm.exe
3544	Ilbclg32.exe
4012	Iemdkl32.exe
4616	Ioeicajh.exe
3456	Ieoapl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Alhpkldp.exe	Akgcdc32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpfqiha.exe	Begcjjql.exe
File opened for modification	C:\Windows\SysWOW64\Clpppmqn.exe	Akmjdpac.exe
File opened for modification	C:\Windows\SysWOW64\Jekpljgg.exe	Jefgak32.exe
File created	C:\Windows\SysWOW64\Dahogoog.dll	Fcibchgq.exe
File created	C:\Windows\SysWOW64\Fjpoio32.exe	Ebnddn32.exe
File opened for modification	C:\Windows\SysWOW64\Anjikoip.exe	Alhpkldp.exe
File created	C:\Windows\SysWOW64\Qeddkilb.dll	Dgcoaock.exe
File opened for modification	C:\Windows\SysWOW64\Nldjnk32.exe	Nejbaqgo.exe
File opened for modification	C:\Windows\SysWOW64\Ffeaichg.exe	Ffahnd32.exe
File created	C:\Windows\SysWOW64\Impldi32.exe	Iffcgoka.exe
File created	C:\Windows\SysWOW64\Kakdifap.dll	Fjpoio32.exe
File created	C:\Windows\SysWOW64\Ilbclg32.exe	Fndgfffm.exe
File created	C:\Windows\SysWOW64\Jekpljgg.exe	Jefgak32.exe
File created	C:\Windows\SysWOW64\Jcepnl32.dll	Gagebknp.exe
File created	C:\Windows\SysWOW64\Mndcnafd.exe	Mhgkfkhl.exe
File created	C:\Windows\SysWOW64\Nojfic32.exe	Ngodlgka.exe
File opened for modification	C:\Windows\SysWOW64\Fhnichde.exe	Fifomlap.exe
File created	C:\Windows\SysWOW64\Lcakilpk.dll	Qlpcpffl.exe
File opened for modification	C:\Windows\SysWOW64\Ffahnd32.exe	Ecpomiok.exe
File created	C:\Windows\SysWOW64\Apbonqaj.dll	Obhlkjaj.exe
File opened for modification	C:\Windows\SysWOW64\Fjpoio32.exe	Ebnddn32.exe
File created	C:\Windows\SysWOW64\Mhgkfkhl.exe	Mbmbiqqp.exe
File created	C:\Windows\SysWOW64\Jliimf32.exe	Ieoapl32.exe
File created	C:\Windows\SysWOW64\Mnggnh32.exe	Megldcgd.exe
File created	C:\Windows\SysWOW64\Lcpcqh32.dll	Lnanadfi.exe
File created	C:\Windows\SysWOW64\Nqdlpmce.exe	Mndcnafd.exe
File opened for modification	C:\Windows\SysWOW64\Gaoihfoo.exe	Feofmf32.exe
File created	C:\Windows\SysWOW64\Dnmgni32.exe	Dgcoaock.exe
File created	C:\Windows\SysWOW64\Mcbfbj32.dll	Bgafin32.exe
File created	C:\Windows\SysWOW64\Kkqepi32.exe	Kdfmcobk.exe
File created	C:\Windows\SysWOW64\Agnblobc.dll	Cmdhnhkp.exe
File opened for modification	C:\Windows\SysWOW64\Mpchbhjl.exe	Lhcjbfag.exe
File created	C:\Windows\SysWOW64\Njfafhjf.exe	Nlnkgbhp.exe
File created	C:\Windows\SysWOW64\Nldjnk32.exe	Nejbaqgo.exe
File created	C:\Windows\SysWOW64\Qfpebmne.dll	Kplijk32.exe
File opened for modification	C:\Windows\SysWOW64\Lfkich32.exe	Loodqn32.exe
File created	C:\Windows\SysWOW64\Gjmmfq32.exe	Fpbpmhjb.exe
File created	C:\Windows\SysWOW64\Lfbqdb32.dll	Lhgbomfo.exe
File created	C:\Windows\SysWOW64\Kdpmmf32.exe	Knfepldb.exe
File created	C:\Windows\SysWOW64\Damneiak.dll	Loodqn32.exe
File created	C:\Windows\SysWOW64\Lopeamfc.dll	Nojfic32.exe
File opened for modification	C:\Windows\SysWOW64\Pdchakoo.exe	Pdalkk32.exe
File created	C:\Windows\SysWOW64\Feofmf32.exe	Fjpoio32.exe
File created	C:\Windows\SysWOW64\Gbbfag32.dll	Jafaem32.exe
File created	C:\Windows\SysWOW64\Nloebh32.dll	Pdchakoo.exe
File opened for modification	C:\Windows\SysWOW64\Aepmjk32.exe	Qlpcpffl.exe
File created	C:\Windows\SysWOW64\Cmqqnelh.dll	Njfafhjf.exe
File opened for modification	C:\Windows\SysWOW64\Lbgcch32.exe	Lkhbko32.exe
File opened for modification	C:\Windows\SysWOW64\Ccendc32.exe	Bnehgmob.exe
File opened for modification	C:\Windows\SysWOW64\Jpfnqc32.exe	Ihkila32.exe
File opened for modification	C:\Windows\SysWOW64\Akgcdc32.exe	Apobakpn.exe
File opened for modification	C:\Windows\SysWOW64\Knfepldb.exe	Jekpljgg.exe
File opened for modification	C:\Windows\SysWOW64\Blnoad32.exe	Bgafin32.exe
File created	C:\Windows\SysWOW64\Bdendn32.dll	Ffahnd32.exe
File opened for modification	C:\Windows\SysWOW64\Gmnfglcd.exe	Gagebknp.exe
File created	C:\Windows\SysWOW64\Fndinf32.dll	Blnoad32.exe
File opened for modification	C:\Windows\SysWOW64\Mlialb32.exe	Llpofd32.exe
File created	C:\Windows\SysWOW64\Odnfkbla.dll	Agojdnng.exe
File created	C:\Windows\SysWOW64\Efampahd.exe	Eihcln32.exe
File created	C:\Windows\SysWOW64\Mlialb32.exe	Llpofd32.exe
File created	C:\Windows\SysWOW64\Nlnkgbhp.exe	Njmopj32.exe
File created	C:\Windows\SysWOW64\Cmdhnhkp.exe	Ccendc32.exe
File created	C:\Windows\SysWOW64\Ejhehcge.dll	Pbokab32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
800	5820	WerFault.exe	226

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egpofhkf.dll"	Aepmjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anijjkbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kplijk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecpomiok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfggbope.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obhlkjaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Begcjjql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damneiak.dll"	Loodqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdchhk32.dll"	Icmbcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngodlgka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fifomlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdalkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgcoaock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnmgni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jekpljgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknhjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfbfmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlpabkba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcfpn32.dll"	Jpfnqc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akgcdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nldjnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anjikoip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fifomlap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dalkek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odnfkbla.dll"	Agojdnng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjmfmnhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhcjbfag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	66961ad6a3dc7e89aa9f8cda9e935f7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbehienn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njfafhjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbpnomm.dll"	Lfkich32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mndcnafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clpppmqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbehienn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andlfi32.dll"	Ccendc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioeicajh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occlhfgg.dll"	Iemdkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcibchgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjmmfq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhbggd32.dll"	Laofhbmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkcjlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfbfmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agojdnng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbgcch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepmjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Begcjjql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enaaiifb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gagebknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fepbfj32.dll"	Lhcjbfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjnmobg.dll"	Begcjjql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjipc32.dll"	Koiejemn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloim32.dll"	Fmndkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdmfcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obgeqcnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoeeekec.dll"	Kknhjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcdji32.dll"	Dbehienn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglpfmji.dll"	Elhnhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efampahd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einmdadf.dll"	Enaaiifb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inoeep32.dll"	Fnpmkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcfejfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alhpkldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Decnea32.dll"	Bnehgmob.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 4768	1740	66961ad6a3dc7e89aa9f8cda9e935f7c.exe	94
PID 1740 wrote to memory of 4768	1740	66961ad6a3dc7e89aa9f8cda9e935f7c.exe	94
PID 1740 wrote to memory of 4768	1740	66961ad6a3dc7e89aa9f8cda9e935f7c.exe	94
PID 4768 wrote to memory of 696	4768	Oamgcm32.exe	95
PID 4768 wrote to memory of 696	4768	Oamgcm32.exe	95
PID 4768 wrote to memory of 696	4768	Oamgcm32.exe	95
PID 696 wrote to memory of 4880	696	Afkipi32.exe	96
PID 696 wrote to memory of 4880	696	Afkipi32.exe	96
PID 696 wrote to memory of 4880	696	Afkipi32.exe	96
PID 4880 wrote to memory of 1660	4880	Anijjkbj.exe	97
PID 4880 wrote to memory of 1660	4880	Anijjkbj.exe	97
PID 4880 wrote to memory of 1660	4880	Anijjkbj.exe	97
PID 1660 wrote to memory of 1804	1660	Akmjdpac.exe	98
PID 1660 wrote to memory of 1804	1660	Akmjdpac.exe	98
PID 1660 wrote to memory of 1804	1660	Akmjdpac.exe	98
PID 1804 wrote to memory of 3556	1804	Clpppmqn.exe	99
PID 1804 wrote to memory of 3556	1804	Clpppmqn.exe	99
PID 1804 wrote to memory of 3556	1804	Clpppmqn.exe	99
PID 3556 wrote to memory of 3424	3556	Cbihmg32.exe	100
PID 3556 wrote to memory of 3424	3556	Cbihmg32.exe	100
PID 3556 wrote to memory of 3424	3556	Cbihmg32.exe	100
PID 3424 wrote to memory of 3000	3424	Dbehienn.exe	101
PID 3424 wrote to memory of 3000	3424	Dbehienn.exe	101
PID 3424 wrote to memory of 3000	3424	Dbehienn.exe	101
PID 3000 wrote to memory of 3128	3000	Eihcln32.exe	102
PID 3000 wrote to memory of 3128	3000	Eihcln32.exe	102
PID 3000 wrote to memory of 3128	3000	Eihcln32.exe	102
PID 3128 wrote to memory of 2464	3128	Efampahd.exe	103
PID 3128 wrote to memory of 2464	3128	Efampahd.exe	103
PID 3128 wrote to memory of 2464	3128	Efampahd.exe	103
PID 2464 wrote to memory of 2280	2464	Fifomlap.exe	104
PID 2464 wrote to memory of 2280	2464	Fifomlap.exe	104
PID 2464 wrote to memory of 2280	2464	Fifomlap.exe	104
PID 2280 wrote to memory of 3984	2280	Fhnichde.exe	105
PID 2280 wrote to memory of 3984	2280	Fhnichde.exe	105
PID 2280 wrote to memory of 3984	2280	Fhnichde.exe	105
PID 3984 wrote to memory of 3448	3984	Gheodg32.exe	106
PID 3984 wrote to memory of 3448	3984	Gheodg32.exe	106
PID 3984 wrote to memory of 3448	3984	Gheodg32.exe	106
PID 3448 wrote to memory of 3576	3448	Hcipcnac.exe	107
PID 3448 wrote to memory of 3576	3448	Hcipcnac.exe	107
PID 3448 wrote to memory of 3576	3448	Hcipcnac.exe	107
PID 3576 wrote to memory of 1956	3576	Iiokacgp.exe	108
PID 3576 wrote to memory of 1956	3576	Iiokacgp.exe	108
PID 3576 wrote to memory of 1956	3576	Iiokacgp.exe	108
PID 1956 wrote to memory of 1428	1956	Jjjggede.exe	109
PID 1956 wrote to memory of 1428	1956	Jjjggede.exe	109
PID 1956 wrote to memory of 1428	1956	Jjjggede.exe	109
PID 1428 wrote to memory of 1628	1428	Kplijk32.exe	110
PID 1428 wrote to memory of 1628	1428	Kplijk32.exe	110
PID 1428 wrote to memory of 1628	1428	Kplijk32.exe	110
PID 1628 wrote to memory of 4108	1628	Lhcjbfag.exe	111
PID 1628 wrote to memory of 4108	1628	Lhcjbfag.exe	111
PID 1628 wrote to memory of 4108	1628	Lhcjbfag.exe	111
PID 4108 wrote to memory of 4448	4108	Mpchbhjl.exe	112
PID 4108 wrote to memory of 4448	4108	Mpchbhjl.exe	112
PID 4108 wrote to memory of 4448	4108	Mpchbhjl.exe	112
PID 4448 wrote to memory of 4060	4448	Adkelplc.exe	113
PID 4448 wrote to memory of 4060	4448	Adkelplc.exe	113
PID 4448 wrote to memory of 4060	4448	Adkelplc.exe	113
PID 4060 wrote to memory of 1736	4060	Abflfc32.exe	114
PID 4060 wrote to memory of 1736	4060	Abflfc32.exe	114
PID 4060 wrote to memory of 1736	4060	Abflfc32.exe	114
PID 1736 wrote to memory of 1796	1736	Bqdlmo32.exe	115

C:\Users\Admin\AppData\Local\Temp\66961ad6a3dc7e89aa9f8cda9e935f7c.exe
"C:\Users\Admin\AppData\Local\Temp\66961ad6a3dc7e89aa9f8cda9e935f7c.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\Oamgcm32.exe
  C:\Windows\system32\Oamgcm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\Afkipi32.exe
    C:\Windows\system32\Afkipi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\Anijjkbj.exe
      C:\Windows\system32\Anijjkbj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Windows\SysWOW64\Akmjdpac.exe
        
        C:\Windows\system32\Akmjdpac.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\SysWOW64\Clpppmqn.exe
        
        C:\Windows\system32\Clpppmqn.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Cbihmg32.exe
        
        C:\Windows\system32\Cbihmg32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Dbehienn.exe
        
        C:\Windows\system32\Dbehienn.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Eihcln32.exe
        
        C:\Windows\system32\Eihcln32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Efampahd.exe
        
        C:\Windows\system32\Efampahd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Fifomlap.exe
        
        C:\Windows\system32\Fifomlap.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Fhnichde.exe
        
        C:\Windows\system32\Fhnichde.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Gheodg32.exe
        
        C:\Windows\system32\Gheodg32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Hcipcnac.exe
        
        C:\Windows\system32\Hcipcnac.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Iiokacgp.exe
        
        C:\Windows\system32\Iiokacgp.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Jjjggede.exe
        
        C:\Windows\system32\Jjjggede.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Kplijk32.exe
        
        C:\Windows\system32\Kplijk32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Lhcjbfag.exe
        
        C:\Windows\system32\Lhcjbfag.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Mpchbhjl.exe
        
        C:\Windows\system32\Mpchbhjl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Adkelplc.exe
        
        C:\Windows\system32\Adkelplc.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Abflfc32.exe
        
        C:\Windows\system32\Abflfc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Bqdlmo32.exe
        
        C:\Windows\system32\Bqdlmo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Cbknhqbl.exe
        
        C:\Windows\system32\Cbknhqbl.exe
        23⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Dijppjfd.exe
        
        C:\Windows\system32\Dijppjfd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Dalkek32.exe
        
        C:\Windows\system32\Dalkek32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Ebnddn32.exe
        
        C:\Windows\system32\Ebnddn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\Fjpoio32.exe
        
        C:\Windows\system32\Fjpoio32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Feofmf32.exe
        
        C:\Windows\system32\Feofmf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\Gaoihfoo.exe
        
        C:\Windows\system32\Gaoihfoo.exe
        29⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Icmbcg32.exe
        
        C:\Windows\system32\Icmbcg32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Jcfejfag.exe
        
        C:\Windows\system32\Jcfejfag.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Jhjcbljf.exe
        
        C:\Windows\system32\Jhjcbljf.exe
        32⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\Koiejemn.exe
        
        C:\Windows\system32\Koiejemn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Kfggbope.exe
        
        C:\Windows\system32\Kfggbope.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Lfqjhmhk.exe
        
        C:\Windows\system32\Lfqjhmhk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Llpofd32.exe
        
        C:\Windows\system32\Llpofd32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Mlialb32.exe
        
        C:\Windows\system32\Mlialb32.exe
        37⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Njmopj32.exe
        
        C:\Windows\system32\Njmopj32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Nlnkgbhp.exe
        
        C:\Windows\system32\Nlnkgbhp.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Njfafhjf.exe
        
        C:\Windows\system32\Njfafhjf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Obhlkjaj.exe
        
        C:\Windows\system32\Obhlkjaj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Pdalkk32.exe
        
        C:\Windows\system32\Pdalkk32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Pdchakoo.exe
        
        C:\Windows\system32\Pdchakoo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Agfnhf32.exe
        
        C:\Windows\system32\Agfnhf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Apobakpn.exe
        
        C:\Windows\system32\Apobakpn.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Akgcdc32.exe
        
        C:\Windows\system32\Akgcdc32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Alhpkldp.exe
        
        C:\Windows\system32\Alhpkldp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Anjikoip.exe
        
        C:\Windows\system32\Anjikoip.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Blabakle.exe
        
        C:\Windows\system32\Blabakle.exe
        49⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\Bnehgmob.exe
        
        C:\Windows\system32\Bnehgmob.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Ccendc32.exe
        
        C:\Windows\system32\Ccendc32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Cmdhnhkp.exe
        
        C:\Windows\system32\Cmdhnhkp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Dgcoaock.exe
        
        C:\Windows\system32\Dgcoaock.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Dnmgni32.exe
        
        C:\Windows\system32\Dnmgni32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Enaaiifb.exe
        
        C:\Windows\system32\Enaaiifb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Elhnhm32.exe
        
        C:\Windows\system32\Elhnhm32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Febogbhg.exe
        
        C:\Windows\system32\Febogbhg.exe
        57⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\Fmndkd32.exe
        
        C:\Windows\system32\Fmndkd32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Fnpmkg32.exe
        
        C:\Windows\system32\Fnpmkg32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Fdmfcn32.exe
        
        C:\Windows\system32\Fdmfcn32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Fndgfffm.exe
        
        C:\Windows\system32\Fndgfffm.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Ilbclg32.exe
        
        C:\Windows\system32\Ilbclg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Iemdkl32.exe
        
        C:\Windows\system32\Iemdkl32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Ioeicajh.exe
        
        C:\Windows\system32\Ioeicajh.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Ieoapl32.exe
        
        C:\Windows\system32\Ieoapl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Jliimf32.exe
        
        C:\Windows\system32\Jliimf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3716
        
        C:\Windows\SysWOW64\Jafaem32.exe
        
        C:\Windows\system32\Jafaem32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\Jefgak32.exe
        
        C:\Windows\system32\Jefgak32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Jekpljgg.exe
        
        C:\Windows\system32\Jekpljgg.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Knfepldb.exe
        
        C:\Windows\system32\Knfepldb.exe
        70⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Kdpmmf32.exe
        
        C:\Windows\system32\Kdpmmf32.exe
        71⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Kfbfmi32.exe
        
        C:\Windows\system32\Kfbfmi32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Loodqn32.exe
        
        C:\Windows\system32\Loodqn32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Lfkich32.exe
        
        C:\Windows\system32\Lfkich32.exe
        74⤵
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Lkhbko32.exe
        
        C:\Windows\system32\Lkhbko32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Lbgcch32.exe
        
        C:\Windows\system32\Lbgcch32.exe
        76⤵
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Mokdllim.exe
        
        C:\Windows\system32\Mokdllim.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:992
        
        C:\Windows\SysWOW64\Megldcgd.exe
        
        C:\Windows\system32\Megldcgd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Mnggnh32.exe
        
        C:\Windows\system32\Mnggnh32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4344
        
        C:\Windows\SysWOW64\Nlpabkba.exe
        
        C:\Windows\system32\Nlpabkba.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Nejbaqgo.exe
        
        C:\Windows\system32\Nejbaqgo.exe
        81⤵
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Nldjnk32.exe
        
        C:\Windows\system32\Nldjnk32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Opgloh32.exe
        
        C:\Windows\system32\Opgloh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4500
        
        C:\Windows\SysWOW64\Obgeqcnn.exe
        
        C:\Windows\system32\Obgeqcnn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Pmbcik32.exe
        
        C:\Windows\system32\Pmbcik32.exe
        85⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Pbokab32.exe
        
        C:\Windows\system32\Pbokab32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Pfoamp32.exe
        
        C:\Windows\system32\Pfoamp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Qlpcpffl.exe
        
        C:\Windows\system32\Qlpcpffl.exe
        88⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Aepmjk32.exe
        
        C:\Windows\system32\Aepmjk32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Agojdnng.exe
        
        C:\Windows\system32\Agojdnng.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Bgafin32.exe
        
        C:\Windows\system32\Bgafin32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Blnoad32.exe
        
        C:\Windows\system32\Blnoad32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Begcjjql.exe
        
        C:\Windows\system32\Begcjjql.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Cfpfqiha.exe
        
        C:\Windows\system32\Cfpfqiha.exe
        94⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Cljomc32.exe
        
        C:\Windows\system32\Cljomc32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Clohhbli.exe
        
        C:\Windows\system32\Clohhbli.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Dgieajgj.exe
        
        C:\Windows\system32\Dgieajgj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Djjobedk.exe
        
        C:\Windows\system32\Djjobedk.exe
        98⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Ecpomiok.exe
        
        C:\Windows\system32\Ecpomiok.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Ffahnd32.exe
        
        C:\Windows\system32\Ffahnd32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Ffeaichg.exe
        
        C:\Windows\system32\Ffeaichg.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Fcibchgq.exe
        
        C:\Windows\system32\Fcibchgq.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Fpbpmhjb.exe
        
        C:\Windows\system32\Fpbpmhjb.exe
        103⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Gjmmfq32.exe
        
        C:\Windows\system32\Gjmmfq32.exe
        104⤵
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Gagebknp.exe
        
        C:\Windows\system32\Gagebknp.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Gmnfglcd.exe
        
        C:\Windows\system32\Gmnfglcd.exe
        106⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Ghcjedcj.exe
        
        C:\Windows\system32\Ghcjedcj.exe
        107⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Hfhgfaha.exe
        
        C:\Windows\system32\Hfhgfaha.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Hjmfmnhp.exe
        
        C:\Windows\system32\Hjmfmnhp.exe
        109⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Iffcgoka.exe
        
        C:\Windows\system32\Iffcgoka.exe
        110⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Impldi32.exe
        
        C:\Windows\system32\Impldi32.exe
        111⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Idjdqc32.exe
        
        C:\Windows\system32\Idjdqc32.exe
        112⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Iophnl32.exe
        
        C:\Windows\system32\Iophnl32.exe
        113⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Ihkila32.exe
        
        C:\Windows\system32\Ihkila32.exe
        114⤵
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Jpfnqc32.exe
        
        C:\Windows\system32\Jpfnqc32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Kaajfe32.exe
        
        C:\Windows\system32\Kaajfe32.exe
        116⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Kknhjj32.exe
        
        C:\Windows\system32\Kknhjj32.exe
        117⤵
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Kdfmcobk.exe
        
        C:\Windows\system32\Kdfmcobk.exe
        118⤵
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\Kkqepi32.exe
        
        C:\Windows\system32\Kkqepi32.exe
        119⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Lnanadfi.exe
        
        C:\Windows\system32\Lnanadfi.exe
        120⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Lhgbomfo.exe
        
        C:\Windows\system32\Lhgbomfo.exe
        121⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Lkenkhec.exe
        
        C:\Windows\system32\Lkenkhec.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Laofhbmp.exe
        
        C:\Windows\system32\Laofhbmp.exe
        123⤵
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Mkcjlf32.exe
        
        C:\Windows\system32\Mkcjlf32.exe
        124⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Mbmbiqqp.exe
        
        C:\Windows\system32\Mbmbiqqp.exe
        125⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Mhgkfkhl.exe
        
        C:\Windows\system32\Mhgkfkhl.exe
        126⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Mndcnafd.exe
        
        C:\Windows\system32\Mndcnafd.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Nqdlpmce.exe
        
        C:\Windows\system32\Nqdlpmce.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Ngodlgka.exe
        
        C:\Windows\system32\Ngodlgka.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Nojfic32.exe
        
        C:\Windows\system32\Nojfic32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Okfpid32.exe
        
        C:\Windows\system32\Okfpid32.exe
        131⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 400
        132⤵
        Program crash
        
        PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5820 -ip 5820
1⤵
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abflfc32.exe

Filesize
323KB

MD5
e6e83331bca099a7a1ae04aa4a1381e5

SHA1
79d692e4d965f6a9be6d8967eaeb94285edab327

SHA256
c82973daad7192e4b513e80c48979c4f463dc6eeed1e5965980bd1c189368c05

SHA512
e978be7108314bb67b736c4787d03cc2213ee46df636e4ae6cc22bd3ececdccd60a93ebcf043a424138c1b9a8f9daf70aa151ef6ecbf3206d2c1ebbeda74b8ee

Download Submit
C:\Windows\SysWOW64\Adkelplc.exe

Filesize
323KB

MD5
3bf5b72dbfc7dde29cb2aeed922dffd6

SHA1
4de5575fa6ea5c7ebfb645ca795b3bd67134e823

SHA256
c1278dbc27d71af15a22a8da692d097c72b2897a318c3256e06a1359abeaa129

SHA512
ccd6e2c369ed91f76ecc805d48a76819a15c3304309e6da0b56cbe9992fc5b58cba190c677aba8e65b64abce07985ac136ee08fa7d71fe34465589b2da325d0f

Download Submit
C:\Windows\SysWOW64\Afkipi32.exe

Filesize
323KB

MD5
4e1081c50db10ef1f3b765e244748c43

SHA1
052a9c9530ac4e54e72d7b22be1b2e5b8d12922b

SHA256
3e95d3747e8b5ffd35b234482858a5b750c0bf13ddd0b76ed519aaa178f5b05e

SHA512
b7020308b8ea5833dd5302eadd8743cbe9be40768d31597a3b3abc6aeaf3d1c21bf4afe250d0bbee4e37de8f3e932eb79a495e09b1aa3787ebc723cc95807c63

Download Submit
C:\Windows\SysWOW64\Akmjdpac.exe

Filesize
323KB

MD5
e003e5810a9ef973f73aa8846addd45e

SHA1
31f1ad768b2c563a4851762bac18b541b8f160d4

SHA256
aeb8d0d3d9b4d7afa49aafb1784036e94e7ad67ed8b57a091b3a7035709e34ce

SHA512
2d3f433a5e85e5da1c380f90cc3dff6595e5570b7c764aa96e9eb4b36b63fdb2b444662753459b5a3e04b063c7e3453bc88548155cd75bd8880ea81ed795421e

Download Submit
C:\Windows\SysWOW64\Anijjkbj.exe

Filesize
323KB

MD5
81dc5e35e3cf205b66e3a736a35c7732

SHA1
0cc188d36ae142ca0fb991dd86be2aa318c1eb92

SHA256
b5b6991cc11d1f68a0e0b0789b22352725a2aaa097c980f928dba944db370fe3

SHA512
5a245048c62073e6ae1bfa6ab327126e96edae3ca6b8673400033d7430dd32c38271f407b2cffeb5aad5d83a0bcf7cfac5d777393136453a8aefdb4c859af162

Download Submit
C:\Windows\SysWOW64\Blnoad32.exe

Filesize
323KB

MD5
7e7b9e0df2b49f565bf0175aca4f3b1c

SHA1
8b5e036b56056b72406e643256be7b1ec7b8d589

SHA256
d20595e0330c643875472ff38d022705011251976c5eecfb71fc83b56a6ac438

SHA512
36c36f58684027af37ee870dc2d4e034ae24f99f6f190fedfe5eca502325bf8b1dad36665015b8778b2482307d3d30518f0d6a9e2560da509acbb506c29e0ffe

Download Submit
C:\Windows\SysWOW64\Bqdlmo32.exe

Filesize
128KB

MD5
62477a3cca4776b92da2c310873fc338

SHA1
c6b9f150abdbb9461ff52c9f1f24f310e9856cca

SHA256
8e8a72c3d7e0bb7edf045e7d91384f9affa59f22ee09eaed1bffc9f40cc9b026

SHA512
398a76306378eb3509aab5c4a8fa4ef5d0bca93fdfa4e82a8bd8590ef2a75306ca72ca0a1b3d8e382c77be07ce243acf8cf3fb58d70ef20505de110ed6804f6d

Download Submit
C:\Windows\SysWOW64\Bqdlmo32.exe

Filesize
323KB

MD5
1361ebb7ec620d0ebe472dc9829d1a4c

SHA1
6f4b03460995cd2c5da93e8b5c0eec26028d858a

SHA256
8b8180121f7de3cbde9962c0fa68a121a80af43eb357b8e024ed19d209aebc6a

SHA512
50f8bcb84b6d20b7ae45139f019a9d8cf3a6aabba2dc8b76086e20a9e678c3e94387722db3a3803f84f95d749ac56056028a23226338e9ab11a60510b1bce893

Download Submit
C:\Windows\SysWOW64\Cbihmg32.exe

Filesize
323KB

MD5
7f7a9f69d0d8bb3f9494042c606934cd

SHA1
3a054d254fd7f42964828e76cb4487f274d0c4ad

SHA256
bdbe9513b9522f0a4ddb18bba9c55d0327a2cd3312bef1ea6cfcdc679b1f86be

SHA512
c3eac012ad18e33ad4705359061cc0ac04554f5e9e1824b25f2a76ffca13ee3f4b4206782aec1f1dee158c527ff9e55d3b76bdfb2f42828a4fb3f24c76d30722

Download Submit
C:\Windows\SysWOW64\Cbknhqbl.exe

Filesize
323KB

MD5
c9e0adfdbc288106b1f9beabf69d9277

SHA1
fe7dfe82e9ad49af4587c8f86461d3f9d3a22a3c

SHA256
d07b9fa728bcb1bec2abdea0d622f96b75e093ae7559a27040dc2e5b05019181

SHA512
50a3c58959a36710f7fdbb9454b76edae10d1a68a7b75b4093477bed93c72d32fa4554e203a9063ef10bc8931a43349f991fe02ba8e4dfb8a524eff7cbef83c4

Download Submit
C:\Windows\SysWOW64\Clpppmqn.exe

Filesize
323KB

MD5
ab42ba0e5eba51a4a311a65df06990d5

SHA1
f79999ddfe248d91e6f806f4c1656e81b2232b2f

SHA256
de5b91b79f21b68f37fa3381f6197e8ce22e0a800624cb737bb8923f8e8b3c58

SHA512
629e65195a766bd07546fe67b55759bed76ef4d8a2b5252765eebd0206a02598b6e821c5c84a31b340eafa25848760f6615459c5e8dad59b43b02b83768b1b94

Download Submit
C:\Windows\SysWOW64\Dalkek32.exe

Filesize
323KB

MD5
0a10f31c4b889d437b4b82a97ea03f42

SHA1
d16f5424c17e1302c138cfe2de572bbb137b7d47

SHA256
a965637727ae47869a2b46ace38bf9dfeed65574682164436db0ec6e61f3aa87

SHA512
6363a8deae1c5a580ec64d6fb344d43f04b31e681a6676231cb83155bc6b1a4b737d09dd5df94b66c9bc0eb763288c90a0bc1b7233331b872d6702ff945d7d7d

Download Submit
C:\Windows\SysWOW64\Dbehienn.exe

Filesize
323KB

MD5
12c339e456d0a5cf27c38875c7ce9ec9

SHA1
4372cbc43f20ed7726742456eb8a1f856679c08e

SHA256
b7d6e06bf6c4fd059f9d09c41c1bc84ba7cf28e9b55d98c4db6f8035253e67bc

SHA512
48f1f68704a4f9d7e1e388a915c59403a4d3175eecfbd60ab6fcfdcad8c63d7301d10b44bc2b2662c09917a15fb06431f76942e2b48ec7f0c554094ee095936c

Download Submit
C:\Windows\SysWOW64\Dijppjfd.exe

Filesize
323KB

MD5
8dcd01be3fadda0168efbc5840b41778

SHA1
b8362edf31b79c84cad979edc88a854e2031ef45

SHA256
1c256597438d811f443f940e73bb8bd30374dcec803e879959a139e326859210

SHA512
a441eea5777bb54b04c536b9eab787a5363aaea1951a94e66342502aed250698e6168c360c7926322e257520d33f0dea0a73093ca61d6555d90987ba356e66b7

Download Submit
C:\Windows\SysWOW64\Ebnddn32.exe

Filesize
323KB

MD5
d988b5a53335337640e0dc272dd38984

SHA1
f3246e2747dd4ef97271a3f450c3e0d14d47c450

SHA256
22a3d73be110524b2f6e40e9426aa2f0a46df65e9297ca393ee4e82e278f0835

SHA512
2453a348a76e6c24be0245c143836353363c8578c611c7da480c8fc68e279b1812cad17c5bdabe4138215691ef8699df653148e8134eb34df0752293563d6148

Download Submit
C:\Windows\SysWOW64\Efampahd.exe

Filesize
323KB

MD5
bf0103e627042cfa2a54083cd4c0266a

SHA1
3f00e3a035f0ecb6595e8d3a4c26ad095753553d

SHA256
47607b08dda8dce30c766d20df992f65b7332e6ad8ea1136730b92acf5772246

SHA512
881722fabafc088d3aa239c53e163389b7fa2590f11df5fd49b06f6f721fcd7274a151db3ccdd4387455c13ea88b068c6420c95bdf426a12bac62e58902526f9

Download Submit
C:\Windows\SysWOW64\Eihcln32.exe

Filesize
323KB

MD5
dc991c198e7d7a94cddb64fa1e148d1f

SHA1
12be563566e2e6652a61b8101b2dc9bcbe5bd2d5

SHA256
2bb662f33e8b8405585ed92508498f8b4b9144aac6963525ab509843e1bc6191

SHA512
9ac7793cde219f965bef776e9ef5b5d33b032d85f1449d8510adc951dff31dc4cad898ebc83b6dabe6b504e2ffd57cd738b50ec9db3b70c6e46dc1a021724ade

Download Submit
C:\Windows\SysWOW64\Feofmf32.exe

Filesize
323KB

MD5
90ae1dbc7e0075823ae144b4d02cc8fb

SHA1
9292e1e815d3b97eb7209023de324fbe64d4b93e

SHA256
f44a82622e44e4e29e351c943492f4397b8f3b18c2d263af89668b6e6a7ceaad

SHA512
096968eea8cfddd763f63867239fbf5ec8f9a6baa337547af2649a5477ec413b9dde9a5098b6728ec91f669cacb597f33d9bbf5f02ee0f54b101b7813ae026b3

Download Submit
C:\Windows\SysWOW64\Fhnichde.exe

Filesize
323KB

MD5
632c7e8318982dde0c8d498ecaa81e6d

SHA1
9537dbc2c752a7ce5ec2676676f67a18ed72a1a5

SHA256
891d7e9a75541c6c5422bc1d1fd8622d5fad56ccdb5401eb41e123e69a9a2546

SHA512
0d6c03cefe82de116ea465b4c8cf59bc3360c1b8648b61b8cfdf508904befd352205d35fc716ebdf73a841ce9df7703b6749b15bd47ba8e29f3b11de5b0759e0

Download Submit
C:\Windows\SysWOW64\Fifomlap.exe

Filesize
323KB

MD5
5258a79d188136292aba592b940eb604

SHA1
5a4b95bc7f40872a96406112aabdb09a28608a64

SHA256
39342052954dfe5b2e1d26b77a5828bdb29c39542c630c97ea2279ea790666ea

SHA512
245e2cb70506740079474cd7f4e41b61a07a5cf176adfb0abfe7836a1ed4c33a93b66d3eb4eebc272cf998beafdf110890ca506cff8d59b35312bf98fa4b7711

Download Submit
C:\Windows\SysWOW64\Fjpoio32.exe

Filesize
323KB

MD5
42d67626b6d9ee1056200a5d22b4ea5f

SHA1
b9c8cacc33a2a9806b694e767f618868d43b3ea1

SHA256
1193c4dfd014d2579093684bd742e4eb1cbb19f0df1a9f5a51789c6cf1754874

SHA512
91aecd353cab03a8497a8f8324c26da3d24a684180d544c30544ac26e39d4cdc41be0a612a66a28ce00432b70cad8761219070df57b3c4ca432e96241d0f5c89

Download Submit
C:\Windows\SysWOW64\Fndgfffm.exe

Filesize
323KB

MD5
f92f6576e887a5315b4278951433b331

SHA1
0e3fcdf82b0dc5503b6cf20bf60c59fbb3594007

SHA256
87d96e2bb9ac027eeb4fbb6026f1d7d847af216aa594a3a914524c8776090ae3

SHA512
761e1d7afaac3983f5aab6207afbb41974b8aa531ec003706beebaaf3b0a9f8bd8e8be9a745c1206e5d466ab71d6f66fd504622ec6b5d3e146ec0364b6efc1ae

Download Submit
C:\Windows\SysWOW64\Gaoihfoo.exe

Filesize
323KB

MD5
80f02a29d5e5c4cba8fd2c92e30de64b

SHA1
c93c59155c9bc3c4a4d9553ec788be692e7f558c

SHA256
134377117b71f1ea734a2430a0fc5304a629f308342688df311fe5b12268e595

SHA512
fc638d495d53f2f6aa8e41748893220a9742d2cd091bb79d1f2d27441dbe910db21422f590bc81d1b93c08993791162f4c37827d2d0c888473190e0888d48461

Download Submit
C:\Windows\SysWOW64\Gheodg32.exe

Filesize
323KB

MD5
94faa52f7356aca5141bf0ddc3dc9fd3

SHA1
22921c638b3f52fc3e091984255d5ec6356f7f6b

SHA256
28e8e96f95c2a0ce7515799504878442ab0560047ac298e0803e7a33a253b7fe

SHA512
50c05fda61c5378e07ce8fb2ce73650967bf4367d01a7696efb5942c1a45b3c1bd37146e6214add3498354ada065564d21f736d67eae5c9e9bb48c8ae88753a8

Download Submit
C:\Windows\SysWOW64\Hcipcnac.exe

Filesize
323KB

MD5
01d028032b8274504c9dffbc1e37c7a1

SHA1
29df0d9a9a48fe9502d1a297636d2c162402a742

SHA256
edf26a0f24a6b26a5143b14b9bffb53e18d182f633433c5e3b0865d385cdf2ee

SHA512
dd462b1ea5747d76d4860daffad60d50c42d48d015c5a7f16f77216b8455c3ac88427945a4700bbf5c0fe01f31cfda5a344f65aefb7227511b91a049237e6a95

Download Submit
C:\Windows\SysWOW64\Icmbcg32.exe

Filesize
323KB

MD5
04dd434bd3ec02b382e01d91734adcf2

SHA1
3239acbe5d14e03b9f8d7220b3faf9b9a8718c5a

SHA256
03d02d003835038550c4fd33a41f2fbffe06c6910d9125883c716e4b873985ed

SHA512
8bfa610c259fdc90ec2b39f6d95649e0179e7341161ff1cdad8d3528edb99f4e3a9added8fbacf1137b928b8703ff62563be5efe4803dbc66fa845426758d1a5

Download Submit
C:\Windows\SysWOW64\Iiokacgp.exe

Filesize
323KB

MD5
26d5e562491b43d1c3f06f8929033d86

SHA1
b9a82ac436da924bc7f9ffc00047100ed4348ba0

SHA256
527eb58475bc24bed907e43ad5f18fd83464e7ee607c24e7c4073ce6288493d1

SHA512
c9e20f93d299e513286e379617a3c8f9d93e526db2370bea88b8d5aaf9374b61475f53851f2f302d83662e2012407c365d7f0926ecb7334eee5b28241bfad884

Download Submit
C:\Windows\SysWOW64\Jcfejfag.exe

Filesize
323KB

MD5
af76834bcbf9e205426f260697baf084

SHA1
26a37f71b6ff67a6ad8719b4b44a656985951dd8

SHA256
26f00e4d1b3539ced942ca4674d02fe13d5750727e957cd756f150899ec7d4b1

SHA512
027ac08a20353dea2c37c213ba82a833109753679aeb7b42259fbe09ef4590ae56c3c6dc00a841f1c3d069881ecb7933a9c25ca0b5f58c88d3bf2f1cd1aeaf35

Download Submit
C:\Windows\SysWOW64\Jhjcbljf.exe

Filesize
323KB

MD5
bbdd9a068bb2910d8f3881af5445d4a0

SHA1
fb50073c5b6c060d7ff4237ac83db768461ce5d0

SHA256
f367aeb24b5bcab2d20a2aaba1e0c55df3439c162033381c975194c76f9f5d49

SHA512
0274aa15241e2c546e7fe9cb4c298b569154f1f568fa65c163a4015efd414f29f1f24edc49213fba8ec88c8072b092d671eac43b35fbc393832ced5a0f5015c4

Download Submit
C:\Windows\SysWOW64\Jjjggede.exe

Filesize
323KB

MD5
b117879185a60c467a932d5d4f99f9d9

SHA1
e2f607f2df7a1e7c503b5f7ce9d8246c659ac2c3

SHA256
5f39f6e80be4da79cf4a52a6e7027e0afc0a42d738e6593ef438ccc251e118d9

SHA512
3b845e1c7ac545b81d98e44fc6cb82eb3abf349b0ff25d2cdd543cab66e865453ba4f9b34663fee7ca69d99cfede367c5ee3337e69039bf8c76845b3119aa902

Download Submit
C:\Windows\SysWOW64\Kfggbope.exe

Filesize
323KB

MD5
4dd25d7262d4b4af21cc0f3b938422cd

SHA1
f5781270eb76e6e4b9cff885c9a14b71ae295c45

SHA256
928ec23c15cbbb31ef304c26255af0e9fd495bcbef36e2d4742e9d1d05211536

SHA512
feade55c9e1f03f5a76f08fa7a9c588d2c4f8d7681c35c1c41c9125684885033c09ceb056b185e84205d4b4975c02038b60792972cea6ed312f80b9d99d55048

Download Submit
C:\Windows\SysWOW64\Knfepldb.exe

Filesize
323KB

MD5
7f4f38789bf1d4a6b7c1865dd27d45c3

SHA1
f5003832cba6fd8cd36184c02a16289df9db95a3

SHA256
fd3ed07e6b808cb15efa6c5814e7c2dcdb445f3e0968307caf8be5a158064434

SHA512
81449c1332883697148783ec4a2978d1604c0d214ad535a668018b5aa7dc45fce01f9be0614002524dcc06e1b33d030e6f588c380f6fbcdcb66f64a8320a1703

Download Submit
C:\Windows\SysWOW64\Koiejemn.exe

Filesize
323KB

MD5
a3e5bbabf64a2977f90f82eb7c898084

SHA1
9f383a84c767cbd96643deaf6229a6bc287322f1

SHA256
de29cdf3583d45874be08084292a477279ee303f79cacb71c3358b09d53bb60a

SHA512
480c073374cdd19b9c660407f4ee03b2c8af79f46bc078a9a155da1a3abc74d1ff9b479813014367975f202df46a1c3912d3c4a48a3e931c17e98cfcc4508721

Download Submit
C:\Windows\SysWOW64\Kplijk32.exe

Filesize
323KB

MD5
ecbda578aaee0e76857e8583a9a938f7

SHA1
901c6a17418f1faeea81f706f6af4d7c0e6fe87d

SHA256
c75513a8c4f5fd6d462c77d70cb0a0fed4886fd68e6f7d4363be1787bc4a63c8

SHA512
a9caf3d3b2e6915ae98dc389f82a2c41f1d5f76eba11f586cbd6bdf1ee48d4879521c17c7131b08e72a255fb0b1b06a83bdce9edabde7583df9b20c52d6dc51c

Download Submit
C:\Windows\SysWOW64\Lhcjbfag.exe

Filesize
323KB

MD5
4e93dcf200538691b5d87c8b3dc02ce1

SHA1
c9b6b12222018cd19fc282a53140a432db7780e6

SHA256
4a5ac16430558dde11b11ace572edb4ee25c9b3a32ec9434e493946f9d36d3b1

SHA512
8a73f7ec78acbc64e0534436fa35a2e1fafbdb02de467a4cd9be31b907fa34325f68304ce834849b3621f7b4370ddfe3a958ef5d33ef4a5940312ac0e2a7b835

Download Submit
C:\Windows\SysWOW64\Llpofd32.exe

Filesize
323KB

MD5
e088d628315670eccba68d0ec2dce32d

SHA1
082ff871329def9417d1054aa57a44ddd8b9072d

SHA256
eebcbe647dcf7c9dc7ef5e1a39492e45fb70e1b999423b1b0968133a8aeb900f

SHA512
38ad04d2dd7f38e0eb3db6e137985fa63e11f4ba88a4c7b16b8588327a636ad8d06a257c91d46e45d7da7c6745eaec8134d7821d9b6f0a97ae511cbe696dbcbf

Download Submit
C:\Windows\SysWOW64\Mpchbhjl.exe

Filesize
323KB

MD5
211b788fdb510a1f931fd6c34a92c3ba

SHA1
14fc9bd8ef5d7221a4f1b23efbfea12d37af8eae

SHA256
0ebde115ea8b8b28561939f89598ff72192ad922d173b83e1fb565d40de32562

SHA512
217a3c6925ce8506d3bb665742815313d8fbc0e1e33cc710ccf6b23257bd39b295bd5143791fc42790c99329c8cee8daa965a0bfebe88a215298c01823ec208e

Download Submit
C:\Windows\SysWOW64\Njfafhjf.exe

Filesize
320KB

MD5
02768cfabfa61c9ce2b6720018784213

SHA1
bad95725a1b670cf487bafdb35f350fc70229cee

SHA256
95cecb457bd653c2bcefd6a4da45e1c27ec3f491efa57aedc454d12002744f1b

SHA512
17619f831c7619643f2d2aa4599c5f6fa4d8b72cdb165c44492704c57101159fd5c4a66ed525bce13866c7aadf2d408db0b21f5209650f1e481ce2e45b7a8ea0

Download Submit
C:\Windows\SysWOW64\Oamgcm32.exe

Filesize
323KB

MD5
6dac84b6ed19e967efa901c11285b76d

SHA1
3d99094831195716f56be13c903167b14066d3f8

SHA256
d6a198d04778c1a17c78982d97a2e3f6b28531a0ce8ed600a5dd57942aa46899

SHA512
99b4a10d6d8426325bce56b4bc26e23f048d8f7d4e01dbdb684871954a809cabe2dc916668f9249d4b079ae004e6bfc1bb66db6ae607fb77210e3ed3aaeb55d3

Download Submit
C:\Windows\SysWOW64\Pbokab32.exe

Filesize
323KB

MD5
95e440fbaed69a449c98447e4c56140e

SHA1
85fbb48db77fbbcb336ad74a49b01da6420d10ff

SHA256
22f557d9fad939a6b58f86988d91a91b3085994a255368d6bc4364b22b8849d7

SHA512
71f0bf1d618ee183eb0371753f3fa675c122c411315ccd54de8f1f0151fa3401e2cdf4f86edb76743b9c2022f106c7b6b467581d6762c9e38a0f034ab0f943bc

Download Submit
C:\Windows\SysWOW64\Pdchakoo.exe

Filesize
323KB

MD5
7acf595ac0967b5c65e340ccbe91a012

SHA1
ec1bc87b68218f51c388f0c53ba85b06fdccaab1

SHA256
fe93d198b1ac88f61cdc752c862a2f40f67488694499e12340d4e41252b3768e

SHA512
ef9e13c97211c88c533db0dd8b5748b3ada0330223c2f3139e26a0c0e5755389dd3675be4621159b0842711ecaac1584fceab8d7d2491b190773f76b65f1da07

Download Submit
C:\Windows\SysWOW64\Qlpcpffl.exe

Filesize
323KB

MD5
3b399620566c3b5185f6380557226c14

SHA1
8a171aa980eaad704ac42ac61c53011f155d6bbc

SHA256
f87199bcb7db8d7371f780e5d0478fe55a031d9084eee625a1727413f768b90a

SHA512
848a28eb0850cda3c1e33d5474a3c746bdf6f669895378f96b90701404f19f44f37052f81a747870be0a68e59ce0c3d45e0e19d0ab66b65f677dc071b88a11bc

Download Submit
memory/696-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-654-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-662-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads