65d4dc827d8b15b2b26f5cd5a32462e11d10272aba55eef29e779f409f55a14a

Analysis

max time kernel
156s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2024, 14:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e093c71c4600b6c3e681f0862c989e31.exe
Size

182KB
MD5

e093c71c4600b6c3e681f0862c989e31
SHA1

999004405e6becb2dab6329712bc20663edfd078
SHA256

65d4dc827d8b15b2b26f5cd5a32462e11d10272aba55eef29e779f409f55a14a
SHA512

5e0a24fcf61e131ebe4384506911d6d2616a632734433c083ca792c2b9f6b55bb24f3a4617ebbd09bb281b48fe6be289bf73bb84a660df3cf204185ae772576b
SSDEEP

1536:hW6PBjwxwIyV1sUzFagR2LTL7nguPw9uVgA53+RrKJs2zjFS3ldkBOLLaVqI240+:hW6PV6XH7nguPnVgA53+GpOc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oelolmnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doccpcja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khiofk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apggckbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeodhjmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noppeaed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcegclgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddjpd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnfmqng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnnccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lindkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oelolmnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npepkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbenoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njedbjej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmhhefi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edeeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khiofk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aefjii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cljobphg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeapcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pahilmoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chlflabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbhoeid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcalieg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmfbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnkfmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfjcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfjcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doccpcja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nabfjpak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlolpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbldphde.exe

Executes dropped EXE 64 IoCs

pid	Process
2280	Nlcalieg.exe
4800	Nabfjpak.exe
2276	Njmhhefi.exe
388	Njpdnedf.exe
2068	Oeheqm32.exe
3940	Oejbfmpg.exe
1724	Oelolmnd.exe
4996	Olicnfco.exe
620	Pahilmoc.exe
3064	Plpjoe32.exe
3964	Phfjcf32.exe
1768	Pocpfphe.exe
2908	Qeodhjmo.exe
4564	Aafemk32.exe
2648	Anmfbl32.exe
3048	Aefjii32.exe
3676	Anaomkdb.exe
4576	Bnfihkqm.exe
3840	Bhnikc32.exe
656	Bohbhmfm.exe
2932	Bddjpd32.exe
4320	Cndeii32.exe
3844	Cleegp32.exe
4488	Chlflabp.exe
2564	Cljobphg.exe
5040	Dmohno32.exe
1376	Dbnmke32.exe
2060	Ddnfmqng.exe
3336	Ekkkoj32.exe
3416	Eokqkh32.exe
4500	Gehbjm32.exe
852	Gfodeohd.exe
5032	Ifmqfm32.exe
2436	Iomoenej.exe
4168	Jmbhoeid.exe
5068	Johnamkm.exe
4060	Jphkkpbp.exe
696	Jlolpq32.exe
1356	Kflide32.exe
3300	Kfnfjehl.exe
3612	Kgnbdh32.exe
988	Lmdnbn32.exe
4708	Mogcihaj.exe
4932	Npepkf32.exe
944	Oghghb32.exe
1904	Ocohmc32.exe
3208	Pplobcpp.exe
5020	Pffgom32.exe
5044	Pmpolgoi.exe
1948	Phfcipoo.exe
2864	Pmblagmf.exe
1756	Qaqegecm.exe
1520	Qdoacabq.exe
3524	Qodeajbg.exe
888	Aogbfi32.exe
4656	Afbgkl32.exe
1652	Apaadpng.exe
4336	Bkgeainn.exe
3156	Bkibgh32.exe
1272	Bogkmgba.exe
700	Bahdob32.exe
3248	Bdfpkm32.exe
3944	Cdkifmjq.exe
1112	Cncnob32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gfodeohd.exe	Gehbjm32.exe
File created	C:\Windows\SysWOW64\Johnamkm.exe	Jmbhoeid.exe
File created	C:\Windows\SysWOW64\Dbmdml32.dll	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Kemooo32.exe	Khiofk32.exe
File created	C:\Windows\SysWOW64\Ocdglf32.dll	Njmhhefi.exe
File created	C:\Windows\SysWOW64\Oeheqm32.exe	Njpdnedf.exe
File created	C:\Windows\SysWOW64\Jpnakk32.exe	Iehmmb32.exe
File created	C:\Windows\SysWOW64\Ipimhnjc.dll	Qmdblp32.exe
File created	C:\Windows\SysWOW64\Amoljp32.dll	Aafemk32.exe
File created	C:\Windows\SysWOW64\Dmohno32.exe	Cljobphg.exe
File created	C:\Windows\SysWOW64\Dbnmke32.exe	Dmohno32.exe
File created	C:\Windows\SysWOW64\Lindkm32.exe	Lpepbgbd.exe
File opened for modification	C:\Windows\SysWOW64\Nqaiecjd.exe	Nfldgk32.exe
File opened for modification	C:\Windows\SysWOW64\Afappe32.exe	Apggckbf.exe
File created	C:\Windows\SysWOW64\Oejbfmpg.exe	Oeheqm32.exe
File created	C:\Windows\SysWOW64\Mbnnhndk.dll	Pahilmoc.exe
File created	C:\Windows\SysWOW64\Aogbfi32.exe	Qodeajbg.exe
File opened for modification	C:\Windows\SysWOW64\Bdfpkm32.exe	Bahdob32.exe
File opened for modification	C:\Windows\SysWOW64\Edeeci32.exe	Doccpcja.exe
File opened for modification	C:\Windows\SysWOW64\Cpljehpo.exe	Binhnomg.exe
File created	C:\Windows\SysWOW64\Ckbncapd.exe	Cpljehpo.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Cncnob32.exe
File opened for modification	C:\Windows\SysWOW64\Cnjdpaki.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Mleggmck.dll	Lpepbgbd.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Pahilmoc.exe	Olicnfco.exe
File created	C:\Windows\SysWOW64\Aagdnn32.exe	Afappe32.exe
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Cncnob32.exe	Cdkifmjq.exe
File opened for modification	C:\Windows\SysWOW64\Modpib32.exe	Mfkkqmiq.exe
File created	C:\Windows\SysWOW64\Gipbmd32.dll	Nqaiecjd.exe
File opened for modification	C:\Windows\SysWOW64\Dmohno32.exe	Cljobphg.exe
File opened for modification	C:\Windows\SysWOW64\Npepkf32.exe	Mogcihaj.exe
File created	C:\Windows\SysWOW64\Eglfjicq.dll	Fqgedh32.exe
File opened for modification	C:\Windows\SysWOW64\Kpiqfima.exe	Kiphjo32.exe
File opened for modification	C:\Windows\SysWOW64\Nfnamjhk.exe	Nqaiecjd.exe
File opened for modification	C:\Windows\SysWOW64\Bbaclegm.exe	Bmdkcnie.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Cmgqpkip.exe
File opened for modification	C:\Windows\SysWOW64\Pplobcpp.exe	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Kplmliko.exe	Kakmna32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdai32.exe	Jeapcq32.exe
File created	C:\Windows\SysWOW64\Modpib32.exe	Mfkkqmiq.exe
File created	C:\Windows\SysWOW64\Ojemig32.exe	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Jdnoeb32.dll	Aabkbono.exe
File opened for modification	C:\Windows\SysWOW64\Aagdnn32.exe	Afappe32.exe
File opened for modification	C:\Windows\SysWOW64\Aefjii32.exe	Anmfbl32.exe
File created	C:\Windows\SysWOW64\Qfmfefni.exe	Qmdblp32.exe
File created	C:\Windows\SysWOW64\Hhdjkflc.dll	Afockelf.exe
File opened for modification	C:\Windows\SysWOW64\Njpdnedf.exe	Njmhhefi.exe
File opened for modification	C:\Windows\SysWOW64\Ocohmc32.exe	Oghghb32.exe
File opened for modification	C:\Windows\SysWOW64\Ihbponja.exe	Iahgad32.exe
File created	C:\Windows\SysWOW64\Igkilc32.dll	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Apnndj32.exe
File opened for modification	C:\Windows\SysWOW64\Cleegp32.exe	Cndeii32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbhoeid.exe	Iomoenej.exe
File created	C:\Windows\SysWOW64\Bkgeainn.exe	Apaadpng.exe
File opened for modification	C:\Windows\SysWOW64\Lcfidb32.exe	Lindkm32.exe
File created	C:\Windows\SysWOW64\Abhqefpg.exe	Aagdnn32.exe
File opened for modification	C:\Windows\SysWOW64\Iomoenej.exe	Ifmqfm32.exe
File opened for modification	C:\Windows\SysWOW64\Jpnakk32.exe	Iehmmb32.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Kiphjo32.exe	Jpgdai32.exe
File opened for modification	C:\Windows\SysWOW64\Bhnikc32.exe	Bnfihkqm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6728	6520	WerFault.exe	243

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pocpfphe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbqjjf.dll"	Dmohno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgnbdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndeii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagdgfkf.dll"	Hbldphde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aafemk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgoakc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pocpfphe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbhoeid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbqppqg.dll"	Jpgdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmqfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banjnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmohno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhal32.dll"	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e093c71c4600b6c3e681f0862c989e31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekkkoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjhab32.dll"	Jphkkpbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njpdnedf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boplohfa.dll"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emcnmpcj.dll"	Gehbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhmjl32.dll"	Pcegclgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcakafa.dll"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oondonie.dll"	Doccpcja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmefoohh.dll"	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfgko32.dll"	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojemig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cleegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bohbhmfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plpjoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnnccl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olicnfco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kidben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oejbfmpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcomn32.dll"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbdco32.dll"	Hbenoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjakdno.dll"	Kemooo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aogbfi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 2280	3916	e093c71c4600b6c3e681f0862c989e31.exe	93
PID 3916 wrote to memory of 2280	3916	e093c71c4600b6c3e681f0862c989e31.exe	93
PID 3916 wrote to memory of 2280	3916	e093c71c4600b6c3e681f0862c989e31.exe	93
PID 2280 wrote to memory of 4800	2280	Nlcalieg.exe	94
PID 2280 wrote to memory of 4800	2280	Nlcalieg.exe	94
PID 2280 wrote to memory of 4800	2280	Nlcalieg.exe	94
PID 4800 wrote to memory of 2276	4800	Nabfjpak.exe	95
PID 4800 wrote to memory of 2276	4800	Nabfjpak.exe	95
PID 4800 wrote to memory of 2276	4800	Nabfjpak.exe	95
PID 2276 wrote to memory of 388	2276	Njmhhefi.exe	96
PID 2276 wrote to memory of 388	2276	Njmhhefi.exe	96
PID 2276 wrote to memory of 388	2276	Njmhhefi.exe	96
PID 388 wrote to memory of 2068	388	Njpdnedf.exe	97
PID 388 wrote to memory of 2068	388	Njpdnedf.exe	97
PID 388 wrote to memory of 2068	388	Njpdnedf.exe	97
PID 2068 wrote to memory of 3940	2068	Oeheqm32.exe	98
PID 2068 wrote to memory of 3940	2068	Oeheqm32.exe	98
PID 2068 wrote to memory of 3940	2068	Oeheqm32.exe	98
PID 3940 wrote to memory of 1724	3940	Oejbfmpg.exe	99
PID 3940 wrote to memory of 1724	3940	Oejbfmpg.exe	99
PID 3940 wrote to memory of 1724	3940	Oejbfmpg.exe	99
PID 1724 wrote to memory of 4996	1724	Oelolmnd.exe	100
PID 1724 wrote to memory of 4996	1724	Oelolmnd.exe	100
PID 1724 wrote to memory of 4996	1724	Oelolmnd.exe	100
PID 4996 wrote to memory of 620	4996	Olicnfco.exe	101
PID 4996 wrote to memory of 620	4996	Olicnfco.exe	101
PID 4996 wrote to memory of 620	4996	Olicnfco.exe	101
PID 620 wrote to memory of 3064	620	Pahilmoc.exe	102
PID 620 wrote to memory of 3064	620	Pahilmoc.exe	102
PID 620 wrote to memory of 3064	620	Pahilmoc.exe	102
PID 3064 wrote to memory of 3964	3064	Plpjoe32.exe	103
PID 3064 wrote to memory of 3964	3064	Plpjoe32.exe	103
PID 3064 wrote to memory of 3964	3064	Plpjoe32.exe	103
PID 3964 wrote to memory of 1768	3964	Phfjcf32.exe	104
PID 3964 wrote to memory of 1768	3964	Phfjcf32.exe	104
PID 3964 wrote to memory of 1768	3964	Phfjcf32.exe	104
PID 1768 wrote to memory of 2908	1768	Pocpfphe.exe	105
PID 1768 wrote to memory of 2908	1768	Pocpfphe.exe	105
PID 1768 wrote to memory of 2908	1768	Pocpfphe.exe	105
PID 2908 wrote to memory of 4564	2908	Qeodhjmo.exe	106
PID 2908 wrote to memory of 4564	2908	Qeodhjmo.exe	106
PID 2908 wrote to memory of 4564	2908	Qeodhjmo.exe	106
PID 4564 wrote to memory of 2648	4564	Aafemk32.exe	107
PID 4564 wrote to memory of 2648	4564	Aafemk32.exe	107
PID 4564 wrote to memory of 2648	4564	Aafemk32.exe	107
PID 2648 wrote to memory of 3048	2648	Anmfbl32.exe	108
PID 2648 wrote to memory of 3048	2648	Anmfbl32.exe	108
PID 2648 wrote to memory of 3048	2648	Anmfbl32.exe	108
PID 3048 wrote to memory of 3676	3048	Aefjii32.exe	109
PID 3048 wrote to memory of 3676	3048	Aefjii32.exe	109
PID 3048 wrote to memory of 3676	3048	Aefjii32.exe	109
PID 3676 wrote to memory of 4576	3676	Anaomkdb.exe	110
PID 3676 wrote to memory of 4576	3676	Anaomkdb.exe	110
PID 3676 wrote to memory of 4576	3676	Anaomkdb.exe	110
PID 4576 wrote to memory of 3840	4576	Bnfihkqm.exe	111
PID 4576 wrote to memory of 3840	4576	Bnfihkqm.exe	111
PID 4576 wrote to memory of 3840	4576	Bnfihkqm.exe	111
PID 3840 wrote to memory of 656	3840	Bhnikc32.exe	112
PID 3840 wrote to memory of 656	3840	Bhnikc32.exe	112
PID 3840 wrote to memory of 656	3840	Bhnikc32.exe	112
PID 656 wrote to memory of 2932	656	Bohbhmfm.exe	113
PID 656 wrote to memory of 2932	656	Bohbhmfm.exe	113
PID 656 wrote to memory of 2932	656	Bohbhmfm.exe	113
PID 2932 wrote to memory of 4320	2932	Bddjpd32.exe	114

C:\Users\Admin\AppData\Local\Temp\e093c71c4600b6c3e681f0862c989e31.exe
"C:\Users\Admin\AppData\Local\Temp\e093c71c4600b6c3e681f0862c989e31.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\SysWOW64\Nlcalieg.exe
  C:\Windows\system32\Nlcalieg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\Nabfjpak.exe
    C:\Windows\system32\Nabfjpak.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\SysWOW64\Njmhhefi.exe
      C:\Windows\system32\Njmhhefi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Windows\SysWOW64\Njpdnedf.exe
        
        C:\Windows\system32\Njpdnedf.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
      - C:\Windows\SysWOW64\Oeheqm32.exe
        
        C:\Windows\system32\Oeheqm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Oejbfmpg.exe
        
        C:\Windows\system32\Oejbfmpg.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Oelolmnd.exe
        
        C:\Windows\system32\Oelolmnd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Olicnfco.exe
        
        C:\Windows\system32\Olicnfco.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Pahilmoc.exe
        
        C:\Windows\system32\Pahilmoc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Phfjcf32.exe
        
        C:\Windows\system32\Phfjcf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Bnfihkqm.exe
        
        C:\Windows\system32\Bnfihkqm.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2564

C:\Windows\SysWOW64\Dmohno32.exe
C:\Windows\system32\Dmohno32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5040
- C:\Windows\SysWOW64\Dbnmke32.exe
  C:\Windows\system32\Dbnmke32.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- - C:\Windows\SysWOW64\Ddnfmqng.exe
    C:\Windows\system32\Ddnfmqng.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID:2060
  - - C:\Windows\SysWOW64\Ekkkoj32.exe
      C:\Windows\system32\Ekkkoj32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:3336
    - - C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        5⤵
        Executes dropped EXE
        
        PID:3416
      - C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        7⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        14⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        15⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        17⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:560
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        23⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        24⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        25⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        27⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        35⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:796
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        42⤵
        
        PID:856
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3684
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        45⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        46⤵
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        47⤵
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3544
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        49⤵
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        53⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        54⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        55⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        57⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        58⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        60⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        61⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        63⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        64⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        67⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        68⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        69⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        72⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        76⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        77⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        78⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        83⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        85⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        86⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        87⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        88⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        90⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        91⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        94⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        97⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        101⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        103⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        104⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        106⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        107⤵
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        108⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        110⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        111⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        114⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        115⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        116⤵
        Drops file in System32 directory
        
        PID:6260
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        118⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        122⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 400
        123⤵
        Program crash
        
        PID:6728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 6520 -ip 6520
1⤵
PID:6556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aafemk32.exe

Filesize
182KB

MD5
24a41f797d3d2907193b61d134d5c79a

SHA1
be30a9e25e02c0df3caaf78eabe76d487965221a

SHA256
90f202aae324e4cfc071e8d2dbd6fdb0b714651b6e2329ecbf78dd5d0fd9cca5

SHA512
6a0faa7c35219f64a7ceee2f68a95992eead33472bcc14c7b7e1930c756f8c3eb4ef5095d92e575cd44abda7c7838830a4336d5ba2b81f56d3efffd40a44027f

Download Submit
C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
182KB

MD5
49cf88611700e365076885d14489a125

SHA1
81848c88d883b9ae471672d2b8022e87b7fa3fa1

SHA256
07f20e61e1a23fd831acb7c231a5c398859ed09c4231db2b452145619bcbda84

SHA512
e892c4dd03daee3457b562b9b30e714d3897bc13687726ffba5370abdd6df6fe5ac4f8ac5a19519380bc7fa3b0f472ca5c110cf463f9f9a3683b987d29e46013

Download Submit
C:\Windows\SysWOW64\Aefjii32.exe

Filesize
182KB

MD5
75fe4a007db6e51963ed927a7f81995b

SHA1
131e809e84853f47ae228cc848d7658f5f671a60

SHA256
e8435bba3a3fd4dc3c01c0464fa2afa96a74d54c7a913164b438874d7bda192d

SHA512
62e17e8ace9a8725623739e54413f51b8e41519559b4df86bcfbda38f4c79c71ef2068fbc2a18ff29a25203eb4a7a812391dea2e5180b67dc278826696bf27df

Download Submit
C:\Windows\SysWOW64\Anaomkdb.exe

Filesize
182KB

MD5
fe3af53c9a6a7f570f5dd8a03749e52c

SHA1
5973d784d27165c4a2e32e80dec87039e674d906

SHA256
883e4b03228ca0fe1399f36677f38b105273af28d70b1728912c3bddf4fb3e97

SHA512
7600bcc5c3bc5ecc29884df0bc1f8726003d63f938b1e103164229b60f9ff1c31b34e78ed106e83b270c90a82c488d7ed1f334c04cda5f0bb599fd0c6984e27d

Download Submit
C:\Windows\SysWOW64\Anmfbl32.exe

Filesize
182KB

MD5
8e0d6b5f639c44296fc2c2a586df7997

SHA1
19593ee2fa3b0fcd18d018aba11e16b11779f7fb

SHA256
1e6eaf36d43d3a83aefba7cc6785f5e3b5f42d30ffa9318599ce864a52338e4f

SHA512
627e01b2411b8c7ddaf2d89d1806930a316643ae0cbfe063ea57b74e6071c61593c66b7dabe1cfefe865f5b724a68fc2f828c9131232aefc1220dee586b1448b

Download Submit
C:\Windows\SysWOW64\Aogbfi32.exe

Filesize
182KB

MD5
f31eba9d4c681f9a10d137d2c046d19e

SHA1
091790b91535af464ab05c11b5c6522a156a0141

SHA256
1ca666fe9805853183b443cde9497dd70e38d4a8f293a3d04852bebd1ac279ee

SHA512
f9a58c63c7e1bb2058c333cdddcb57f0d25651cce4080333bbaa555fa3599da0a9bdad16775387ee2999b56ad5d8393441b48e6b390094796d807985b4de0ae2

Download Submit
C:\Windows\SysWOW64\Bddjpd32.exe

Filesize
182KB

MD5
0abb5acac7e6a3fad7d612089ab91b86

SHA1
e9dee169d6405cae96f26aba5b933744e6b6d166

SHA256
90b2f92bedc851a6ec01e61e4b40df263bfc3d76748a1310520a32f13bcd9855

SHA512
71d787fff80a9e79f1ccf7d80a8e26a605be17b8930333fc5330012e01ccdb5e6ee9feeaab00c2b3d2096126f29f5eba4b76d7a52beff00757969051dcb1d226

Download Submit
C:\Windows\SysWOW64\Bhnikc32.exe

Filesize
182KB

MD5
0b53df78c53f04877547274a660e749f

SHA1
bdbfe37af4459626a1c334f337b29dff3428ae05

SHA256
c289ca4f634337dd1a666fac338d1b858b986cfe6067cd6d28980b90c125056f

SHA512
609e50ee5bfd7d459fb459d9ce2004c274b47372ef9427e1312bd05ac1e745a82bb5c5eb367160ffea79aa671ccb7c4400d9c33c0c3cce6e2209ce58da59e8cc

Download Submit
C:\Windows\SysWOW64\Bkibgh32.exe

Filesize
182KB

MD5
4b50f39b4aa085100c7645312ee02287

SHA1
910dbf5168dd7ec92eb7ec0f51d24d62e7cf601b

SHA256
9829a1cdb28db960fcef340d9cbd307a08bed8af1ad98dc3d6b13d4dac478886

SHA512
4ec98f75cbbfbf54014792e3c7206460c5e9e568ba1d2e5336cf1448e7c4006ff08932b3559b11e43407e0ce121abecc4e63ab0d1cf84ae2660f86657c37a293

Download Submit
C:\Windows\SysWOW64\Bnfihkqm.exe

Filesize
182KB

MD5
ab14ba39b5f147f5ee6bba60a093205d

SHA1
b8ed8148ea390569007a1403a245b58cc95daae2

SHA256
09d10a1961c33b8f54a66a07ffc714e8f36aa80f828e74c0d20d2c4bfa2b73f0

SHA512
c54f8da684744f879fa7fc602470a1b4979c4203674cf73e1f9b30d4a9a2688a0b482edb8f47693f9a8e46a2237b9233c71d672aa06055d97e2a6f32e17fb3e8

Download Submit
C:\Windows\SysWOW64\Bohbhmfm.exe

Filesize
182KB

MD5
452838e2b5913dd93ec656b5ca05bc86

SHA1
c08fbf638a3bc8e7b6022d2a55e78d8752a5ed1f

SHA256
880106c3afdd76910bfe6a8e6cdb2bbb6d948265bbda1c7f823cb775341cb93d

SHA512
4507ced1f07bfd79447534a1799db96d34c58b1b9df326b8a3eefdc3eccc5a5e14347e5921dfa9a13fe01e31939d331aac3fbc97f905feac29ce1b73e15e70e0

Download Submit
C:\Windows\SysWOW64\Chlflabp.exe

Filesize
182KB

MD5
73071dfbddcbe5b16ebc3ea51536b4cb

SHA1
2aad069b5b8c19f1477f18f0a82f424ffa4a4899

SHA256
64dba7110cb9696cea4bb9c0449de043b9fe2426ea36774cfeaa145ebdd6630f

SHA512
b6e5b58cd660a2db0126282913e6bc990e72651a5246e989acbea46610b1cde06bfab48ee7f1c093488625fbbb6530b0171ae780a5594d3f6a368412e99edcf6

Download Submit
C:\Windows\SysWOW64\Cleegp32.exe

Filesize
182KB

MD5
a1f7e18a9b91f1a8b9cca64903df693f

SHA1
deab6a32cc49601ddf84a3ee4c7e632c418e0760

SHA256
39da4fa3b77672022f7e7d497461470b8f861228a3758600900067cbae1c58d0

SHA512
f0a698e01743b18274d94b5eb7c4a040b995b10592969e317ab63959e455485ae5ea08e78a8e632bf2a1c35381cf7a1ee2bbdf2eb35a965e20ce0fa11cd20321

Download Submit
C:\Windows\SysWOW64\Cljobphg.exe

Filesize
182KB

MD5
0f31b6b783775aea278649bfb89e42d8

SHA1
d254bbd09e8a27031fc9e740735206642926d533

SHA256
d7d5e404642baf6b6fe6b270dc0d04efe1c78d4e2afab8ae6a3f45854fe8fe91

SHA512
8bc407b2c86148795379db6ed9220cc384687e45bfb89887a4079cadf5b272fd8c7458303168c06840b655eebf03c1980a03eb8490da1a29f59cb31864da9f76

Download Submit
C:\Windows\SysWOW64\Cndeii32.exe

Filesize
182KB

MD5
900b2c219668c6e187a6976a1a698086

SHA1
c4b242fc0566c5b982c37746a5157cecaaef8fcc

SHA256
63cd5020c8d675c55ac8acb3826089afad303596393764d1436fc9dbd30a22b5

SHA512
8b8440d105d5e0f49048ecc2b1851af84282ecdfdf9d177d8b65141ae618e129f3cafac8a33b34e7f3dcc086e11930605ff45ddedf5b13b710e30e1a7f312a41

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
182KB

MD5
4b53aed3e05751c1af2ca8643e5fe726

SHA1
d0b64f98e16ffd817ff04d8508e5ddf94e0de6c0

SHA256
bb6c04e21e281e293e43b4e48600e7c850531f299f79921535d54d6b0eccdbcd

SHA512
c3fb38e91520306993b301dbf42e76f3a3f15b314f0701f3a0ceb7ba0edeeadef4fffd90b7aafeeac94546298ecb7a223ed31796a2d1089ea2b70a07b6271bfb

Download Submit
C:\Windows\SysWOW64\Ddnfmqng.exe

Filesize
182KB

MD5
c2206098001d74dafdda7f9de0cf060c

SHA1
f552e270fdcd4a39e14b45ba5065ad9f07f72a15

SHA256
67e096a7195d0cfd4541f66fe4c856ac4d11d48ffb3fb1de014bf2c3ade18d6d

SHA512
be1e7b522ca04eb9e4a2fc86fd549f1479c31d5292fb94165def53e6cec728b7dab3548523110a748896fb0fc309e8e6309565375483b2f648ec96d56bc0a6eb

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
182KB

MD5
188505f73798ecc988d63a869c4d344f

SHA1
a669ac3dde59d2d7c2768cb2c80b0c995d3b997b

SHA256
eb6e85a54790edfd4a211c4e86c2a447d9a65949d26b42faf5be6584b79cc984

SHA512
2a491d7bdf14f45fc724f96d192f3beb421487cff9c34db9f9778341d0262d0da1be354df7bf217f967493ad10a8655f0816188e380b87044a06495ae6ccc1f7

Download Submit
C:\Windows\SysWOW64\Dmohno32.exe

Filesize
182KB

MD5
d69e372955f4d17ff42056baf41335e1

SHA1
01f5df637d154106702c065d7a11509b0e8d9c72

SHA256
2154c79ce0ff2162670a489056fea99f151a8d52c346dc6c01ee8a61b7812633

SHA512
f314229f4a6da7af620c34f9b6c14a1cbcbba7eac2aae678a34271c8bd357af44f93e63232a6d188f2014d1c774663c901845fd13705dd61c17281e418b3323b

Download Submit
C:\Windows\SysWOW64\Ekkkoj32.exe

Filesize
182KB

MD5
64c08869099c92aa2e5d726b8fe1a4c5

SHA1
a70c02fcdf67424e3ef1a9382912dceae5ee83fe

SHA256
7399e2ea141a43138054d42725088248c891e8a0dbba5446ce70b5393f4928cc

SHA512
5ae159205cbddc43a01eb9720c7c31e9046f75434e573aad6207c2368ae3e641714de37ce76161820e9af5a61337db00922538ae9c1e8e2671d7afd8f749092f

Download Submit
C:\Windows\SysWOW64\Eokqkh32.exe

Filesize
182KB

MD5
277964e040e1a48a14d11d0ae83a696b

SHA1
483c03f0d92707e5a33c4c8c7004040f4fd46e68

SHA256
ed2828a32b16c7e8e35ca89a9f577e3ed2492c318c01489132efab5688e423e5

SHA512
24825b60d72257f02ea6fd99bde07f7316b7232c5c0e46fd478b23f6994f64f26e9d153726e65d2cb05b5cabf9a8d3d9acc32b711ed70dcb557e011eee23c64c

Download Submit
C:\Windows\SysWOW64\Gehbjm32.exe

Filesize
182KB

MD5
3d4521e9581255e0125001ae6d4e3e32

SHA1
8c558bbbd78a6f8ce1588fe4a2b032bec8734138

SHA256
c0aaecfe259de5f7ff0d21ca789647193d9b9fecb91ff1f4b8373c91e3c7c41c

SHA512
17e4f95edbd484085efd50d2b347d7b85a1274450e779af809725e573e44c06a0748be18edbdae3d35708d2eaa517436c2745dd8168bed3023af622dbf0f4e82

Download Submit
C:\Windows\SysWOW64\Gfodeohd.exe

Filesize
182KB

MD5
79661ec4778e484937c71ae65beb72ec

SHA1
58c555bfac8d147d924d64ad8bcf24a0d672c70b

SHA256
bd80792b23b5ad0efd2b80c3f1881d3aa5497ce0d2411c4ee6c57d7889581e95

SHA512
b405d7642ef44566ec715dd4f4a67c2c69e99d2f27c495d5fd42805718175c1ebd565bf9fcacd2b589bc0dd1fcb79af7c0a55725247c37798bb14bfde53624d6

Download Submit
C:\Windows\SysWOW64\Hbenoi32.exe

Filesize
182KB

MD5
ca5f2674a1e4f9307858634811b65ef6

SHA1
1cef8c5608cb84c41b43fd035a02c50095817d95

SHA256
c6364566c710c20ad39e69fd9e0925f8198cb656c679cb83903b8530286fa480

SHA512
79ad3bab52863991a2639810584a6e01e8255ac7334a35aafaf9890c9842bd9756ea287fe5a0f023178d064c1ac36e124fc8181b35a5bfbcfea0dbcc232e41fb

Download Submit
C:\Windows\SysWOW64\Jpnakk32.exe

Filesize
182KB

MD5
3d6bfdce974d652e464c9c90ee46407c

SHA1
8c051e7c08d107898c687e5ccee778ffc5d0a69e

SHA256
9c85f1c6fc3f29af7d26e004da78ee7c68b581c22b87c1d8204d9c25bb5c065b

SHA512
ce07174468adaf4933e4a3c2cf6b013625e16ed69106288642fa6dc19456b1f6591c18b0c2d65698d6c86a3f9d9b54cffc8ac50a29b14d1ffcf43e680a6096f9

Download Submit
C:\Windows\SysWOW64\Kgnbdh32.exe

Filesize
182KB

MD5
bca7a9da3732fbdfbaeb485afe049135

SHA1
802a1b2d7b723b2669b34072720e19e852399663

SHA256
426c52d3e8fd7ca6914bb0d7f059375517cc5e2543f742fa46ec885d2043af95

SHA512
cf727a225578d20c45fa9c70e61f487929492491e7a74460dc5c27b61f5dc111c5b8c1ebc01cb43604b0ea62459441c6d68d1f584787b7632440f956d321f485

Download Submit
C:\Windows\SysWOW64\Nabfjpak.exe

Filesize
182KB

MD5
1bf453e5d3fc21fb2c5ffe7a2f7fbe36

SHA1
bf5edbc3248e04f83e67d2e8db503332f6da7006

SHA256
4af2b278a42498378887c348ca2cf9c1df54fd76b35d0839f9187c2262e2e4bd

SHA512
0b9d5a520a1b1a0b1c9eb986ad1a323c5b7edb1a5a0884daf4273bb228599be8b492a1f9f5a8ab7bbd5824be4f77ceb292f0901abbc54b2df97992e855de7706

Download Submit
C:\Windows\SysWOW64\Njmhhefi.exe

Filesize
182KB

MD5
390ebc9ccf009c096a01fb5f8950dc09

SHA1
28757328250e601f29c7b7843389939ea9bcd27f

SHA256
4ec5c171ae38753a35d59c6ff779fce6c29ca7fbf3493665d442e8ae2f09c5bb

SHA512
3f4756d5716007173c82eebbc09c1043c1291ebc2c8742b186bfe59baf50d465655d06d43b5e0f0d528eecb1bec14e0510ef45e1ae97623b10ae817943eadcb6

Download Submit
C:\Windows\SysWOW64\Njpdnedf.exe

Filesize
182KB

MD5
0aaaf28c2905991ada9eb320a59a1739

SHA1
0420cedcb5fe053054e382f44b2958bc9025297d

SHA256
5d6041d8037e626d060d075eaa3a0358830278de5661f03c381c4f1a4ee573aa

SHA512
451398f11e279eb4e599ca905103734162f571b7731e38a5c966d13d16057c20f1c31ec0f5fba068fd2ba798c881d7632f3aafd5ac4dd62e814cd7a8ba9dd5d3

Download Submit
C:\Windows\SysWOW64\Nlcalieg.exe

Filesize
182KB

MD5
8868d91472f469eaeddceb8f50a98368

SHA1
498552fad232ac7b3857747f4dfae14312dbf97f

SHA256
94899b33c84d59d93f50bf7c5a64282e8fd17fc3848e657d5371fa039fb08e1d

SHA512
af9f1b5c9bb41af7bf63325b7951060811a2823180764ddb8c5453409f72accf6bb78d2e8ef39165c7727f942cfeded7c082c605f32d1da316fc97301c10c338

Download Submit
C:\Windows\SysWOW64\Oeheqm32.exe

Filesize
182KB

MD5
a898b997bce3460530d8d8ee2741bd45

SHA1
bf5e8a7a3bcbc1b94dcd39decb19bf75bceb7473

SHA256
51b430dce2bb51772ab02519bc0101216c96cbdf24ee37cc92843c40c2a5811d

SHA512
9b4d845064209ac8bd52477568a84fcac4133b12c7ace75f225ec934277cfb92b03d463f50f85bc25700db05f87e6c35fe3c12b3e7acc26b6251bedf8f6a1601

Download Submit
C:\Windows\SysWOW64\Oejbfmpg.exe

Filesize
182KB

MD5
0f8fd2b7bf2f20eb0e6f830bc8ed457d

SHA1
7099f69e3504dcd0524bf4dc4f552e532392caef

SHA256
0b6558c0c4d6edb7d1c9b4f35640e64ea44b0c1c88e0b204bcf539b649f6d583

SHA512
e83bccc4e55f445826dc8bdf61878a97b8634a38f9d8c001d02cf21c413eeb88f8e603e7cffa93f6d7e5fbd5ccb79e7221acf10dd93b1d0ac5f6ab1cf36732fd

Download Submit
C:\Windows\SysWOW64\Oelolmnd.exe

Filesize
182KB

MD5
92b5827267d3c4e42dc969a76147c44e

SHA1
e91fece3bbe494ec0c2d360a4869bee6aca637e3

SHA256
a538d5af308380b9fc1be8a3deade3906f8ffe739bbb910c7b41d3fc653698ce

SHA512
0f2318ebdbab9e395af240ec5e6aa2039e40aa142d1f2552694ea7364d4314120992909ab6fc05088fc7b221bc73ef1c96b7ccbf1fb91eb22d08888093121c89

Download Submit
C:\Windows\SysWOW64\Olicnfco.exe

Filesize
182KB

MD5
33f9ee7d7ce80b4c932a6261eee89dfb

SHA1
2c0c0b30f7934e54cf2d8e12d2a1d4ccb9547ccd

SHA256
214c026cd8e93ea76c813e2d379baf5fdae3a08eea2cd00e8133c5d38f1c417a

SHA512
0a5304f8730a1ed373f805f4325ac12a94ec40e90373e35e95064faffaa53096a637f1c80d79a2449e418e98f7ae4ca0567d05d7ffab0252d8ddf391549fcee2

Download Submit
C:\Windows\SysWOW64\Pahilmoc.exe

Filesize
182KB

MD5
32875ec13522e0056feb9f34798c8e03

SHA1
1995895ee75c90d42f7e78cc71a470c9583e0580

SHA256
d033121d26e847bbd6ed64de513fdc02f651af5f387d27c071d3dea36ada9b35

SHA512
06305060824607d4e18ca8694aca47e5afda6a579de23f999844ba2af27b52dca1037c13fd1269a24d12cc7b9dde5a970acff4a030551febca655367d5eb0e02

Download Submit
C:\Windows\SysWOW64\Pblajhje.exe

Filesize
182KB

MD5
71eae9cd8c50262560375409c2532509

SHA1
5ac2a034c1563eb541e053a345448dec2311ef10

SHA256
9b7cf13a724df2266cfea3f1c8de3f5a7991993caf521420ffd898ddd99fd3f6

SHA512
739100a04a7b56c355356b6fb2c3656a429c81f9ef3576addd58132629719a64fa485e2b6500780f60f7f4247c5c24d92acaedd589b7f1a5551b1297bb573c13

Download Submit
C:\Windows\SysWOW64\Phfjcf32.exe

Filesize
182KB

MD5
d6c1422cd432ce62c8af3cb61a10f378

SHA1
6a2c90e9d1c4604cd722e5dce439a5b7a05be114

SHA256
84fa736c16153cdc353332fe4d4d0b54968d5824783746a335129710d96939b1

SHA512
ef0d360276b7c16a12942e7439d762cf3e38acaf5b23b2767a206b04d2f28655664a2bef46db5f27c63110c51e869afaf81902ddf82454aaf86c1074cd277162

Download Submit
C:\Windows\SysWOW64\Plpjoe32.exe

Filesize
182KB

MD5
c48efd269cdf8c6f5002e9b06d4070c3

SHA1
13547acf1328d427890b79b0de0eaf163463d999

SHA256
48f3c602ef3a953869ab6c4439c3d5d7084b1ce1709e3f64ed701dd65bcc226d

SHA512
05236b1a3aafa5e7165c7363c4bf34d7a2bd99d014b51d092eb9e914a53f908989bc859c995cf8f6feb59d3eb46c7a621ef8119ecd5eac8b718985537bf01eea

Download Submit
C:\Windows\SysWOW64\Pocpfphe.exe

Filesize
182KB

MD5
9fbdfe08ebff1bffd0198ca2a29f3b0b

SHA1
5e1f0428953d688ae62853a5f80c34ae26a96b6e

SHA256
c2979b03dc6bc6d0d509e446dcbb89dd80b52a8c4100168fc9053621c371c8ee

SHA512
2ce40b5fa5fd44b303311e273e7ce55702368d42e7b3c00f2b462961caf3d2babce4572ccfe7786ba4e34ceb01ca7d8fd1bb1c5939c93210cc85eca4605d0a7a

Download Submit
C:\Windows\SysWOW64\Qeodhjmo.exe

Filesize
182KB

MD5
c785927d384eb54a11a9fe40728c8f94

SHA1
28bd8f1a64903e89b7bfce3979a10b56ade0ca0b

SHA256
2e22cefdc64fb10a0410fd54e23e5d889b31e1af478de6d72682944fa6cece87

SHA512
87d512735a725a09917514cde1b01154e1c9098ca9f2d86c59e561b1332e30435e1b2d9c284784421084e750a867b506c414b098cc12851eb646323e79cd343a

Download Submit
memory/388-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads