3530dde799cea3ea1e1e88a1347a666989a930029f7d532ace1a8b6a6a92cd71

Analysis

max time kernel
146s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3530dde799cea3ea1e1e88a1347a666989a930029f7d532ace1a8b6a6a92cd71.exe
Size

64KB
MD5

750ca86a1cebb2bcf69fb7d29b44394f
SHA1

ee08f8f7f84dbed1db623c04a0811e0990ac3cfc
SHA256

3530dde799cea3ea1e1e88a1347a666989a930029f7d532ace1a8b6a6a92cd71
SHA512

951b83d0375626ffac72fe33a11a61a2a3d1775293ce573fc4caf713f3a8d88d51157db136c7153e2fb2c5b17c4c1dca7fed2393c4fdfda320f33c0eedc53cdc
SSDEEP

1536:gTa4u5nCAmKwe8w3kXz3iaeC5WyI4rPFW2iwTbW:g235nCFKwDXzSReXXFW2VTbW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgqfdnah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljobpiql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdcjlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnnkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hildmn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmggingc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilccoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Galoohke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhffg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efkphnbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mejpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijegcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ploknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijegcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfmcfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjeomld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqikmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjmfjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igpdfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idcepgmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcndbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niooqcad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igbalblk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfhkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Padnaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfmcfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Milidebi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjpnlbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqkgbcff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipflihfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idcepgmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgnqgqan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjjiej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqkgbcff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joqafgni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opcqnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfoplpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emehdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maiccajf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dapkni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maeachag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhafeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocopdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dapkni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kedlip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cienon32.exe

Executes dropped EXE 64 IoCs

pid	Process
3268	Olehhc32.exe
2968	Ocopdn32.exe
4460	Oiihahme.exe
2056	Opcqnb32.exe
1200	Ogmijllo.exe
1656	Oljaccjf.exe
4916	Ocdjpmac.exe
880	Ojnblg32.exe
1020	Ollnhb32.exe
4816	Pedbahod.exe
3008	Ploknb32.exe
2248	Pfgogh32.exe
5024	Qfbobf32.exe
2484	Qqhcpo32.exe
1696	Agbkmijg.exe
5052	Aompak32.exe
3248	Afghneoo.exe
4936	Bpnihiio.exe
1104	Cmklglpn.exe
5012	Dmbbhkjf.exe
4004	Dapkni32.exe
1816	Dfmcfp32.exe
2716	Dpehof32.exe
2136	Dfoplpla.exe
1232	Eagaoh32.exe
3620	Ehailbaa.exe
2444	Emnbdioi.exe
3592	Empoiimf.exe
4380	Edjgfcec.exe
4312	Ejdocm32.exe
4228	Efkphnbd.exe
2448	Emehdh32.exe
4780	Edopabqn.exe
856	Ffpicn32.exe
2344	Fdcjlb32.exe
4992	Maeachag.exe
1284	Milidebi.exe
3556	Mhafeb32.exe
1288	Mjpbam32.exe
3104	Majjng32.exe
3724	Mnnkgl32.exe
4736	Mjellmbp.exe
5108	Mejpje32.exe
332	Noeahkfc.exe
1988	Neoieenp.exe
3640	Nafjjf32.exe
888	Nlkngo32.exe
3928	Nahgoe32.exe
528	Niooqcad.exe
2880	Nlnkmnah.exe
568	Nolgijpk.exe
4896	Nhdlao32.exe
3368	Oidhlb32.exe
4796	Ohiemobf.exe
1736	Oocmii32.exe
3804	Ohkbbn32.exe
2544	Embddb32.exe
948	Hildmn32.exe
3396	Ipflihfq.exe
4396	Idahjg32.exe
4564	Igpdfb32.exe
4428	Iinqbn32.exe
1452	Idcepgmg.exe
3176	Igbalblk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ploknb32.exe	Pedbahod.exe
File opened for modification	C:\Windows\SysWOW64\Aompak32.exe	Agbkmijg.exe
File created	C:\Windows\SysWOW64\Fijgdejm.dll	Nhdlao32.exe
File created	C:\Windows\SysWOW64\Kpiqfima.exe	Kedlip32.exe
File created	C:\Windows\SysWOW64\Qjfpkhpm.dll	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Oljaccjf.exe	Ogmijllo.exe
File created	C:\Windows\SysWOW64\Nagbfo32.dll	Oljaccjf.exe
File opened for modification	C:\Windows\SysWOW64\Eagaoh32.exe	Dfoplpla.exe
File created	C:\Windows\SysWOW64\Dobhii32.dll	Opcqnb32.exe
File created	C:\Windows\SysWOW64\Jkiocibf.dll	Lqkgbcff.exe
File opened for modification	C:\Windows\SysWOW64\Pqbala32.exe	Oikjkc32.exe
File created	C:\Windows\SysWOW64\Lqikmc32.exe	Ljobpiql.exe
File created	C:\Windows\SysWOW64\Galoohke.exe	Qpcecb32.exe
File created	C:\Windows\SysWOW64\Fdcjlb32.exe	Ffpicn32.exe
File opened for modification	C:\Windows\SysWOW64\Iciaqc32.exe	Ipjedh32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmgfedl.exe	Jjgchm32.exe
File created	C:\Windows\SysWOW64\Jddnfd32.exe	Jlmfeg32.exe
File created	C:\Windows\SysWOW64\Bfnikd32.dll	Megljppl.exe
File created	C:\Windows\SysWOW64\Ibjqaf32.exe	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Lljoca32.dll	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Fohoiloe.dll	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Qckcba32.dll	Pqbala32.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	Fjocbhbo.exe
File opened for modification	C:\Windows\SysWOW64\Oiihahme.exe	Ocopdn32.exe
File created	C:\Windows\SysWOW64\Ejdocm32.exe	Edjgfcec.exe
File created	C:\Windows\SysWOW64\Jlmfeg32.exe	Jgpmmp32.exe
File created	C:\Windows\SysWOW64\Mjahlgpf.exe	Mchppmij.exe
File created	C:\Windows\SysWOW64\Megljppl.exe	Mmpdhboj.exe
File created	C:\Windows\SysWOW64\Jghdlf32.dll	Cmklglpn.exe
File opened for modification	C:\Windows\SysWOW64\Ijegcm32.exe	Iciaqc32.exe
File opened for modification	C:\Windows\SysWOW64\Jlmfeg32.exe	Jgpmmp32.exe
File opened for modification	C:\Windows\SysWOW64\Phfcipoo.exe	Ppolhcnm.exe
File opened for modification	C:\Windows\SysWOW64\Egkddo32.exe	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Ogmijllo.exe	Opcqnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jlkipgpe.exe	Jgnqgqan.exe
File created	C:\Windows\SysWOW64\Pqbala32.exe	Oikjkc32.exe
File created	C:\Windows\SysWOW64\Gqkhda32.exe	Gjaphgpl.exe
File opened for modification	C:\Windows\SysWOW64\Cigkdmel.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjfgf32.exe	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Dapkni32.exe	Dmbbhkjf.exe
File opened for modification	C:\Windows\SysWOW64\Mejpje32.exe	Mjellmbp.exe
File opened for modification	C:\Windows\SysWOW64\Ohkbbn32.exe	Oocmii32.exe
File created	C:\Windows\SysWOW64\Aobbbd32.dll	Igpdfb32.exe
File created	C:\Windows\SysWOW64\Ldbhiiol.dll	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Hpkdfd32.dll	Oikjkc32.exe
File opened for modification	C:\Windows\SysWOW64\Empoiimf.exe	Emnbdioi.exe
File opened for modification	C:\Windows\SysWOW64\Kedlip32.exe	Jbepme32.exe
File created	C:\Windows\SysWOW64\Pmkofa32.exe	Pbekii32.exe
File created	C:\Windows\SysWOW64\Gcghkm32.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Nbkdke32.dll	Kmdlffhj.exe
File opened for modification	C:\Windows\SysWOW64\Oikjkc32.exe	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Pnlhmpgg.dll	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Ojnblg32.exe	Ocdjpmac.exe
File opened for modification	C:\Windows\SysWOW64\Ipflihfq.exe	Hildmn32.exe
File created	C:\Windows\SysWOW64\Accailfj.dll	Iciaqc32.exe
File created	C:\Windows\SysWOW64\Iialhaad.exe	Gbbajjlp.exe
File created	C:\Windows\SysWOW64\Ofgdcipq.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Bpcgpihi.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Nlkngo32.exe	Nafjjf32.exe
File created	C:\Windows\SysWOW64\Padnaq32.exe	Pfojdh32.exe
File created	C:\Windows\SysWOW64\Igigla32.exe	Idkkpf32.exe
File created	C:\Windows\SysWOW64\Cdhffg32.exe	Bgdemb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhffg32.exe	Bgdemb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2916	4896	WerFault.exe	272

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkbogk32.dll"	Aompak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggebqoki.dll"	Ffpicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmqinmi.dll"	Mhafeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpehof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbnag32.dll"	Dfoplpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlnkmnah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhdlao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfllfd32.dll"	Kjjiej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gclafmej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqhcpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejdocm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnpclpq.dll"	Jnlbojee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knegmo32.dll"	Oiihahme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmieae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleeje32.dll"	Lgepom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fachkklb.dll"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcadhpd.dll"	Jjjpnlbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnlbojee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdcjlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlmfeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjejlc32.dll"	Ploknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afghneoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occomh32.dll"	Empoiimf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noeahkfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niooqcad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohkbbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gclafmej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdjpmac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocopdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dedaad32.dll"	Ojnblg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcaihm32.dll"	Mjpbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjmdflo.dll"	Lgqfdnah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqikmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiihahme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfbobf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmofee32.dll"	Dfmcfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipflihfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilccoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafjjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nolgijpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iciaqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jimldogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlhmpgg.dll"	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3530dde799cea3ea1e1e88a1347a666989a930029f7d532ace1a8b6a6a92cd71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmklglpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eagaoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgqfdnah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmanm32.dll"	Cdhffg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olehhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famcfn32.dll"	Ljaoeini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchppmij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijgiemgc.dll"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dapkni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maeachag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjjpnlbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmdlffhj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 3268	2536	3530dde799cea3ea1e1e88a1347a666989a930029f7d532ace1a8b6a6a92cd71.exe	88
PID 2536 wrote to memory of 3268	2536	3530dde799cea3ea1e1e88a1347a666989a930029f7d532ace1a8b6a6a92cd71.exe	88
PID 2536 wrote to memory of 3268	2536	3530dde799cea3ea1e1e88a1347a666989a930029f7d532ace1a8b6a6a92cd71.exe	88
PID 3268 wrote to memory of 2968	3268	Olehhc32.exe	89
PID 3268 wrote to memory of 2968	3268	Olehhc32.exe	89
PID 3268 wrote to memory of 2968	3268	Olehhc32.exe	89
PID 2968 wrote to memory of 4460	2968	Ocopdn32.exe	91
PID 2968 wrote to memory of 4460	2968	Ocopdn32.exe	91
PID 2968 wrote to memory of 4460	2968	Ocopdn32.exe	91
PID 4460 wrote to memory of 2056	4460	Oiihahme.exe	92
PID 4460 wrote to memory of 2056	4460	Oiihahme.exe	92
PID 4460 wrote to memory of 2056	4460	Oiihahme.exe	92
PID 2056 wrote to memory of 1200	2056	Opcqnb32.exe	93
PID 2056 wrote to memory of 1200	2056	Opcqnb32.exe	93
PID 2056 wrote to memory of 1200	2056	Opcqnb32.exe	93
PID 1200 wrote to memory of 1656	1200	Ogmijllo.exe	94
PID 1200 wrote to memory of 1656	1200	Ogmijllo.exe	94
PID 1200 wrote to memory of 1656	1200	Ogmijllo.exe	94
PID 1656 wrote to memory of 4916	1656	Oljaccjf.exe	95
PID 1656 wrote to memory of 4916	1656	Oljaccjf.exe	95
PID 1656 wrote to memory of 4916	1656	Oljaccjf.exe	95
PID 4916 wrote to memory of 880	4916	Ocdjpmac.exe	96
PID 4916 wrote to memory of 880	4916	Ocdjpmac.exe	96
PID 4916 wrote to memory of 880	4916	Ocdjpmac.exe	96
PID 880 wrote to memory of 1020	880	Ojnblg32.exe	97
PID 880 wrote to memory of 1020	880	Ojnblg32.exe	97
PID 880 wrote to memory of 1020	880	Ojnblg32.exe	97
PID 1020 wrote to memory of 4816	1020	Ollnhb32.exe	98
PID 1020 wrote to memory of 4816	1020	Ollnhb32.exe	98
PID 1020 wrote to memory of 4816	1020	Ollnhb32.exe	98
PID 4816 wrote to memory of 3008	4816	Pedbahod.exe	99
PID 4816 wrote to memory of 3008	4816	Pedbahod.exe	99
PID 4816 wrote to memory of 3008	4816	Pedbahod.exe	99
PID 3008 wrote to memory of 2248	3008	Ploknb32.exe	100
PID 3008 wrote to memory of 2248	3008	Ploknb32.exe	100
PID 3008 wrote to memory of 2248	3008	Ploknb32.exe	100
PID 2248 wrote to memory of 5024	2248	Pfgogh32.exe	101
PID 2248 wrote to memory of 5024	2248	Pfgogh32.exe	101
PID 2248 wrote to memory of 5024	2248	Pfgogh32.exe	101
PID 5024 wrote to memory of 2484	5024	Qfbobf32.exe	102
PID 5024 wrote to memory of 2484	5024	Qfbobf32.exe	102
PID 5024 wrote to memory of 2484	5024	Qfbobf32.exe	102
PID 2484 wrote to memory of 1696	2484	Qqhcpo32.exe	103
PID 2484 wrote to memory of 1696	2484	Qqhcpo32.exe	103
PID 2484 wrote to memory of 1696	2484	Qqhcpo32.exe	103
PID 1696 wrote to memory of 5052	1696	Agbkmijg.exe	105
PID 1696 wrote to memory of 5052	1696	Agbkmijg.exe	105
PID 1696 wrote to memory of 5052	1696	Agbkmijg.exe	105
PID 5052 wrote to memory of 3248	5052	Aompak32.exe	106
PID 5052 wrote to memory of 3248	5052	Aompak32.exe	106
PID 5052 wrote to memory of 3248	5052	Aompak32.exe	106
PID 3248 wrote to memory of 4936	3248	Afghneoo.exe	107
PID 3248 wrote to memory of 4936	3248	Afghneoo.exe	107
PID 3248 wrote to memory of 4936	3248	Afghneoo.exe	107
PID 4936 wrote to memory of 1104	4936	Bpnihiio.exe	108
PID 4936 wrote to memory of 1104	4936	Bpnihiio.exe	108
PID 4936 wrote to memory of 1104	4936	Bpnihiio.exe	108
PID 1104 wrote to memory of 5012	1104	Cmklglpn.exe	110
PID 1104 wrote to memory of 5012	1104	Cmklglpn.exe	110
PID 1104 wrote to memory of 5012	1104	Cmklglpn.exe	110
PID 5012 wrote to memory of 4004	5012	Dmbbhkjf.exe	111
PID 5012 wrote to memory of 4004	5012	Dmbbhkjf.exe	111
PID 5012 wrote to memory of 4004	5012	Dmbbhkjf.exe	111
PID 4004 wrote to memory of 1816	4004	Dapkni32.exe	112

C:\Users\Admin\AppData\Local\Temp\3530dde799cea3ea1e1e88a1347a666989a930029f7d532ace1a8b6a6a92cd71.exe
"C:\Users\Admin\AppData\Local\Temp\3530dde799cea3ea1e1e88a1347a666989a930029f7d532ace1a8b6a6a92cd71.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\Olehhc32.exe
  C:\Windows\system32\Olehhc32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\SysWOW64\Ocopdn32.exe
    C:\Windows\system32\Ocopdn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\Oiihahme.exe
      C:\Windows\system32\Oiihahme.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Windows\SysWOW64\Opcqnb32.exe
        
        C:\Windows\system32\Opcqnb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\SysWOW64\Ogmijllo.exe
        
        C:\Windows\system32\Ogmijllo.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Oljaccjf.exe
        
        C:\Windows\system32\Oljaccjf.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ocdjpmac.exe
        
        C:\Windows\system32\Ocdjpmac.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Ojnblg32.exe
        
        C:\Windows\system32\Ojnblg32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Ollnhb32.exe
        
        C:\Windows\system32\Ollnhb32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Pedbahod.exe
        
        C:\Windows\system32\Pedbahod.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Ploknb32.exe
        
        C:\Windows\system32\Ploknb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Pfgogh32.exe
        
        C:\Windows\system32\Pfgogh32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Qfbobf32.exe
        
        C:\Windows\system32\Qfbobf32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Qqhcpo32.exe
        
        C:\Windows\system32\Qqhcpo32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Agbkmijg.exe
        
        C:\Windows\system32\Agbkmijg.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Aompak32.exe
        
        C:\Windows\system32\Aompak32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Afghneoo.exe
        
        C:\Windows\system32\Afghneoo.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Bpnihiio.exe
        
        C:\Windows\system32\Bpnihiio.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Cmklglpn.exe
        
        C:\Windows\system32\Cmklglpn.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Dmbbhkjf.exe
        
        C:\Windows\system32\Dmbbhkjf.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Dapkni32.exe
        
        C:\Windows\system32\Dapkni32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Dfmcfp32.exe
        
        C:\Windows\system32\Dfmcfp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Dpehof32.exe
        
        C:\Windows\system32\Dpehof32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Dfoplpla.exe
        
        C:\Windows\system32\Dfoplpla.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Eagaoh32.exe
        
        C:\Windows\system32\Eagaoh32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Ehailbaa.exe
        
        C:\Windows\system32\Ehailbaa.exe
        27⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Emnbdioi.exe
        
        C:\Windows\system32\Emnbdioi.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\Empoiimf.exe
        
        C:\Windows\system32\Empoiimf.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Edjgfcec.exe
        
        C:\Windows\system32\Edjgfcec.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Ejdocm32.exe
        
        C:\Windows\system32\Ejdocm32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Efkphnbd.exe
        
        C:\Windows\system32\Efkphnbd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Emehdh32.exe
        
        C:\Windows\system32\Emehdh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Edopabqn.exe
        
        C:\Windows\system32\Edopabqn.exe
        34⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Ffpicn32.exe
        
        C:\Windows\system32\Ffpicn32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Fdcjlb32.exe
        
        C:\Windows\system32\Fdcjlb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Maeachag.exe
        
        C:\Windows\system32\Maeachag.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Milidebi.exe
        
        C:\Windows\system32\Milidebi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\Mhafeb32.exe
        
        C:\Windows\system32\Mhafeb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Mjpbam32.exe
        
        C:\Windows\system32\Mjpbam32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Majjng32.exe
        
        C:\Windows\system32\Majjng32.exe
        41⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Mnnkgl32.exe
        
        C:\Windows\system32\Mnnkgl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Mjellmbp.exe
        
        C:\Windows\system32\Mjellmbp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Mejpje32.exe
        
        C:\Windows\system32\Mejpje32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Noeahkfc.exe
        
        C:\Windows\system32\Noeahkfc.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\Neoieenp.exe
        
        C:\Windows\system32\Neoieenp.exe
        46⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Nafjjf32.exe
        
        C:\Windows\system32\Nafjjf32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Nlkngo32.exe
        
        C:\Windows\system32\Nlkngo32.exe
        48⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\Nahgoe32.exe
        
        C:\Windows\system32\Nahgoe32.exe
        49⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\Niooqcad.exe
        
        C:\Windows\system32\Niooqcad.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Nlnkmnah.exe
        
        C:\Windows\system32\Nlnkmnah.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Nolgijpk.exe
        
        C:\Windows\system32\Nolgijpk.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Nhdlao32.exe
        
        C:\Windows\system32\Nhdlao32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Oidhlb32.exe
        
        C:\Windows\system32\Oidhlb32.exe
        54⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Ohiemobf.exe
        
        C:\Windows\system32\Ohiemobf.exe
        55⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Oocmii32.exe
        
        C:\Windows\system32\Oocmii32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Ohkbbn32.exe
        
        C:\Windows\system32\Ohkbbn32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Embddb32.exe
        
        C:\Windows\system32\Embddb32.exe
        58⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\Hildmn32.exe
        
        C:\Windows\system32\Hildmn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\Ipflihfq.exe
        
        C:\Windows\system32\Ipflihfq.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Idahjg32.exe
        
        C:\Windows\system32\Idahjg32.exe
        61⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Igpdfb32.exe
        
        C:\Windows\system32\Igpdfb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        63⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Idcepgmg.exe
        
        C:\Windows\system32\Idcepgmg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\Igbalblk.exe
        
        C:\Windows\system32\Igbalblk.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Inlihl32.exe
        
        C:\Windows\system32\Inlihl32.exe
        66⤵
        
        PID:956
        
        C:\Windows\SysWOW64\Ipjedh32.exe
        
        C:\Windows\system32\Ipjedh32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Iciaqc32.exe
        
        C:\Windows\system32\Iciaqc32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Ijegcm32.exe
        
        C:\Windows\system32\Ijegcm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4580
        
        C:\Windows\SysWOW64\Ilccoh32.exe
        
        C:\Windows\system32\Ilccoh32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\Igigla32.exe
        
        C:\Windows\system32\Igigla32.exe
        72⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Jjgchm32.exe
        
        C:\Windows\system32\Jjgchm32.exe
        73⤵
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\Jdmgfedl.exe
        
        C:\Windows\system32\Jdmgfedl.exe
        74⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Jjjpnlbd.exe
        
        C:\Windows\system32\Jjjpnlbd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Jgnqgqan.exe
        
        C:\Windows\system32\Jgnqgqan.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Jlkipgpe.exe
        
        C:\Windows\system32\Jlkipgpe.exe
        77⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Jgpmmp32.exe
        
        C:\Windows\system32\Jgpmmp32.exe
        78⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Jlmfeg32.exe
        
        C:\Windows\system32\Jlmfeg32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Jddnfd32.exe
        
        C:\Windows\system32\Jddnfd32.exe
        80⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Jknfcofa.exe
        
        C:\Windows\system32\Jknfcofa.exe
        81⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Jnlbojee.exe
        
        C:\Windows\system32\Jnlbojee.exe
        82⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Jcikgacl.exe
        
        C:\Windows\system32\Jcikgacl.exe
        83⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Kjccdkki.exe
        
        C:\Windows\system32\Kjccdkki.exe
        84⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Kkconn32.exe
        
        C:\Windows\system32\Kkconn32.exe
        85⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Kmdlffhj.exe
        
        C:\Windows\system32\Kmdlffhj.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Kcndbp32.exe
        
        C:\Windows\system32\Kcndbp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Kjhloj32.exe
        
        C:\Windows\system32\Kjhloj32.exe
        88⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Kmfhkf32.exe
        
        C:\Windows\system32\Kmfhkf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Kdmqmc32.exe
        
        C:\Windows\system32\Kdmqmc32.exe
        90⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Kglmio32.exe
        
        C:\Windows\system32\Kglmio32.exe
        91⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Kjjiej32.exe
        
        C:\Windows\system32\Kjjiej32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Kmieae32.exe
        
        C:\Windows\system32\Kmieae32.exe
        93⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Kdpmbc32.exe
        
        C:\Windows\system32\Kdpmbc32.exe
        94⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Kjmfjj32.exe
        
        C:\Windows\system32\Kjmfjj32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Kqfngd32.exe
        
        C:\Windows\system32\Kqfngd32.exe
        97⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ljobpiql.exe
        
        C:\Windows\system32\Ljobpiql.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Lqikmc32.exe
        
        C:\Windows\system32\Lqikmc32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Lgccinoe.exe
        
        C:\Windows\system32\Lgccinoe.exe
        101⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Ljaoeini.exe
        
        C:\Windows\system32\Ljaoeini.exe
        102⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Lqkgbcff.exe
        
        C:\Windows\system32\Lqkgbcff.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Lgepom32.exe
        
        C:\Windows\system32\Lgepom32.exe
        104⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Ljclki32.exe
        
        C:\Windows\system32\Ljclki32.exe
        105⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Maiccajf.exe
        
        C:\Windows\system32\Maiccajf.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Mchppmij.exe
        
        C:\Windows\system32\Mchppmij.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Mjahlgpf.exe
        
        C:\Windows\system32\Mjahlgpf.exe
        108⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Mmpdhboj.exe
        
        C:\Windows\system32\Mmpdhboj.exe
        109⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Megljppl.exe
        
        C:\Windows\system32\Megljppl.exe
        110⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        111⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        114⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        115⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        116⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        117⤵
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3756
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        119⤵
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        122⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        123⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        124⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4236
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        127⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        128⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        129⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        130⤵
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        131⤵
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        133⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        138⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        139⤵
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1708
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4008
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        145⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        146⤵
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:644
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3772
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        152⤵
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        153⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        154⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        155⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        156⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        157⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        158⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        159⤵
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        161⤵
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        162⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        164⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        165⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        166⤵
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        167⤵
        Drops file in System32 directory
        
        PID:712
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        170⤵
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        173⤵
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        174⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 400
        175⤵
        Program crash
        
        PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4896 -ip 4896
1⤵
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afghneoo.exe

Filesize
64KB

MD5
0800770c81a1c22f09236de0a0bf48ae

SHA1
0584214911f009cd8366170a42278552c8a0268d

SHA256
109eac260b67c5e3980e18c2a6574641dbb2e132887a07171ae960f78c8bb48b

SHA512
8fe5aeef890a80cf24b6b4a946511737c7a87c3e63614dac44cb9c4053080f75ad3aa120077a34a181250ba98c6783b57dcfe5140b8a4e6e1b1e87974f4d06de

Download Submit
C:\Windows\SysWOW64\Agbkmijg.exe

Filesize
64KB

MD5
65da6e39f8ae7175aee15a70f849bd32

SHA1
3162f34b9b8678dfa58c5206795562b08d8ca362

SHA256
d4a9f039c8cc1e53f003950cca10762176eccf999e07d1d02b52aa15d842fdf0

SHA512
c2e455cbfad953ae7bc3b4edbcf2446562bb6133daa1540bfc44126332412167e4ef6ee5f642f112d0497df1ed8fbb159941fe233021c6551b46e8788a3ca319

Download Submit
C:\Windows\SysWOW64\Aompak32.exe

Filesize
64KB

MD5
1b6028813c726b4c1992e561290efc4e

SHA1
c0d61a4e495f2b0bde177837d91f783c867e5af6

SHA256
583c091df53227923e64fc2efae6cd3521b0ec7048225ac18ba59dd9a47caf4d

SHA512
6d179c44045f115334212452e844fdd467c754403091b48f215481c8008ad7c865132470048ef14bc537b11fb49ab41ceefaa483d27ecb5643cc2e9c29a29186

Download Submit
C:\Windows\SysWOW64\Bpnihiio.exe

Filesize
64KB

MD5
0236e70d88da203a2250408198c3d4f2

SHA1
df8107b81e8939d2ff9903238e7c5333b7f9a33a

SHA256
3bae1c47dfd93a15706d6ebad7f031d9de93f7643041db5335aa5f2104df6c09

SHA512
36760268436543443fbfb3d5e8056127f261f245cff972cb8f3b3a88e533a1b24354bd4e01abd9bf0d69e3b7e1460590d8eea1f2baeb7bb504bd5d002b724524

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
64KB

MD5
06e6fd4a3ec8d30c3f6d238860d0c3be

SHA1
919f14adacc86a0063022705351073a7d3fe6c68

SHA256
4c96999951a87b9e348913b9d0631b0f9089368b35ad2798685fd46b7479bc24

SHA512
98ff40f7fb0757fb703725d11dd250d2d85f18ea20ba048eec65aca823adfbef7377ca0f7e50841f52cc8df67c23166d52bab58340eedfc9490ee901c8db5d3b

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
64KB

MD5
3e7db080f8e4ff532ace31e17dbfe6e0

SHA1
d7aed9df407f6d4b4d4fa25be48697d84b0863ac

SHA256
5de80a5f8a32a0f10c930a888544aada9bc7a853cea899f8dda6b4cedf685624

SHA512
a60c63665b637f5dd404955f0bfa0af40353bcffeafa003058a59533744f51343c4c5ca214aac187c1acc0a8d92bea2f9fd5b96b9604c1cbf66ea8420c27b9a5

Download Submit
C:\Windows\SysWOW64\Cmklglpn.exe

Filesize
64KB

MD5
98167acb839a62c0e19c638713603fe9

SHA1
bb54867b82ae869a484ac852819db5fe290e8ee8

SHA256
b06933d9b81e2fda627a26a84dabafda19d394bc0c69f3883696fbafb0515553

SHA512
36dcf070ee74effe72cd0125374dfec0f65621fff13817bc9c76cb0d28ce0644fa66f7bc8025b365bccda17a58470bcb172c57609482b0ce908cf3979b2bc73e

Download Submit
C:\Windows\SysWOW64\Dapkni32.exe

Filesize
64KB

MD5
2f5653cf80848123211b70c8e53d34f6

SHA1
797d465cc092389a55985388062f75ef831d997f

SHA256
4816de5ec0fb7ef41e6e6867b6416bb6a71ef4cefb18ec395aed941a40c9a20d

SHA512
ba4230d6c8d770ee54b1790c9233c702eaa41a0710a2beb98e438ee5226cd308cbf2260ce05a90c5a3b2c8a334f9b3469aefd4b1e33dc9b844096b22d89307da

Download Submit
C:\Windows\SysWOW64\Dfmcfp32.exe

Filesize
64KB

MD5
4bc36749e8e0d6fa77fe150279d7b7fb

SHA1
db473b933f1405b3770f6363586b0d05f89552b3

SHA256
2a864ae681416560fb711ee405d28bce4a51ecc663e65ec08ceec5a1ed87e8b0

SHA512
f0d0283ba02d3d5923dcd31e2a5c05516c8a9fe4d2eb20c17f1525bc6226e5d49513eade02661867249547031a52214042a38c608266f466feddc398131ebd21

Download Submit
C:\Windows\SysWOW64\Dfoplpla.exe

Filesize
64KB

MD5
38894f70ebfd9cddef934a0a854d7432

SHA1
15607ca900261e27700c0b191afd9c1fea50cc6d

SHA256
f5b0e0a5ff7a3c941119949d3d2794f3632b98451fda8201f728016779ee648a

SHA512
e9c55a3c6a6f8e14884367b21d518cf89074fa2eaa6a1ab85b8eb167a63a93c3d74ba284d91f5a34888b541d5aa9279913eb09a50feb9135a1272ca061ae4272

Download Submit
C:\Windows\SysWOW64\Dmbbhkjf.exe

Filesize
64KB

MD5
8cb0d419e318abda80902287a5b7ac3b

SHA1
ffbcb386e8b5e6eb5ebb63d87a84f6e12f4d2f38

SHA256
bd2a70154e91aa0ed96c4a64fbb3fd9608995e7f3566a0a937fba8855cb18a14

SHA512
f73c36231324cd1ba7e8ee5f0ee0483113abf83b25787de0d36b12c95eb257513184b8e01eba5d1b73990a148f173080634df799de80a5a6e0af7f5fa2386bf3

Download Submit
C:\Windows\SysWOW64\Dpehof32.exe

Filesize
64KB

MD5
b5c780d1054dadba07698776e5de0d8a

SHA1
4121c8876e1fddc520df97841ed3b7b84f00aa51

SHA256
da03ebb025e56720916c0a3894d266002b9b89760118f2154054881dbf52ac09

SHA512
4975c9f3773cc1f7eb80b8842fa34defca634859659ab9d7866d3efb4286263072fbffe8085f60e531c89b3ca1bb44e2fb399045a42e29ba4eba40e678555ffb

Download Submit
C:\Windows\SysWOW64\Eagaoh32.exe

Filesize
64KB

MD5
ba36b080b773457ad32375488f56225f

SHA1
e279dcfb8f48226490445652399e25a42798de7a

SHA256
6e3c496930cc6241cf38a9604f4292cf92fe32223c5a3c3e56b281bcad01f256

SHA512
0fd06759a5908df92a4a4c808cc49338ecf5dfd81db3110fc5d61f0b9edc701ff28ee8b8f8ee8452fcf7929942f492ff97f7333be149d148b8e5016a1691829e

Download Submit
C:\Windows\SysWOW64\Edjgfcec.exe

Filesize
64KB

MD5
9d09c19528b6544c374cb7f7b1186f74

SHA1
db448b28576ddf01c855ad3285bd6c02c324ccd1

SHA256
c5d4f2f688817ab57b6967cdf3ed062bb619b7ad7f7646e9cec490cb233c9d0f

SHA512
bf1e7fe9913ffe9046344f600e48943586d3e7ed05f21de411e83a93d15b31f3ec2974576b274b27c1326ad178a1d5cd7bba7053faf89244935bfe0303db5bfa

Download Submit
C:\Windows\SysWOW64\Efkphnbd.exe

Filesize
64KB

MD5
94acd0e5d84203458e05f3f731220d23

SHA1
bfebf3d3c7fae84c2fd93451d46dc9456b4cdd17

SHA256
5961648043e1e9015aa4f08bac9d9cdaf98b6fdc169e78e35d007fca6ea28a9f

SHA512
66fc1baca6b857d7b6297f2bbf5b229dab66481d1b1b452816d6f7b561e11167362524bb6dfa51adddee306cb85fa040041acaa089471b498713cfb73f24701c

Download Submit
C:\Windows\SysWOW64\Ehailbaa.exe

Filesize
64KB

MD5
961baf9055f532fc5ec367f9be929419

SHA1
a36e177b4c09b9c5d49989910150ed34734a4f89

SHA256
e3a56936b517c1b74d1163e18cbd2121cb4a6069e08b408dfa2f3ed93673522e

SHA512
4fbbf420cbc8a9a215c68839d1764cd9e95d2bbbfa8bd19764449144bce4a741fe46f056d73709552f4963a11bab2b78e6c9bf33cae26a1393417b482f28e43d

Download Submit
C:\Windows\SysWOW64\Ejdocm32.exe

Filesize
64KB

MD5
6f5c19b6efa0ee4a70ba16aa8ed62156

SHA1
bc54550202fc9b398215e8ce5d2d2c3ac25d896d

SHA256
ebf1a4f39c439c33900990b7eec65e5ea3264e19f76d1d6c942c6032c51f6c90

SHA512
50e8f0952ac6bf5ff6518773b1182c9895e44657e63d3d48b1da051e2a201e03600e1e38519942723a563902ef7fb535d097ac8875286ff379861076b35cb101

Download Submit
C:\Windows\SysWOW64\Ejlnfjbd.exe

Filesize
64KB

MD5
e2675df1d700824d13dff47635405750

SHA1
d161cffd19c864f6d29ac2767b2f65c68f1f9140

SHA256
cc56c80f3868cc25aa4160dde585620de2e5c7d9a797ab1afc93630d21f8b482

SHA512
981436748b747af219e7f5602d5f5e615b3d4be01ba19c0c12283a80d7678eec4f9027ea11e3ebe134a0b5b3116e2b4969808072f6be1a67f1b65a6fe2632796

Download Submit
C:\Windows\SysWOW64\Emehdh32.exe

Filesize
64KB

MD5
53bfe144810c8688ad3af6cc599af040

SHA1
180b22969597c7524f06f079548d9eb46d5b4b77

SHA256
5638e427781ed0b5e47a27db1fb122aa769af6615be11b0943a0ae2cc1df56fd

SHA512
37913c5c6e4af763fdc2a443f6ffa833c681280f9946d3f44f4811f1a93d4fd6658c5ad48145329db44406e84b746d263426d8587745fc6dc9435034127d99d2

Download Submit
C:\Windows\SysWOW64\Emnbdioi.exe

Filesize
64KB

MD5
39e045847e01da9ec1a7c4cabd0d0c44

SHA1
d3df1d2fe929a7b6b27b8bf3ea26348b0ab8a82d

SHA256
e4e8c70440f32db69506e99f16b07cf4be5f81e8b96262408411131b2e41034c

SHA512
3367d2d38750e41ed23d7e4768ddfcc7d545352f417493ed167d1d9554c1e2fcafbb2a133ec03b154b279575f9ed0c3fb1fb2fbc47578fac9e9b0bf2023679e0

Download Submit
C:\Windows\SysWOW64\Empoiimf.exe

Filesize
64KB

MD5
42a65212cd3449126664c63d907b4dae

SHA1
976b01331d1bc323fe64894c7bba8f06ae5dcdfd

SHA256
87fdb56abe1c60af6804955bfca823f15c0caa5a8b6e506018a5734fcb2bf248

SHA512
d8f59dd7eeb97233d7ae84ad6cf26e356035dd730cd5e109033e23f3c75797d2e8adf5d4c8185e739ad1fe91cbeebb25675ab480d2b31de00d27296df9772df5

Download Submit
C:\Windows\SysWOW64\Gqkhda32.exe

Filesize
64KB

MD5
0b67b86bceaf11a056b44ecc21e76024

SHA1
5d109e531366f8aad983180762bd532cfe92b982

SHA256
277fef9f1376964ea2e747741ce321afe7d78f2504ece6a4428c0fddd0d4367a

SHA512
71b75166047b0ec163b7d48d662f4c7c4c0e745a57844991cedbc284393419d3f96cacabc6d88b55283712ba53106b3f4f694bed3c185bb3de41d5a9d267b9b1

Download Submit
C:\Windows\SysWOW64\Jjjpnlbd.exe

Filesize
64KB

MD5
5c451eb4027774c6df25e03322450d60

SHA1
0e011b8625fc39d9f25082b4233f4ccf8036d3e1

SHA256
a73639ba8931a5a6eee52aef6c33b1ed5eca4955d6b83b7861ad3afdfe60cfd4

SHA512
0214664e2d8727b06d7261ed9a5f25324485e4edfbb17fcb95a3898e37f5701071a7f26cc6209c3282b10240161b5ed4e83f5f7ec8c90f3ea1bd54f3176b488c

Download Submit
C:\Windows\SysWOW64\Jnlbojee.exe

Filesize
64KB

MD5
df2b3dd4fdc09d0e22d72fa19f232ebd

SHA1
bc508b451ea7cdfaba038b2a6d3dec6374a05ec9

SHA256
b4a16a4c9981012f8c15b0bafd9e5242ec00c963683a492a159cf0dc85043895

SHA512
79c3c49ba319272c1319a55343eaebf83b7f36a0641f1a86893a5aaeb04cba696bb58d394425d9d42d4ccd4b5cfa305e9e4eb70630fecc2e121f037fd5fd9ee4

Download Submit
C:\Windows\SysWOW64\Kpiqfima.exe

Filesize
64KB

MD5
a9aca3554e2424ba862abcd842f3d61c

SHA1
b6d727af83addba0c52c28ab2461a95a59579925

SHA256
2fd6aed48f08910791f3dc31cffdf4c840ebd58098a63f9829bee1850283652b

SHA512
b434082307326e219b290e4037219dea6327800dfc46fc66892bdb123ec58de373d47aff763f8d39ce14801a4e2cb33efa294240edad9bd44e4802cb05e3f069

Download Submit
C:\Windows\SysWOW64\Mnnkgl32.exe

Filesize
64KB

MD5
f0d433f95468fa9232444e5da8a3a005

SHA1
419912f4a67f45e5ffb9523677db35c2e53ed98c

SHA256
577327ecdaebd37fffc963027f0341a782c00c0d4a52139e1bf19e75c0f42d62

SHA512
1263ca3eba763e166d4a2a6479d477f4ec25fc85fb9f43be6371beb7eaa9772393d4fb1622d9e2f891af9f6ba1742b9db39de47d87dc583f016a4a01593f5253

Download Submit
C:\Windows\SysWOW64\Nafjjf32.exe

Filesize
64KB

MD5
7c03f2d389bf6ed2dccec8bd0e266b06

SHA1
232391d917922831e3dae6c3aa2f530e8a20286d

SHA256
16bb8ce94b652a0adc299ea8cfaaec581d728f364a3b02d0bbb6248fc3da4294

SHA512
2e597b4f33d9b0081f578a49cc90ed61b619df194335fbc6ad9f79f388a9497c4deeef1b3d951fbdd7170e5d617e80258cd98b160d1f6fdf10d64183a5da1133

Download Submit
C:\Windows\SysWOW64\Ocdjpmac.exe

Filesize
64KB

MD5
7d0d15b832f705cb46cc97fda2cc09cb

SHA1
50bfb2b4cd023071fd83d6921dd0bfe88e1df199

SHA256
6f0d2d4db57da3d603b48c1b3dd7ae118368a27176e371e220f106a9164f9589

SHA512
2dcafb5efe0f46e2fb18db34911c2d7b733935d96d2f239db4df45795fcffcda394c9c39b7e87a4a37c23c7ad818c6f3bd0a8d925305be54dec90cd6d2e35b62

Download Submit
C:\Windows\SysWOW64\Ocopdn32.exe

Filesize
64KB

MD5
441104283afed6633d0505f47e2f494f

SHA1
206a12b10423831dffe15fc33eb81ca211d4a604

SHA256
97ea06070606a3c8145793b69be204993be8db6c067e02b661cc1f81794447a8

SHA512
e55aa92ffa62f65ff613b2f53692ce0d0095ed52ed6149d672605a14e75c525145a6ff16038ccfecbd00e586f0bcc4a7cb8df304095c8d28630d6aa3e8f0b333

Download Submit
C:\Windows\SysWOW64\Ogmijllo.exe

Filesize
64KB

MD5
2d6d4fca1e4c99eb0960721294530947

SHA1
3f94b9619808123de61eccc788875def25f19276

SHA256
4163641a1084cdf4a88ad5dfe4da7eedb52a664e4d90baf0b3a5a24b6159fb4d

SHA512
dcc3d8a4551243de17e20f035da1c3181cd4f9445415d7cff70b5076c07d2f1fb5f60bea608c5e5fe66305be365d7b0603542830862550bdb0459280c150eeb2

Download Submit
C:\Windows\SysWOW64\Oiihahme.exe

Filesize
64KB

MD5
7af458bc85d69dbdf78a5b86c407484f

SHA1
eba39248eb12f7c02c9c2874be7056dada3b17ea

SHA256
4fbd02a8ae5e5139a6f0c0f75454f2c72d749c4ca35c6c594c15de02049de43e

SHA512
30172fc8f58495d70b136ab51ef1cfe0eacf4050eb10b0fa8b3fe0a907cdc823ef8a5dd0afaa172dc4f8b6b1dbd4e7b4969a3ed8004a8d8b39d566b2ee30c93b

Download Submit
C:\Windows\SysWOW64\Ojnblg32.exe

Filesize
64KB

MD5
f37b4556e6fa56dd8d28498ee825a46e

SHA1
376ba7310f4c256c4de5b130a814689a9ab8376f

SHA256
fb472ad574d3ff9465ab75d7faba4768fd3fd5585a6bb51edf4ded75b5913203

SHA512
81aeee8cd8f3d181dab238482e90a22912a88cd9e94a2307508044b2f3564298490c7b5939a1facfa9b5c6ef0e4a02f6d95279515a3039b95a81c1f4c89e432b

Download Submit
C:\Windows\SysWOW64\Olehhc32.exe

Filesize
64KB

MD5
4492a83fe34b9c6e9e6dbf2d4384e750

SHA1
b0571e85c1c176ba9c369d41f6ec4bcdea9e6ebe

SHA256
916f9e9bd3a12f6576c0bc57bac5afbc6588e024c204f3a9adb1e61c7a40b0fa

SHA512
ba5abbfeaffc7c48681a78af7401e32113d0bb28d54299d1ffce647adbe6ce32d1022395b8b7c0bf45771cd715ce0928b220fd57586ed603f5604296662140d2

Download Submit
C:\Windows\SysWOW64\Oljaccjf.exe

Filesize
64KB

MD5
f42dc17e3b2206bb31bb46124f4d4261

SHA1
c2cec47d9be250d99452f28695e1c4041366cbba

SHA256
2c9b19a465b538949df20347467e7854fc2d3d3bc4307069a9da1cefeff98420

SHA512
8a0942bc6ba6ef780b9b24150a969c2bf492fb686e80ba53e932c1dd409e69eb8f3d3ce946dcde86bf71240475b5aa8436bb0ccbc52be4a7ebec628ac552e126

Download Submit
C:\Windows\SysWOW64\Ollnhb32.exe

Filesize
64KB

MD5
37cd479ba507661d4993b36f93845892

SHA1
844dfe83e8f2b46a627626f6ced0c200719863dd

SHA256
2c3181a1e47eac9b1ec3e5e5e220bd62d96c12754f16822db97fb00b094dc825

SHA512
b2caf4079d4f973f3385ab00977de27c875930fd1ac9a470d784d3ad1ad3de1291832e512ffa7612195bd049698d6257825254843a961fe827b61f3f807e7836

Download Submit
C:\Windows\SysWOW64\Opcqnb32.exe

Filesize
64KB

MD5
0583ae429719d3df1f5b2ff1ac753973

SHA1
8be99d171dbee5270411935346494911683c1961

SHA256
81399ea1cd8fcca5004b323747b489309412c394c7ebc4cff6eb88113b3b8dec

SHA512
7dc853af7ec299aea9f90a71ca241c8f0d710cae65bef35438fb67fe54294d3a50b5f10d183194013e256b5ffa63048623c0740560546dd848452e8eebf40864

Download Submit
C:\Windows\SysWOW64\Pedbahod.exe

Filesize
64KB

MD5
cc07b6aba4d1c8f5152c0376d3dff211

SHA1
5924384c76e0aa43bc34042c3f0233f0b1e29793

SHA256
0b2d54d921bab8e26c15b1b8cb6ac467eab657986a90fb1460bdfedc77e24e79

SHA512
07b85cf0eca8a216c5de68ab165932065b07ce541d6ada75bb24aa5e720fba22bbd081fd85843f2cb617b603de137879b0c663e86f81e54536a89b3ba808f928

Download Submit
C:\Windows\SysWOW64\Pfgogh32.exe

Filesize
64KB

MD5
4d92a7e223bff3cd1375f807987fc1b3

SHA1
c5e3a4cd53afc9171d6813e676fdca73106ed81d

SHA256
433356091aa9533538b67a8f0973824b0b09d5a0d2c80763e4cd1bc842bf48c3

SHA512
f4dac9d6a3fa01b33cfc81e8a4675ceb135e2ed1283749e35ad5ba92b671deb7858331cc4b58ec8fed04a9194e77537c122817561fd77720d39ad40af7763beb

Download Submit
C:\Windows\SysWOW64\Ploknb32.exe

Filesize
64KB

MD5
c866756f1ecef2d4aaa4f4133a166c4b

SHA1
d8d648ab957a930e4399bbc9fb4bc29e88f25f60

SHA256
101ec251320efb005daea9c7e1c731a2055fccdb878effcd2128cf0e29b7c997

SHA512
f90e1a048fc37f2e6ed526c57530f06105b3a04aab79617039560de2d94e7ac485db6a980d691437caeab7bdb1d386b5929e9e8f55ba09f21d453b159a5a2b83

Download Submit
C:\Windows\SysWOW64\Qfbobf32.exe

Filesize
64KB

MD5
75e93bf0f590ddc2654649a21f9991da

SHA1
93f4534eab2c53e02f0daed621d01195f9dd9c03

SHA256
0d9f69d65b1103a411ce5a63a88a151580e35de7daa269396f1195ad382b42c3

SHA512
46e0ecf83972a2a4df1ad79c5baa31efd174866cacb339ddbb8dc546f0075c596f175a63ebc2e82bc113e4305cb2a7ce7c60b85c656a9ae70ca8517dcf9f318e

Download Submit
C:\Windows\SysWOW64\Qqhcpo32.exe

Filesize
64KB

MD5
4e276c6543867e190fb91d29e7a835f4

SHA1
60bb105befdf90dc3eeb49e1d2e1d59de0da68b4

SHA256
6a417a089474a88369c6bdb92b2950e94425ec35ed4a478401170ff5e3eadd51

SHA512
1af2385c7353980e838c0b2af34244d67bfacccccd283541381c8de5808c64e136670e8f37a377a7d2d8b992573fe28ae57e5b8832026d0c8e8bfb0355ea786a

Download Submit
memory/856-287-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/880-70-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1104-165-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1200-132-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1200-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1232-291-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1232-211-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1284-308-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1288-325-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1656-141-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1656-48-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1696-130-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1816-278-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1816-186-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2056-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2056-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2136-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2136-203-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2248-102-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2344-300-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2444-307-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2444-228-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2448-276-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2484-121-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2536-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2536-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2716-280-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2716-195-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2968-16-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2968-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3008-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3008-177-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3104-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3248-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3248-227-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3268-96-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3268-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3556-314-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3592-249-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3620-220-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3620-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4004-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4004-267-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4228-271-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4312-255-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4312-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4380-251-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4460-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4460-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4780-279-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4816-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4816-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4916-150-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4916-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4936-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4936-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4992-305-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5012-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5012-253-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5024-111-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5052-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5052-218-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads