6ea36e66cd66870746d2f2c5680ff64826829b509f3c01d0ac4b210c402e9936

Analysis

max time kernel
171s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ea36e66cd66870746d2f2c5680ff64826829b509f3c01d0ac4b210c402e9936.exe
Size

407KB
MD5

d7fd9108ae606afb16e7ca88405d955e
SHA1

72f4222ae633a57900c309ae33552fcceec17aa3
SHA256

6ea36e66cd66870746d2f2c5680ff64826829b509f3c01d0ac4b210c402e9936
SHA512

8f9a8f40eb8ad07b389a252ec0fc8a9fba719fa94a90746910227ba9dc87362a3972aaa0a4eb1b64aece11695c0a9518a839c30a8d18840330570372af52afe7
SSDEEP

12288:QexVKIZO4pV6yYP4rbpV6yYPg058KpV6yYPS:QexVKMW4XWleKWS

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amoknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnicai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiggln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdgmio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cohdoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcjfpfnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedjbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehomph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6ea36e66cd66870746d2f2c5680ff64826829b509f3c01d0ac4b210c402e9936.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cejaobel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blbabnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkhfek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgokdomj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohkijc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eibfmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Madbagif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apkjddke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cikkga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cohdoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cipebqij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eahomk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohahkojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hifcqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nefdbekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgokdomj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amdiei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecjhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikijenab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iqfcmdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlkejgfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihknibbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnfcbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnjbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piceflpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oafacn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgkaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agfnhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cipebqij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnokeqll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljmmnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kchmljab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	6ea36e66cd66870746d2f2c5680ff64826829b509f3c01d0ac4b210c402e9936.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cicqja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkkdhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpljdjnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmdfknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbglgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcflch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boldcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcaefo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgghdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnpibh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohkijc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldiiio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Namegfql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bedpjdoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbllkohi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jondjmei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdbkcf32.exe

Executes dropped EXE 64 IoCs

pid	Process
1916	Madbagif.exe
3020	Mddkbbfg.exe
4328	Mojopk32.exe
3924	Mdghhb32.exe
3176	Nefdbekh.exe
4944	Namegfql.exe
4788	Nlcidopb.exe
3964	Ndnnianm.exe
4688	Nkhfek32.exe
5008	Nfnjbdep.exe
232	Ohcmpn32.exe
2560	Ochamg32.exe
3220	Ocknbglo.exe
1892	Pbbgicnd.exe
4756	Pfbmdabh.exe
4528	Piceflpi.exe
2504	Qihoak32.exe
3620	Abcppq32.exe
3368	Amkabind.exe
3420	Apkjddke.exe
4300	Amoknh32.exe
3076	Nemchn32.exe
1040	Odbpij32.exe
4068	Oafacn32.exe
4480	Okneldkf.exe
2340	Ohbfeh32.exe
688	Oakjnnap.exe
416	Oookgbpj.exe
3080	Ohgopgfj.exe
5064	Pdeffgff.exe
1872	Qhekaejj.exe
1036	Andqol32.exe
652	Abbiej32.exe
4560	Agobna32.exe
1824	Abdfkj32.exe
4712	Akmjdpac.exe
700	Bgkaip32.exe
4996	Beobcdoi.exe
2308	Bkhjpn32.exe
4468	Bfnnmg32.exe
3460	Bgokdomj.exe
4864	Bnicai32.exe
4332	Cbglgg32.exe
2452	Clpppmqn.exe
3280	Cicqja32.exe
5112	Cnpibh32.exe
3492	Cejaobel.exe
4436	Cldjkl32.exe
4544	Cfjnhe32.exe
1852	Cnebmgjj.exe
4680	Ohkijc32.exe
696	Hcflch32.exe
2196	Pkkdhe32.exe
4288	Agfnhf32.exe
2944	Glompi32.exe
5072	Mejijcea.exe
1556	Mkdagm32.exe
4588	Amdiei32.exe
1108	Fmdcamko.exe
3920	Ldiiio32.exe
2260	Abnnnjfh.exe
1940	Bbecnipp.exe
432	Bedpjdoc.exe
948	Blnhgn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dkedjbgg.exe	Ddklnh32.exe
File opened for modification	C:\Windows\SysWOW64\Hgghdp32.exe	Gmqgjl32.exe
File created	C:\Windows\SysWOW64\Pmejnpqp.dll	Piceflpi.exe
File created	C:\Windows\SysWOW64\Pfacfmlb.dll	Clldhljp.exe
File opened for modification	C:\Windows\SysWOW64\Ehomph32.exe	Djfckenm.exe
File created	C:\Windows\SysWOW64\Cibagpgg.exe	Cchikf32.exe
File opened for modification	C:\Windows\SysWOW64\Hcflch32.exe	Ohkijc32.exe
File created	C:\Windows\SysWOW64\Cchikf32.exe	Cipebqij.exe
File opened for modification	C:\Windows\SysWOW64\Eolpfo32.exe	Edgkif32.exe
File created	C:\Windows\SysWOW64\Bdifbc32.dll	Cibagpgg.exe
File created	C:\Windows\SysWOW64\Jmafbj32.dll	Dcaefo32.exe
File opened for modification	C:\Windows\SysWOW64\Djfckenm.exe	Capbaacl.exe
File created	C:\Windows\SysWOW64\Dfjood32.dll	Cnebmgjj.exe
File created	C:\Windows\SysWOW64\Lmlccq32.dll	Fmdcamko.exe
File opened for modification	C:\Windows\SysWOW64\Dhidcffq.exe	Dejhgkgm.exe
File created	C:\Windows\SysWOW64\Gjpmlp32.dll	Dcjfpfnh.exe
File opened for modification	C:\Windows\SysWOW64\Ddklnh32.exe	Qgopplkq.exe
File created	C:\Windows\SysWOW64\Aecloegl.dll	Dejhgkgm.exe
File opened for modification	C:\Windows\SysWOW64\Iqfcmdpj.exe	Ikijenab.exe
File created	C:\Windows\SysWOW64\Bkgokhco.dll	Oafacn32.exe
File created	C:\Windows\SysWOW64\Jicckpjk.dll	Ddbbngjb.exe
File created	C:\Windows\SysWOW64\Ecjhmm32.exe	Ehddpdlc.exe
File created	C:\Windows\SysWOW64\Ikijenab.exe	Ihknibbo.exe
File created	C:\Windows\SysWOW64\Mmcomooj.dll	Mlkejgfj.exe
File created	C:\Windows\SysWOW64\Pdeffgff.exe	Ohgopgfj.exe
File created	C:\Windows\SysWOW64\Gnjmmfin.dll	Eolpfo32.exe
File created	C:\Windows\SysWOW64\Knmicfnn.exe	Jbdliejl.exe
File opened for modification	C:\Windows\SysWOW64\Olphlcdb.exe	Mehcnlie.exe
File created	C:\Windows\SysWOW64\Nnmmnbnl.dll	Ochamg32.exe
File created	C:\Windows\SysWOW64\Odbpij32.exe	Nemchn32.exe
File opened for modification	C:\Windows\SysWOW64\Beobcdoi.exe	Bgkaip32.exe
File opened for modification	C:\Windows\SysWOW64\Piceflpi.exe	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Iaofbqgi.dll	Nemchn32.exe
File created	C:\Windows\SysWOW64\Bqboal32.dll	Ccfmef32.exe
File opened for modification	C:\Windows\SysWOW64\Edgkif32.exe	Eahomk32.exe
File created	C:\Windows\SysWOW64\Hpqkcc32.dll	Ohgopgfj.exe
File opened for modification	C:\Windows\SysWOW64\Mkdagm32.exe	Mejijcea.exe
File opened for modification	C:\Windows\SysWOW64\Behiec32.exe	Bbjmih32.exe
File created	C:\Windows\SysWOW64\Blbabnbk.exe	Behiec32.exe
File created	C:\Windows\SysWOW64\Qgopplkq.exe	Dcjfpfnh.exe
File created	C:\Windows\SysWOW64\Jbdliejl.exe	Jnfcbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ohahkojp.exe	Nnmdfknm.exe
File created	C:\Windows\SysWOW64\Oakjnnap.exe	Ohbfeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ikqqfm32.exe	Ihnkobpl.exe
File created	C:\Windows\SysWOW64\Okneldkf.exe	Oafacn32.exe
File created	C:\Windows\SysWOW64\Andqol32.exe	Qhekaejj.exe
File created	C:\Windows\SysWOW64\Bplmeg32.dll	Cbglgg32.exe
File created	C:\Windows\SysWOW64\Efqigigj.dll	Cldjkl32.exe
File created	C:\Windows\SysWOW64\Cdjmme32.dll	Dkedjbgg.exe
File created	C:\Windows\SysWOW64\Oahmla32.dll	Abcppq32.exe
File opened for modification	C:\Windows\SysWOW64\Edkddeag.exe	Ecjhmm32.exe
File created	C:\Windows\SysWOW64\Gdacoimi.dll	Ikijenab.exe
File created	C:\Windows\SysWOW64\Dehbljnp.dll	Ljmmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Namegfql.exe	Nefdbekh.exe
File opened for modification	C:\Windows\SysWOW64\Madbagif.exe	6ea36e66cd66870746d2f2c5680ff64826829b509f3c01d0ac4b210c402e9936.exe
File created	C:\Windows\SysWOW64\Amoknh32.exe	Apkjddke.exe
File created	C:\Windows\SysWOW64\Eflmeb32.dll	Cicqja32.exe
File created	C:\Windows\SysWOW64\Dafbhkhl.exe	Dkljka32.exe
File created	C:\Windows\SysWOW64\Pbbgicnd.exe	Ocknbglo.exe
File created	C:\Windows\SysWOW64\Poackh32.dll	Hnokeqll.exe
File opened for modification	C:\Windows\SysWOW64\Bdgmio32.exe	Nodijffl.exe
File opened for modification	C:\Windows\SysWOW64\Oookgbpj.exe	Oakjnnap.exe
File created	C:\Windows\SysWOW64\Ehomph32.exe	Djfckenm.exe
File created	C:\Windows\SysWOW64\Fagbqjjm.dll	Eibfmp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgnhmg32.dll"	Bkhjpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkcnnd32.dll"	Ggfombmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnocj32.dll"	Cohdoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdgmio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cimhlakl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lehiadfj.dll"	Olphlcdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicckpjk.dll"	Ddbbngjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iqfcmdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agfnhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oookgbpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbjk32.dll"	Cikkga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmlpkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hifcqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cikkga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnokeqll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djfckenm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moicqdae.dll"	Aficoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cldjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcflch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdeffgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfjnhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkidkeeb.dll"	Mejijcea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendcmjg.dll"	Qgopplkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkljka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apkjddke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oafacn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmlccq32.dll"	Fmdcamko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahenip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beobcdoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edkddeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Behiec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eddodfhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iqfcmdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djelqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkljka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkdllbn.dll"	Gdbkcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abbiej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjood32.dll"	Cnebmgjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkedjbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akggbkke.dll"	Hgghdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpqmcoei.dll"	Kkaimj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghgcbpfq.dll"	Hmlpkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifiamoa.dll"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nefdbekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloebh32.dll"	Pkkdhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mejijcea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejhgkgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cejaobel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mejijcea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkogmihf.dll"	Cipebqij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgokhco.dll"	Oafacn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abbiej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabbjl32.dll"	Mkdagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agobna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hgghdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Behiec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cchikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dcaefo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfacfmlb.dll"	Clldhljp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 1916	3228	6ea36e66cd66870746d2f2c5680ff64826829b509f3c01d0ac4b210c402e9936.exe	91
PID 3228 wrote to memory of 1916	3228	6ea36e66cd66870746d2f2c5680ff64826829b509f3c01d0ac4b210c402e9936.exe	91
PID 3228 wrote to memory of 1916	3228	6ea36e66cd66870746d2f2c5680ff64826829b509f3c01d0ac4b210c402e9936.exe	91
PID 1916 wrote to memory of 3020	1916	Madbagif.exe	92
PID 1916 wrote to memory of 3020	1916	Madbagif.exe	92
PID 1916 wrote to memory of 3020	1916	Madbagif.exe	92
PID 3020 wrote to memory of 4328	3020	Mddkbbfg.exe	93
PID 3020 wrote to memory of 4328	3020	Mddkbbfg.exe	93
PID 3020 wrote to memory of 4328	3020	Mddkbbfg.exe	93
PID 4328 wrote to memory of 3924	4328	Mojopk32.exe	94
PID 4328 wrote to memory of 3924	4328	Mojopk32.exe	94
PID 4328 wrote to memory of 3924	4328	Mojopk32.exe	94
PID 3924 wrote to memory of 3176	3924	Mdghhb32.exe	95
PID 3924 wrote to memory of 3176	3924	Mdghhb32.exe	95
PID 3924 wrote to memory of 3176	3924	Mdghhb32.exe	95
PID 3176 wrote to memory of 4944	3176	Nefdbekh.exe	96
PID 3176 wrote to memory of 4944	3176	Nefdbekh.exe	96
PID 3176 wrote to memory of 4944	3176	Nefdbekh.exe	96
PID 4944 wrote to memory of 4788	4944	Namegfql.exe	98
PID 4944 wrote to memory of 4788	4944	Namegfql.exe	98
PID 4944 wrote to memory of 4788	4944	Namegfql.exe	98
PID 4788 wrote to memory of 3964	4788	Nlcidopb.exe	99
PID 4788 wrote to memory of 3964	4788	Nlcidopb.exe	99
PID 4788 wrote to memory of 3964	4788	Nlcidopb.exe	99
PID 3964 wrote to memory of 4688	3964	Ndnnianm.exe	100
PID 3964 wrote to memory of 4688	3964	Ndnnianm.exe	100
PID 3964 wrote to memory of 4688	3964	Ndnnianm.exe	100
PID 4688 wrote to memory of 5008	4688	Nkhfek32.exe	101
PID 4688 wrote to memory of 5008	4688	Nkhfek32.exe	101
PID 4688 wrote to memory of 5008	4688	Nkhfek32.exe	101
PID 5008 wrote to memory of 232	5008	Nfnjbdep.exe	103
PID 5008 wrote to memory of 232	5008	Nfnjbdep.exe	103
PID 5008 wrote to memory of 232	5008	Nfnjbdep.exe	103
PID 232 wrote to memory of 2560	232	Ohcmpn32.exe	104
PID 232 wrote to memory of 2560	232	Ohcmpn32.exe	104
PID 232 wrote to memory of 2560	232	Ohcmpn32.exe	104
PID 2560 wrote to memory of 3220	2560	Ochamg32.exe	105
PID 2560 wrote to memory of 3220	2560	Ochamg32.exe	105
PID 2560 wrote to memory of 3220	2560	Ochamg32.exe	105
PID 3220 wrote to memory of 1892	3220	Ocknbglo.exe	106
PID 3220 wrote to memory of 1892	3220	Ocknbglo.exe	106
PID 3220 wrote to memory of 1892	3220	Ocknbglo.exe	106
PID 1892 wrote to memory of 4756	1892	Pbbgicnd.exe	107
PID 1892 wrote to memory of 4756	1892	Pbbgicnd.exe	107
PID 1892 wrote to memory of 4756	1892	Pbbgicnd.exe	107
PID 4756 wrote to memory of 4528	4756	Pfbmdabh.exe	108
PID 4756 wrote to memory of 4528	4756	Pfbmdabh.exe	108
PID 4756 wrote to memory of 4528	4756	Pfbmdabh.exe	108
PID 4528 wrote to memory of 2504	4528	Piceflpi.exe	109
PID 4528 wrote to memory of 2504	4528	Piceflpi.exe	109
PID 4528 wrote to memory of 2504	4528	Piceflpi.exe	109
PID 2504 wrote to memory of 3620	2504	Qihoak32.exe	110
PID 2504 wrote to memory of 3620	2504	Qihoak32.exe	110
PID 2504 wrote to memory of 3620	2504	Qihoak32.exe	110
PID 3620 wrote to memory of 3368	3620	Abcppq32.exe	111
PID 3620 wrote to memory of 3368	3620	Abcppq32.exe	111
PID 3620 wrote to memory of 3368	3620	Abcppq32.exe	111
PID 3368 wrote to memory of 3420	3368	Amkabind.exe	112
PID 3368 wrote to memory of 3420	3368	Amkabind.exe	112
PID 3368 wrote to memory of 3420	3368	Amkabind.exe	112
PID 3420 wrote to memory of 4300	3420	Apkjddke.exe	113
PID 3420 wrote to memory of 4300	3420	Apkjddke.exe	113
PID 3420 wrote to memory of 4300	3420	Apkjddke.exe	113
PID 4300 wrote to memory of 3076	4300	Amoknh32.exe	114

C:\Users\Admin\AppData\Local\Temp\6ea36e66cd66870746d2f2c5680ff64826829b509f3c01d0ac4b210c402e9936.exe
"C:\Users\Admin\AppData\Local\Temp\6ea36e66cd66870746d2f2c5680ff64826829b509f3c01d0ac4b210c402e9936.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\SysWOW64\Madbagif.exe
  C:\Windows\system32\Madbagif.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\Mddkbbfg.exe
    C:\Windows\system32\Mddkbbfg.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\Mojopk32.exe
      C:\Windows\system32\Mojopk32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3924
      - C:\Windows\SysWOW64\Nefdbekh.exe
        
        C:\Windows\system32\Nefdbekh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Amoknh32.exe
        
        C:\Windows\system32\Amoknh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Nemchn32.exe
        
        C:\Windows\system32\Nemchn32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Odbpij32.exe
        
        C:\Windows\system32\Odbpij32.exe
        24⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Oafacn32.exe
        
        C:\Windows\system32\Oafacn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Okneldkf.exe
        
        C:\Windows\system32\Okneldkf.exe
        26⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Ohbfeh32.exe
        
        C:\Windows\system32\Ohbfeh32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Oakjnnap.exe
        
        C:\Windows\system32\Oakjnnap.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Oookgbpj.exe
        
        C:\Windows\system32\Oookgbpj.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:416
        
        C:\Windows\SysWOW64\Ohgopgfj.exe
        
        C:\Windows\system32\Ohgopgfj.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Pdeffgff.exe
        
        C:\Windows\system32\Pdeffgff.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Qhekaejj.exe
        
        C:\Windows\system32\Qhekaejj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\Andqol32.exe
        
        C:\Windows\system32\Andqol32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Abbiej32.exe
        
        C:\Windows\system32\Abbiej32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Agobna32.exe
        
        C:\Windows\system32\Agobna32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Abdfkj32.exe
        
        C:\Windows\system32\Abdfkj32.exe
        36⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Akmjdpac.exe
        
        C:\Windows\system32\Akmjdpac.exe
        37⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Bgkaip32.exe
        
        C:\Windows\system32\Bgkaip32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Beobcdoi.exe
        
        C:\Windows\system32\Beobcdoi.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Bkhjpn32.exe
        
        C:\Windows\system32\Bkhjpn32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Bfnnmg32.exe
        
        C:\Windows\system32\Bfnnmg32.exe
        41⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Bgokdomj.exe
        
        C:\Windows\system32\Bgokdomj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Bnicai32.exe
        
        C:\Windows\system32\Bnicai32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Cbglgg32.exe
        
        C:\Windows\system32\Cbglgg32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Clpppmqn.exe
        
        C:\Windows\system32\Clpppmqn.exe
        45⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Cicqja32.exe
        
        C:\Windows\system32\Cicqja32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Cnpibh32.exe
        
        C:\Windows\system32\Cnpibh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Cejaobel.exe
        
        C:\Windows\system32\Cejaobel.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Cldjkl32.exe
        
        C:\Windows\system32\Cldjkl32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Cfjnhe32.exe
        
        C:\Windows\system32\Cfjnhe32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Cnebmgjj.exe
        
        C:\Windows\system32\Cnebmgjj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Ohkijc32.exe
        
        C:\Windows\system32\Ohkijc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Hcflch32.exe
        
        C:\Windows\system32\Hcflch32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Pkkdhe32.exe
        
        C:\Windows\system32\Pkkdhe32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Agfnhf32.exe
        
        C:\Windows\system32\Agfnhf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Glompi32.exe
        
        C:\Windows\system32\Glompi32.exe
        56⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Mejijcea.exe
        
        C:\Windows\system32\Mejijcea.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Mkdagm32.exe
        
        C:\Windows\system32\Mkdagm32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Amdiei32.exe
        
        C:\Windows\system32\Amdiei32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Fmdcamko.exe
        
        C:\Windows\system32\Fmdcamko.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Ldiiio32.exe
        
        C:\Windows\system32\Ldiiio32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Abnnnjfh.exe
        
        C:\Windows\system32\Abnnnjfh.exe
        62⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Bbecnipp.exe
        
        C:\Windows\system32\Bbecnipp.exe
        63⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\Bedpjdoc.exe
        
        C:\Windows\system32\Bedpjdoc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Blnhgn32.exe
        
        C:\Windows\system32\Blnhgn32.exe
        65⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\Boldcj32.exe
        
        C:\Windows\system32\Boldcj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3888
        
        C:\Windows\SysWOW64\Bbjmih32.exe
        
        C:\Windows\system32\Bbjmih32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Behiec32.exe
        
        C:\Windows\system32\Behiec32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Blbabnbk.exe
        
        C:\Windows\system32\Blbabnbk.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4688
        
        C:\Windows\SysWOW64\Cikkga32.exe
        
        C:\Windows\system32\Cikkga32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Cohdoh32.exe
        
        C:\Windows\system32\Cohdoh32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Cimhlakl.exe
        
        C:\Windows\system32\Cimhlakl.exe
        72⤵
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Clldhljp.exe
        
        C:\Windows\system32\Clldhljp.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Ccfmef32.exe
        
        C:\Windows\system32\Ccfmef32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Cipebqij.exe
        
        C:\Windows\system32\Cipebqij.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Cchikf32.exe
        
        C:\Windows\system32\Cchikf32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Cibagpgg.exe
        
        C:\Windows\system32\Cibagpgg.exe
        77⤵
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Cpljdjnd.exe
        
        C:\Windows\system32\Cpljdjnd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4996
        
        C:\Windows\SysWOW64\Dcjfpfnh.exe
        
        C:\Windows\system32\Dcjfpfnh.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:792
        
        C:\Windows\SysWOW64\Qgopplkq.exe
        
        C:\Windows\system32\Qgopplkq.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:352
        
        C:\Windows\SysWOW64\Ddklnh32.exe
        
        C:\Windows\system32\Ddklnh32.exe
        81⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Dkedjbgg.exe
        
        C:\Windows\system32\Dkedjbgg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Dbllkohi.exe
        
        C:\Windows\system32\Dbllkohi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4368
        
        C:\Windows\SysWOW64\Dejhgkgm.exe
        
        C:\Windows\system32\Dejhgkgm.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Dhidcffq.exe
        
        C:\Windows\system32\Dhidcffq.exe
        85⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\Dcaefo32.exe
        
        C:\Windows\system32\Dcaefo32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Ddbbngjb.exe
        
        C:\Windows\system32\Ddbbngjb.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Dkljka32.exe
        
        C:\Windows\system32\Dkljka32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Dafbhkhl.exe
        
        C:\Windows\system32\Dafbhkhl.exe
        89⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\Eddodfhp.exe
        
        C:\Windows\system32\Eddodfhp.exe
        90⤵
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Eahomk32.exe
        
        C:\Windows\system32\Eahomk32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\Edgkif32.exe
        
        C:\Windows\system32\Edgkif32.exe
        92⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Eolpfo32.exe
        
        C:\Windows\system32\Eolpfo32.exe
        93⤵
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Ehddpdlc.exe
        
        C:\Windows\system32\Ehddpdlc.exe
        94⤵
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\Ecjhmm32.exe
        
        C:\Windows\system32\Ecjhmm32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Edkddeag.exe
        
        C:\Windows\system32\Edkddeag.exe
        96⤵
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Qgllpf32.exe
        
        C:\Windows\system32\Qgllpf32.exe
        97⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\Hnokeqll.exe
        
        C:\Windows\system32\Hnokeqll.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Jfbkijdo.exe
        
        C:\Windows\system32\Jfbkijdo.exe
        99⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Nifcnpch.exe
        
        C:\Windows\system32\Nifcnpch.exe
        100⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\Capbaacl.exe
        
        C:\Windows\system32\Capbaacl.exe
        101⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Djfckenm.exe
        
        C:\Windows\system32\Djfckenm.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Ehomph32.exe
        
        C:\Windows\system32\Ehomph32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2444
        
        C:\Windows\SysWOW64\Eibfmp32.exe
        
        C:\Windows\system32\Eibfmp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\Ggfombmd.exe
        
        C:\Windows\system32\Ggfombmd.exe
        105⤵
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Gmqgjl32.exe
        
        C:\Windows\system32\Gmqgjl32.exe
        106⤵
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\Hgghdp32.exe
        
        C:\Windows\system32\Hgghdp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Ihknibbo.exe
        
        C:\Windows\system32\Ihknibbo.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\Ikijenab.exe
        
        C:\Windows\system32\Ikijenab.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Iqfcmdpj.exe
        
        C:\Windows\system32\Iqfcmdpj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Ihnkobpl.exe
        
        C:\Windows\system32\Ihnkobpl.exe
        111⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Ikqqfm32.exe
        
        C:\Windows\system32\Ikqqfm32.exe
        112⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\Jnfcbg32.exe
        
        C:\Windows\system32\Jnfcbg32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Jbdliejl.exe
        
        C:\Windows\system32\Jbdliejl.exe
        114⤵
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Knmicfnn.exe
        
        C:\Windows\system32\Knmicfnn.exe
        115⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Kkaimj32.exe
        
        C:\Windows\system32\Kkaimj32.exe
        116⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Kiggln32.exe
        
        C:\Windows\system32\Kiggln32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4340
        
        C:\Windows\SysWOW64\Ljmmnf32.exe
        
        C:\Windows\system32\Ljmmnf32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Mlkejgfj.exe
        
        C:\Windows\system32\Mlkejgfj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Mehcnlie.exe
        
        C:\Windows\system32\Mehcnlie.exe
        120⤵
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Olphlcdb.exe
        
        C:\Windows\system32\Olphlcdb.exe
        121⤵
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Ahenip32.exe
        
        C:\Windows\system32\Ahenip32.exe
        122⤵
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Djelqo32.exe
        
        C:\Windows\system32\Djelqo32.exe
        123⤵
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Hmlpkd32.exe
        
        C:\Windows\system32\Hmlpkd32.exe
        124⤵
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Hcmbnk32.exe
        
        C:\Windows\system32\Hcmbnk32.exe
        125⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Nnmdfknm.exe
        
        C:\Windows\system32\Nnmdfknm.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Ohahkojp.exe
        
        C:\Windows\system32\Ohahkojp.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4496
        
        C:\Windows\SysWOW64\Hifcqo32.exe
        
        C:\Windows\system32\Hifcqo32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Mgibil32.exe
        
        C:\Windows\system32\Mgibil32.exe
        129⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Bhkfdcbd.exe
        
        C:\Windows\system32\Bhkfdcbd.exe
        130⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Jondjmei.exe
        
        C:\Windows\system32\Jondjmei.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3368
        
        C:\Windows\SysWOW64\Kchmljab.exe
        
        C:\Windows\system32\Kchmljab.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3332
        
        C:\Windows\SysWOW64\Nodijffl.exe
        
        C:\Windows\system32\Nodijffl.exe
        133⤵
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Bdgmio32.exe
        
        C:\Windows\system32\Bdgmio32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Gdbkcf32.exe
        
        C:\Windows\system32\Gdbkcf32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Ldfokj32.exe
        
        C:\Windows\system32\Ldfokj32.exe
        136⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Aficoe32.exe
        
        C:\Windows\system32\Aficoe32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcppq32.exe

Filesize
407KB

MD5
d3fc88e33382fe26cd23ac3ff5a1f8e1

SHA1
57b6b34b03ffdcb46aeb35aeff88ae745129110f

SHA256
8527a3774805f704f05fdae53323f5efcc584c4c34b59eb8a4ae6583c91735e4

SHA512
4391274e93325cac98fedc490a0890679fd084b95cc098566df8811ee30a1b96c01f5efc9e5bd59259d03dc12f26635b01036b405efb14e84ee77dcab6f609e4

Download Submit
C:\Windows\SysWOW64\Akmjdpac.exe

Filesize
407KB

MD5
af84ea3d56561aef10f087b702ac43de

SHA1
266db810a14ba286e04ea11492be34f56feeb961

SHA256
0bab75384752d3242f24981a19493011e62acc7d2cd8de5ec9c319b53952e828

SHA512
d624710eb294f43821772ef42bfc479a0974829f002af8ce922fdba225596dae978fe64d869e8990ba90ee0943de5ae8ef79baf8c67bd30e8f3a42c8978f2d58

Download Submit
C:\Windows\SysWOW64\Amkabind.exe

Filesize
407KB

MD5
df3b828d94043f2d14035d71bd926297

SHA1
6896ebf49aefbec539aa1b404ff5099f30268d8c

SHA256
8df9cece86ad008f1e7cd79f11c36d2f09611e926886b2a3dfced57fa2569ed8

SHA512
39d2b447164d1fb17bc1ca54e9b4bbba2a3f09ccbf0e9959c5e706bea57e5800cd72caf69100a9eaf739232670b22fafc106f1550a54da5014855423da11809f

Download Submit
C:\Windows\SysWOW64\Amoknh32.exe

Filesize
407KB

MD5
74fe0bafb781c70d622e37680e9dc6a9

SHA1
341c0a517c20a71427218a3dc8f05adfbd5377f4

SHA256
5386b2c1fc950052a9c97725a14f3196ad7e932e9527d5e6be9f0c0507755af8

SHA512
c5b51b959e65e3417ed99f43205c9d4e3262390991c39bbed13d798e068bab234c1b0030fd93f545f904dd92fa0d2070fa7c1d03ae8e43851ff2d264daa95b4d

Download Submit
C:\Windows\SysWOW64\Andqol32.exe

Filesize
407KB

MD5
5881b4cd33490a60e67305096a4e4248

SHA1
742a4815340a27ea50286683697b922576d33875

SHA256
7a0396b601da7b673a4884b7f5c6ec426a949b34d4f120382677929b50c0a123

SHA512
8b7051daeccd372869df0962c2bd9d0651e4107c6fedb722aaf1c40e904b09c2bb0ebaeeea2b7d24fa330858db291bdf76e8aa7419317e5c2e726557dbfe5725

Download Submit
C:\Windows\SysWOW64\Apkjddke.exe

Filesize
407KB

MD5
67b3941bcc54a6b56ca4314c5161ff3d

SHA1
fec8d307227e85d0b2393d6a00636e335e1d4d9e

SHA256
f550ce50a3feabf04e4c5b6732b470874cbc953bef7b9555bc16a29c4dd6600f

SHA512
50dc9a27943c2ce4d671c94149805448cef9013f8719e122df1cc68c1b7c4ac2e495e8e7b27b0a670ac04f84fbb2f1a85a9689c15e8a079ae167953af4e193be

Download Submit
C:\Windows\SysWOW64\Blbabnbk.exe

Filesize
407KB

MD5
3f3b7fc3c5ac7b2806397e73977f7d24

SHA1
eaafa9eff783f70e6dcc2a891a847d2401ccd468

SHA256
1b36bd4017d4dbc16289c0113e93a428a3d80d3b4af8f76623cb60127b71568d

SHA512
30f61502a4e1f13a7705e3ae7452198b24d022da1c90ff53644a21b354d2c36173b1453f872a9c2f3bd1bf5428f58b7254678a03c1a554f920e52dc8f5ecc944

Download Submit
C:\Windows\SysWOW64\Cikkga32.exe

Filesize
192KB

MD5
89fb3a5fe7c118b8b2518e077be86d3f

SHA1
99496376784573c873590dfe05415348adc465ad

SHA256
2edddb13403f57746b0b0116bd1801697d5ca43dd5004904dd09dfc12f8fcdf2

SHA512
fba6087ec295197e489b0ca24c7600c0a4ddd7ee28b50811c889ba866e8896ae1859d009a593f3ccc401fe0bb42761e3a526bea5281a74ae1030a7aa604f889f

Download Submit
C:\Windows\SysWOW64\Cipebqij.exe

Filesize
407KB

MD5
9237a923f57e954d384c27a12830e27b

SHA1
948bb1f6ff1538b03ca03f93d0f8aef75d861e5a

SHA256
92727da47fd1bcec66617aa7319d605d9f17bbfa02fd8ea6ff7c90f0b3f08aea

SHA512
c22138ce7c84f58a0ec95e5f00fcca04d872abfc4de64591ca7dd6fc4f1b112b1f4a4734dacf3a4a290fac3f1878496423b50e7b4142d6f10a8500972cc01a66

Download Submit
C:\Windows\SysWOW64\Dcjfpfnh.exe

Filesize
407KB

MD5
bb6b79c45409d0ca54556bf4d3060fa5

SHA1
8259fce7c8614fcd2b8f407274f3dfd901620589

SHA256
79dd8a628410527e2892e1f07459a828f6c32e12f5362137140353df5ae42859

SHA512
eec3366902a5a9ce86962a64410d3f5849c59a599ab6738f3ee1fedec51102ad80d4db451ce1c682d7543dd74c039ce9c8dfba9abba7da3832866d2ab25fd2fe

Download Submit
C:\Windows\SysWOW64\Eibfmp32.exe

Filesize
407KB

MD5
f5f2badcd51eef89ebc3275581244bd2

SHA1
c0dc8e44c1926fae60c673ed5530d6f7e9838fb9

SHA256
0929bac2ed1636740e82d4f6ae10b98e1e180e4f7c572d2fd0edc0ee367796d6

SHA512
86873c282bc241cf279d62decc8ea9849f6ec0dcb8aac3b0c59f0f56852e460c6ed7652a76a5e7cd6791d64e8de283d8e72f28cbcf68a054cc6ae8814022a9ea

Download Submit
C:\Windows\SysWOW64\Eolpfo32.exe

Filesize
407KB

MD5
3f13f82511e17c8cc2ab36bc30773779

SHA1
25707ece8ed5e41e44594c952e66a0bc38187845

SHA256
cc52c5e02fb73d7e13c39f3373a505102f37aab67a03ed7bfd7ee70a0a5f4012

SHA512
21a6c60d6890e0f9e7e827f34cfc2d89278b8b7037ab4325b3b4eb9ef0c54f345e76201dd969f52a3279696d759f100d3c5dc781d59902caaf24415b78d97fe5

Download Submit
C:\Windows\SysWOW64\Gmqgjl32.exe

Filesize
407KB

MD5
22a30f36a4576b58318575f73b25f142

SHA1
ec1d82ee3cb991e17894ded9ba6ecef6b6c08361

SHA256
54e8993379ae5bfde0a607aa0b8b610d7d4ebb58cb85e7a5be76ad0a28aa05d8

SHA512
98687536e6a2aefa5bf69490abcb4593893484e48ead086fb25d5529b252c7300827ef41cd6d614413abd4c732abff08caddc48174ea630ab37ac7973723d27b

Download Submit
C:\Windows\SysWOW64\Hcmbnk32.exe

Filesize
384KB

MD5
f2f1fbc91b12600e34f352509ef9f6a0

SHA1
bbcec4471c0c489206bf52ccd115385296d9a2ca

SHA256
f5293aab8e7f31d3d00f73ed910881a668a2c8a3e280c1df80055bb899168a16

SHA512
e0a5e45b013bcb95ad8dca6f395eee9285560e6cff74f7dd6744e4e3c331f0cb5d5f0bd358d9e2c6dc5c6cfcd6edd97c143f1d2895a580b4dbe940b5c6ec2a27

Download Submit
C:\Windows\SysWOW64\Ihnkobpl.exe

Filesize
256KB

MD5
2e6a8437d28acd2c4c6f078be4bda874

SHA1
6de5307269cfb8bcd4e480555df1c3fbe22ad4f0

SHA256
4b1e3758f4b5a06bc8a3a356149767e8306e36f9f125461e667e576ad5b1699f

SHA512
620ca75764266b913e1936dd5970ddb46f6ce44c0261308339f9d1077b633441596fdcf41b1dc4cdde9a26a61aff59ea23c7e27001760fdbd3c69f6f107299f3

Download Submit
C:\Windows\SysWOW64\Kkaimj32.exe

Filesize
407KB

MD5
6410eea060f482a57a727d1c34749761

SHA1
ffd8a16ccecc99246df935fce980a8decbd8a03f

SHA256
0dcd92c4edb565eca895453a83fba4c6219815fc10703c2564eb7d50ec44b96b

SHA512
4e89fd35f9d2687bf1f6feb482fcd0692f305bb925cbe683106d448a7ee463459ea0fcba278e16070ea2d58d01d8c8615783e730818d8b48b316ce40bac3b2cf

Download Submit
C:\Windows\SysWOW64\Madbagif.exe

Filesize
407KB

MD5
8cfff8b5d180b3f6168fb79a2007370f

SHA1
ee6c289a046e1d78a6e8ba01400d50bbb6ce5020

SHA256
9f0a7d234095ce8525f7ceff006040fb477c920cd84dc24779c87580f71f81a1

SHA512
5bc3b0fe6b4d65cf3d87c45ad42ef47ca5c4a4957da5b4e0cc85112928bde63538107971672e6b79536481686b18fea9b402d81f33d834681aa7098671a956e4

Download Submit
C:\Windows\SysWOW64\Mddkbbfg.exe

Filesize
407KB

MD5
b596a63fde4eff2adf0e5b77a0a8c947

SHA1
0a1e9b8a222fd64b0857bd20fb4bb12967005677

SHA256
a5ec0fc9e5f08d90ab82a8dfbc0c0426fecdd505407829eb0a689a19e26aaa5e

SHA512
f7edae8ef475bd1ff5113d400d4496f28b2b515d5cc83b4f724a4ab8bf73ed14be246a683c2d4bf95296df7ed2e0488bdf2d88e9c2310b59233df8c3259673c6

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
407KB

MD5
323d3f02607a13b2d4b679152943ef90

SHA1
2eb5423ca86d56414d22ad2033f4cc8d74bceaef

SHA256
bd3115f59da729a6d2fbfef1c03ec1f63fed0255e69c3d0ad118a31774ebb006

SHA512
e9ef7805f3035110460788c81c032e507f43a26c54500bd428cdf0ea9006baf2af4f3a5dd70648c49082a46e07e57698671ea39ae328bfb7a40a1229c9eb43e5

Download Submit
C:\Windows\SysWOW64\Mgibil32.exe

Filesize
384KB

MD5
d767a5f08c03a35cbb78093d4d07b027

SHA1
d438f4ff7425de8fdbee65d4939c0b821736ffdd

SHA256
ff1aad36ba46749bd82ca33a88cf9ad496671208e63479f649054ec8b774568c

SHA512
9cf0d435decfa5bcf5fa0045bb02a42668f685e0a7cb0082d6276aa3b995bebb458280aadcfb73c6beab0d4f1bac658fba82bdd31fd586bcfe5bf7871e5bd4b3

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
407KB

MD5
c55dd30c1a66eac695f42851944bda2d

SHA1
efbf02e6248653fb29e8acca565bc30f9cbc635a

SHA256
a0115ebe77106b5553fb2bc2f686b4d74989f63867551e2dcb9b9301091438d5

SHA512
1262b48d6e2754911280a39798e2999f4e2951e05ed03bf0326c1932625a9d591cd87fe2641811daa55b2afb9bcc696d7c3583423c80ba8de6fe571048adcc8f

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
407KB

MD5
5be004ddb961daf3685ef36282247bb0

SHA1
d016ac822a5b8ceb359cc4498c31a80b4c3d0458

SHA256
9600b72aef5d58bf2038722ded938715fce125dd658c5f79d7e26d1a88c1dca1

SHA512
9d25fbbb2a2d5d7cb0db7e2a60c7981399f88a55b0c7351fadb78decaf4541933128571a5e69d003870ffd7cdb56789d510bc6061b785a2a81939974e62f9926

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe

Filesize
407KB

MD5
8cbb14a4bce02035a7930bd131d8c271

SHA1
bf106f8405a0632181527bc8dc3a86b489398fb6

SHA256
321daa01ad66e08c77ea8cb6134fa5c9bb57ff32e09690f184408ec13e3f2efe

SHA512
cd54d42056f58855605334c2250697ea1b97820d3230be67ec17b64fc01a4df8e7b0553f99d3bcdd33f25b3406ec438c6429c6ad5e4f2ec13ff61ed8a7d88a52

Download Submit
C:\Windows\SysWOW64\Nefdbekh.exe

Filesize
407KB

MD5
53899eeccb653d01193425ab654338c5

SHA1
218e668ffa2154ca11e47f24b3ec4bc77d187dba

SHA256
e2f6da6dd26a94c8bf3895ff7b36dae167c37f07111eb95efa42d0c56f8b749f

SHA512
71c98854e60c7dff835cf803dea79758331baf8f8156465b063336e9000d8b40877d6d39a5d1bc665df82f0e1a97ebe8615c6a7e45cab88c514301c123fc3c83

Download Submit
C:\Windows\SysWOW64\Nemchn32.exe

Filesize
407KB

MD5
86acc037661d8552461d7dca0145e0b2

SHA1
2a5c15507bf0f39d212ca667aaef28b04b6a8e10

SHA256
7e979b2ba81febb5741b2cd31decc74e7434123c1fa700d73fca0690aaec44a1

SHA512
00d6fe76087dce091ea0d53fb3f68058de7f68f282a423721a4ca2741f9087c6d586c4a9550d45565c4d6a63eae2eddbe4d3a119750f56fdc48387820f442395

Download Submit
C:\Windows\SysWOW64\Nfnjbdep.exe

Filesize
407KB

MD5
50daaf28af0a8a2e0ecbf455d40145b4

SHA1
3bdade7751645e9a4f2c80dcb68fd7b5267cb06a

SHA256
c8b44e3858a1c85166b1017ea1bae608a54d8d018283b1e8cc72653b06fbae5a

SHA512
106f4eb093f8df19fdde8fd6638b818b8f8b26e093ca3ab760c923f2cf611334c46ea014d80228afff5f52ec6ebce0470b7bd485130cebc0b0a970e47d53c743

Download Submit
C:\Windows\SysWOW64\Nkhfek32.exe

Filesize
407KB

MD5
39bb41054c727bef816ecd5b73ae5a97

SHA1
c92c1b468e02c1cb27b31aa61369e03e29e02bf0

SHA256
64f270a028007e4fb99bca88b1c79fcf73f599c242afc57bb56b8a2057cc44ac

SHA512
6ca318eeba515438afc57aae9ad5af04cb4cdc7479bf47f70687b3d2b46b86eaf84ff8bfce0835e940500eb83cc4ee9c27cbbd32464c9433b87b68bab947b4dc

Download Submit
C:\Windows\SysWOW64\Nlcidopb.exe

Filesize
407KB

MD5
2255dd8c0294e322c6caef213933128d

SHA1
a07c55079e0db0f2380d8c6a691a51cc994839d3

SHA256
8413e94b31b4b29e769364fd079b7248011070fa52d1818bf20b16c79132a3cf

SHA512
3fedc5d5dc1200fbd3ca49a68c6cfca01f2f05482c48f7324510c5190f969bc1ccb542c7f193decef73392459bb82c807a601df152c4fc87599e148acb0a08db

Download Submit
C:\Windows\SysWOW64\Oafacn32.exe

Filesize
407KB

MD5
2b6d72ec8b7b67c65982528dd7e85e6f

SHA1
256874677cf406d06fbb5fc5447cd10fd9146d4d

SHA256
a1ef865980fa6f6f7b9d92fcd32e91c4e03aac635210b7a169ef43f968046fde

SHA512
c4f6ee143360142924646897d211a0012af99d9f8ceaed7cb770c3836b03884451964e459b182557c9794e49f9c318d6f82bf1e3e4f796b6e4f56a100f4aed1d

Download Submit
C:\Windows\SysWOW64\Oakjnnap.exe

Filesize
192KB

MD5
8a8a0529c8a1ea1b1c0eedd20cca720c

SHA1
5b10591eaee89968627db4cb78197cb1a448528a

SHA256
05a89a8f3244bf83681a5bdde9dd9465590718f7bfa2e66d339d360d09fd4aa2

SHA512
23d79e094a0cc81f3445f934b26938f2aef61e893db1317a9cba52aa3546ef066b90b75676473dd09f0a63bf7f3463d76aad421db08cf1db1f94cfc7f68dd9f0

Download Submit
C:\Windows\SysWOW64\Oakjnnap.exe

Filesize
407KB

MD5
870e79015d4e67ea1e9baceb538c420d

SHA1
0dd9509fa04f7f5dd8cdb87cb907e570f520a0fd

SHA256
2b1d831cc89a7541a41ca0f7ebf571ef5b664edf597718c4a82c951eaaa2a706

SHA512
705bb6e56c18d122513a738b0d3d7cc3665354599881dad0ea0e6a454dfb52499805953c438d5eaaeccfec43215952fba1bf4ce490f6990ca88c9e46d9ebc17b

Download Submit
C:\Windows\SysWOW64\Ochamg32.exe

Filesize
407KB

MD5
af5ae27172ba7f2d4116a24a2bd10b2b

SHA1
1115d89371ce484bcff1858bc4d5aa502ea3b880

SHA256
bd3bfbefb343535dde2d64454991dbb9b715e253df234c10036781bc9736f7e5

SHA512
f344b111fd118744fe246e63d3e586ae8127f45a007392ce6880ac4283252cf7ba103126180b55f492539fcd164bfbc1e3d72b8a92d519871807f77b7c76f8a4

Download Submit
C:\Windows\SysWOW64\Ocknbglo.exe

Filesize
407KB

MD5
3d2c41b8047f69af047d91335ff9fb92

SHA1
4c5f519274da7fa05d07cb09ae354179612a636d

SHA256
19549feeeb1bb25459bc6931efafd7d898ae0dd7e8a57156e86b9be8044287f0

SHA512
208921373db7666c57020a937aca946624b2a90272360484b889d96bd78e0be8af69a619eb2976db77892ea48406eebe21f4bcbe844145308972f75452c6ac3a

Download Submit
C:\Windows\SysWOW64\Odbpij32.exe

Filesize
407KB

MD5
f59ca8e8fa32a67527e331578df14319

SHA1
8b161046744df66a1d3c9dad38c8847cc25ca364

SHA256
213356160433e201176071b7e4e89003d8137cd77af90efcccb142160d4e1c66

SHA512
9628d49420c1d5f0899a69f87e86a594cdef1d82ffcc5948b980dfb3663aea51e62e73cb249ed993a1dcfaff640e69a5f928e64d73c849ebd2327bca21e13054

Download Submit
C:\Windows\SysWOW64\Ohbfeh32.exe

Filesize
407KB

MD5
57843973b0e53c77cb2aef15917f16f5

SHA1
c531c87485e55287b9949595b62fc191fc9a8748

SHA256
41816c8c5d0bf84983618f2ecc2342bb6ba50bd8173ec91222ec18b0a2474a7d

SHA512
221216e801dca2a4f87bc33ba919c3575df3122a07b8ec080243ddbeb95800c6f7102343e2a0ed08fd472d3e3347b80a4d0c2eb4e6323b18bb9e6f36882fdff3

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
407KB

MD5
5a349621c67c87c004ca45b21e6af0a0

SHA1
98db113b9ace99bf331d14dbbf0e1524ea39dc1c

SHA256
7128c714684934c235f35df63c20ea688316115cba1defb92914fa4572d5d5e7

SHA512
36b59c161a391ad0a4d87fca294e6be0f93080de390acf4de335bcab257fb521e8ec11cf87f7bfd36a458c165ed6933014cae87d031f79a861ce881db64b17aa

Download Submit
C:\Windows\SysWOW64\Ohgopgfj.exe

Filesize
407KB

MD5
56223bc6ce1d0598fafa602ebae12d21

SHA1
193933747fc8c95d0c34147317ce0ca9e6c2de5d

SHA256
e53f8baeb5c0607170ff394cf461e6c316be5e2165460dac072f3eb5ba431e2b

SHA512
59c78d330928611ff46fdcd0945389946907c92a817d29b5d2a50fc874273128a32ad23091bf51324828402b6a1383fa94ef3cf7d29eec911b5e2e7a9b2c6962

Download Submit
C:\Windows\SysWOW64\Oimlepla.dll

Filesize
7KB

MD5
db1bc47ae567d11ce1c25d5e1febdf48

SHA1
35c09c63c9583ecf1307f146dc0648e0caf3b78c

SHA256
264ecebd44d6e354af382bc97d1a6f86000a9aa2153a5ecfa2432f683a0d17c4

SHA512
dc6f1e8a49d0d045635755880ba80724f405ddc5089fdd37d5133adfde02f4824a2da96cde7cd871fc38d727e071e2cba69a787b78406040b87365cb64a842f3

Download Submit
C:\Windows\SysWOW64\Okneldkf.exe

Filesize
407KB

MD5
aee64b4076a9772fca913c17e9b3b183

SHA1
1582346dd8e9f6ff469e49ae30bf2398d120475d

SHA256
bcaa961a3167967648d53d056859976f2a0c525a504ffe5f622ecc3b9f32c6d8

SHA512
10594d616a8b998d1372549f9b7e4a135102710a0be2b23f7c9983d8d9e7129d8e88ca6cfd7e5414b7fa90c37fe53aa3ee40dd718a0186ecb0e006b4a90cce81

Download Submit
C:\Windows\SysWOW64\Oookgbpj.exe

Filesize
407KB

MD5
bbef08fdba36fcc217dfebcc852146b2

SHA1
143cdc1947bcf6a89f635de9a38510abb2bd1343

SHA256
190a1652c54359fa01d045f3ebc8273f4cb4a599152344a80a2cbf87a7b98a28

SHA512
0f7871594c5b743fc53a4d4b57928ccfc8cea78271b7286e93e4ca1f254e3264e67e8d84af602a2ba53dc62c2599a56596683512072f7437979c97db9298c2d2

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
407KB

MD5
3ce97ba868420911f4d84d014c8bcebe

SHA1
f9d55b915cd3a21097a737b1519e14937fec5b42

SHA256
5066ce273195d235102d1083eb747476793bc6867dc75ab64d882e09292f83a9

SHA512
3c50f952ec642b1e6e92255b6ab331fd48652c1c72532c66e41e30054a7e9ea1700e24c7f22449e247f9c3638dc698dc4c6e3e8b0cd08d70df931ee6a8c229d1

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
407KB

MD5
1b2cb4de4e5aef369e8fbe63762048f0

SHA1
80d93b144c8665cf36ec3f6ca3ed07e7dc2bc87f

SHA256
6a37ef12893d36765ce1ab3136fe3427a9b223220a66a9cab0db089831b0fe47

SHA512
add8fecfd3def445cc239a92a15135398a1ed90eb8fc029b297638fad4a851ae42e2bc3e1fdb03b28de9fa8f52d472cab7f49ceafd555a72b54d4e482f2a1f03

Download Submit
C:\Windows\SysWOW64\Pdeffgff.exe

Filesize
407KB

MD5
602ae1874fe569186a15725b6aee9887

SHA1
9111e69ea936ce5271c2932f18d78c391443614b

SHA256
b8851ef6686f43907324ae8fc2561e0256e2cdddcdaf94cd8745fb33df7e9eba

SHA512
371f488b4aa4de1ce7c35d6e1a5eff65a3de9160cd0ca903389859641cde12be5c8b45da7bd930e0cf449d1302ff99870a305b6c0f936383fed218f656d85810

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
407KB

MD5
539d2845460aa168fc8d4d1ca48f8b75

SHA1
e21fcbdb6e6875f9ea3b416dd2ed3398a2e48d8a

SHA256
fca90b8034923d9587da8ac38a8f2db6495e20d9aa170875e909a67df3a19df2

SHA512
0c136125189b6a2a136d1bb6dc40d9eed6962f4985a951004b6c3ee0402f441631e989ba7e78fad835e02446d525956ff760e662bd72e6ba8c5ab8298abc3754

Download Submit
C:\Windows\SysWOW64\Piceflpi.exe

Filesize
407KB

MD5
1bef5080b8902152116247b9a6bfba74

SHA1
47cbc9379c83a535dc1350a12731b18c7518aea3

SHA256
a9236a654c5b9012d3a9b374ec6c555056239f1ec46eff09e3bc2a95773682a7

SHA512
060069b22c29286a425de673f2761321e59c42dbe7343609778b29c857c29f868060059911b1f29c839e076becdeff2c07ae0b5d49c3c64aa31fae0b3120f442

Download Submit
C:\Windows\SysWOW64\Qgllpf32.exe

Filesize
407KB

MD5
9e8c977b3133f8b1592a99cdd2f69f9f

SHA1
c589ac97b25b46ddf72066250739255ac61fd23e

SHA256
4e63bc82907295cc40db60647b50933c8650e5b91e0fa268fc41da02afde0954

SHA512
ee8e338a611aff1340674fc5cb24d3f2e5b94b05372a5d4292ff8c31ec234ddc1a6c4175b5f01a9997ebb079700eb75032eb836698cbb475ef5e5aa4f3fbf23d

Download Submit
C:\Windows\SysWOW64\Qhekaejj.exe

Filesize
407KB

MD5
4f356941e1bd3f1d19ab9e50cf516085

SHA1
9443e5c491fe72e09904d49f15717cd5022305e7

SHA256
7865fd1c4e6201cbac1838480b1d4c4776002d13d554222d60d0943b96ec00a9

SHA512
e757d7d399c2e11275fb135a8368cb28dd36a724e8635f5d37cd697b30f89d2759ea0ed42601187c8461249579e739a3745f7419dfb17617e51342847fb00b67

Download Submit
C:\Windows\SysWOW64\Qihoak32.exe

Filesize
407KB

MD5
e0dab7370a11c6ba4d9198356c5e0668

SHA1
70d47b3bdfb28336b1f38972eb6d764f80311418

SHA256
251771ca3efd6832160c123fc5ec8978b442f4d3b38872aff58a7854f53bf9d0

SHA512
85fce8d649815a0e2e0c2550779bc9e49b6adb636bb667de9d94dbde9468797d18182de28959776b123eef2b01d4cf13051fe13f1aa3b4c65529b0486171c12e

Download Submit
memory/232-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/700-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/700-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads