ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def

Resubmissions

14/03/2024, 00:33

240314-awl6zaea8y 10

Analysis

max time kernel
172s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
Size

297KB
MD5

000226a99db47c5c7a84a0c4137f8af5
SHA1

adbda08e57eec67867639d2766ccbd4035ef5db7
SHA256

ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def
SHA512

6818d0488dfcad502825c7db2ef8b4a8bb43193948e74a2781fee20df17d6a412244abe670e93d84b306b2b0d60c6068ee4d75fb1f5fc445a3623693f5a9b3dc
SSDEEP

6144:Tyt069Npui6yYPaIGckXBVbHmtswcoEe0g8IkQs4UAcoEwMY0g8IkQs4UAcoEwMo:+tzpV6yYPoBVgsPpV6yYPHGlm

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qlomemlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pimmil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gkgeipah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhklgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhennm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmipdq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aljmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmapc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hedhoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obhlkjaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppepkmhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbecljnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcofbifb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olgnnqpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkhbko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojdnbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagdgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flpkcbqm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olgnnqpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdoofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqakln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phekliab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gllajf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmhggbgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkhfek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghpooanf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdchakoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djegekil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekekcjih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adohmidb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chnlbndj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkcqdje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgjhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omgjhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppoijn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbglgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhgjcmfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkeakl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pidamcgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlfeeelm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkfop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obhlkjaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkodak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ickcaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bloflk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edkddeag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiinoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidamcgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aneppo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijedehgm.exe

Executes dropped EXE 64 IoCs

pid	Process
860	Gnqfcbnj.exe
4380	Lpfgmnfp.exe
3880	Qjfmkk32.exe
4088	Dafppp32.exe
3700	Dgcihgaj.exe
4988	Dahmfpap.exe
3088	Iimcma32.exe
2536	Lhgkgijg.exe
4712	Omfekbdh.exe
4796	Pimfpc32.exe
2136	Ddhomdje.exe
60	Djegekil.exe
4784	Dcnlnaom.exe
1840	Ddmhhd32.exe
4628	Ecbeip32.exe
1520	Fjeplijj.exe
2928	Fdkdibjp.exe
4480	Fqbeoc32.exe
3548	Fbaahf32.exe
1516	Mdghhb32.exe
3876	Nheqnpjk.exe
3492	Nhgmcp32.exe
3108	Ncmaai32.exe
2532	Nkhfek32.exe
3912	Nkjckkcg.exe
440	Ohqpjo32.exe
3784	Ocfdgg32.exe
2312	Ohcmpn32.exe
3036	Obkahddl.exe
3276	Omaeem32.exe
4576	Obnnnc32.exe
656	Omcbkl32.exe
4832	Pmeoqlpl.exe
5056	Pfncia32.exe
560	Pfppoa32.exe
4360	Pmjhlklg.exe
3008	Pbgqdb32.exe
2664	Pmmeak32.exe
1256	Pfeijqqe.exe
3624	Pkabbgol.exe
5028	Qifbll32.exe
3556	Qckfid32.exe
1440	Qihoak32.exe
4944	Jmgmhgig.exe
4752	Jeneidji.exe
788	Jglaepim.exe
4688	Jmijnfgd.exe
4248	Khonkogj.exe
3484	Kagbdenk.exe
3404	Khcgfo32.exe
4964	Kmppneal.exe
3460	Khfdlnab.exe
1108	Bgfhnpde.exe
528	Cbglgg32.exe
3384	Gllajf32.exe
4456	Gcfjfqah.exe
1976	Hhaope32.exe
4504	Hokgmpkl.exe
1340	Hhckeeam.exe
2156	Hcipcnac.exe
3880	Hhehkepj.exe
452	Iqmplbpl.exe
1828	Ijedehgm.exe
1060	Igieoleg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lbgcpb32.dll	Faamghko.exe
File created	C:\Windows\SysWOW64\Dnonap32.dll	Gkeakl32.exe
File created	C:\Windows\SysWOW64\Mcgckb32.dll	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Igieoleg.exe	Ijedehgm.exe
File opened for modification	C:\Windows\SysWOW64\Hcipcnac.exe	Hhckeeam.exe
File opened for modification	C:\Windows\SysWOW64\Ppffec32.exe	Npcaie32.exe
File opened for modification	C:\Windows\SysWOW64\Ommjnlnd.exe	Lkhbko32.exe
File created	C:\Windows\SysWOW64\Oggepi32.dll	Fejebdig.exe
File opened for modification	C:\Windows\SysWOW64\Aagdgd32.exe	Liikiccg.exe
File created	C:\Windows\SysWOW64\Pnkibcle.dll	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Pfeijqqe.exe	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Kmppneal.exe	Khcgfo32.exe
File created	C:\Windows\SysWOW64\Kkmapc32.exe	Chnlbndj.exe
File opened for modification	C:\Windows\SysWOW64\Pfgopnbo.exe	Jnifbmfo.exe
File created	C:\Windows\SysWOW64\Nhgmcp32.exe	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Ncmaai32.exe	Nhgmcp32.exe
File created	C:\Windows\SysWOW64\Edefnf32.dll	Fiheheka.exe
File created	C:\Windows\SysWOW64\Gbcffk32.exe	Glinjqhb.exe
File opened for modification	C:\Windows\SysWOW64\Pbbnbkpe.exe	Plifea32.exe
File created	C:\Windows\SysWOW64\Nlfeeelm.exe	Jjopmh32.exe
File opened for modification	C:\Windows\SysWOW64\Bgfhnpde.exe	Khfdlnab.exe
File created	C:\Windows\SysWOW64\Iqmplbpl.exe	Hhehkepj.exe
File opened for modification	C:\Windows\SysWOW64\Nhgmcp32.exe	Nheqnpjk.exe
File opened for modification	C:\Windows\SysWOW64\Hikkdc32.exe	Hcabhido.exe
File created	C:\Windows\SysWOW64\Abfqbdhd.exe	Mcnhfb32.exe
File created	C:\Windows\SysWOW64\Jmgmhgig.exe	Qihoak32.exe
File created	C:\Windows\SysWOW64\Qhnpleki.dll	Ghpooanf.exe
File created	C:\Windows\SysWOW64\Cboeco32.dll	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
File created	C:\Windows\SysWOW64\Khfdlnab.exe	Kmppneal.exe
File created	C:\Windows\SysWOW64\Iibaeb32.exe	Hedhoc32.exe
File created	C:\Windows\SysWOW64\Famhhb32.dll	Oplmdnpc.exe
File opened for modification	C:\Windows\SysWOW64\Qkmqne32.exe	Pdchakoo.exe
File created	C:\Windows\SysWOW64\Bcgjjgkh.dll	Bloflk32.exe
File opened for modification	C:\Windows\SysWOW64\Ickcaf32.exe	Hfemkdbm.exe
File created	C:\Windows\SysWOW64\Fmfbakio.dll	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Fpqifh32.dll	Ohqpjo32.exe
File opened for modification	C:\Windows\SysWOW64\Ppepkmhi.exe	Pdoofl32.exe
File created	C:\Windows\SysWOW64\Cqkgbc32.dll	Ppepkmhi.exe
File created	C:\Windows\SysWOW64\Dchkpa32.dll	Hikkdc32.exe
File created	C:\Windows\SysWOW64\Ikgahofh.dll	Olgnnqpe.exe
File opened for modification	C:\Windows\SysWOW64\Fiheheka.exe	Faamghko.exe
File created	C:\Windows\SysWOW64\Ejngcgpo.dll	Ickcaf32.exe
File created	C:\Windows\SysWOW64\Gfomcn32.dll	Pfncia32.exe
File created	C:\Windows\SysWOW64\Gkcjcf32.dll	Qihoak32.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Hfncib32.dll	Agfnhf32.exe
File created	C:\Windows\SysWOW64\Ilnbch32.exe	Fejebdig.exe
File opened for modification	C:\Windows\SysWOW64\Mmhggbgd.exe	Ljcejhnh.exe
File opened for modification	C:\Windows\SysWOW64\Hhckeeam.exe	Hokgmpkl.exe
File opened for modification	C:\Windows\SysWOW64\Anccjp32.exe	Agfnhf32.exe
File created	C:\Windows\SysWOW64\Anccjp32.exe	Agfnhf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdghhb32.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Fkiapn32.exe	Fiheheka.exe
File opened for modification	C:\Windows\SysWOW64\Pimfpc32.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Cnjjednc.dll	Aljmal32.exe
File created	C:\Windows\SysWOW64\Pifghmae.exe	Ommjnlnd.exe
File created	C:\Windows\SysWOW64\Aapkgh32.dll	Jglaepim.exe
File created	C:\Windows\SysWOW64\Fbjcplhj.exe	Flpkcbqm.exe
File created	C:\Windows\SysWOW64\Hnhbbmim.dll	Pimmil32.exe
File opened for modification	C:\Windows\SysWOW64\Gkgeipah.exe	Fpagdj32.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Pidamcgd.exe	Oplmdnpc.exe
File opened for modification	C:\Windows\SysWOW64\Fkgbli32.exe	Celelf32.exe
File opened for modification	C:\Windows\SysWOW64\Gnqfcbnj.exe	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghpooanf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdlbpldg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mphoob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aagdgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijedehgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhbbmim.dll"	Pimmil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abfqbdhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilnbch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gnqfcbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll"	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbiql32.dll"	Hcabhido.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pifghmae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Flddoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Facjlhil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcabhido.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjopmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbecljnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojhnlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjjednc.dll"	Aljmal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phekliab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmhggbgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmppneal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgjkl32.dll"	Pfgopnbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nheqnpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdaao32.dll"	Hokgmpkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhaae32.dll"	Giddddad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppepkmhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aapkgh32.dll"	Jglaepim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgfhnpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldafk32.dll"	Hfemkdbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlfeeelm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olgnnqpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkcjajig.dll"	Pdchakoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejgcpn32.dll"	Edkddeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpkcm32.dll"	Mphoob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhehkepj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnfnl32.dll"	Obfpejcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkkmj32.dll"	Pbbnbkpe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edefnf32.dll"	Fiheheka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhackbjl.dll"	Ghdhja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloebh32.dll"	Qlomemlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejngcgpo.dll"	Ickcaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phekliab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgfaf32.dll"	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khonkogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjfjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhbbojn.dll"	Flpkcbqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmbjcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gginjc32.dll"	Hhehkepj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hiinoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cllkcbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mphoob32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 860	4636	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe	88
PID 4636 wrote to memory of 860	4636	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe	88
PID 4636 wrote to memory of 860	4636	ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe	88
PID 860 wrote to memory of 4380	860	Gnqfcbnj.exe	91
PID 860 wrote to memory of 4380	860	Gnqfcbnj.exe	91
PID 860 wrote to memory of 4380	860	Gnqfcbnj.exe	91
PID 4380 wrote to memory of 3880	4380	Lpfgmnfp.exe	92
PID 4380 wrote to memory of 3880	4380	Lpfgmnfp.exe	92
PID 4380 wrote to memory of 3880	4380	Lpfgmnfp.exe	92
PID 3880 wrote to memory of 4088	3880	Qjfmkk32.exe	94
PID 3880 wrote to memory of 4088	3880	Qjfmkk32.exe	94
PID 3880 wrote to memory of 4088	3880	Qjfmkk32.exe	94
PID 4088 wrote to memory of 3700	4088	Dafppp32.exe	95
PID 4088 wrote to memory of 3700	4088	Dafppp32.exe	95
PID 4088 wrote to memory of 3700	4088	Dafppp32.exe	95
PID 3700 wrote to memory of 4988	3700	Dgcihgaj.exe	97
PID 3700 wrote to memory of 4988	3700	Dgcihgaj.exe	97
PID 3700 wrote to memory of 4988	3700	Dgcihgaj.exe	97
PID 4988 wrote to memory of 3088	4988	Dahmfpap.exe	98
PID 4988 wrote to memory of 3088	4988	Dahmfpap.exe	98
PID 4988 wrote to memory of 3088	4988	Dahmfpap.exe	98
PID 3088 wrote to memory of 2536	3088	Iimcma32.exe	99
PID 3088 wrote to memory of 2536	3088	Iimcma32.exe	99
PID 3088 wrote to memory of 2536	3088	Iimcma32.exe	99
PID 2536 wrote to memory of 4712	2536	Lhgkgijg.exe	101
PID 2536 wrote to memory of 4712	2536	Lhgkgijg.exe	101
PID 2536 wrote to memory of 4712	2536	Lhgkgijg.exe	101
PID 4712 wrote to memory of 4796	4712	Omfekbdh.exe	102
PID 4712 wrote to memory of 4796	4712	Omfekbdh.exe	102
PID 4712 wrote to memory of 4796	4712	Omfekbdh.exe	102
PID 4796 wrote to memory of 2136	4796	Pimfpc32.exe	104
PID 4796 wrote to memory of 2136	4796	Pimfpc32.exe	104
PID 4796 wrote to memory of 2136	4796	Pimfpc32.exe	104
PID 2136 wrote to memory of 60	2136	Ddhomdje.exe	105
PID 2136 wrote to memory of 60	2136	Ddhomdje.exe	105
PID 2136 wrote to memory of 60	2136	Ddhomdje.exe	105
PID 60 wrote to memory of 4784	60	Djegekil.exe	106
PID 60 wrote to memory of 4784	60	Djegekil.exe	106
PID 60 wrote to memory of 4784	60	Djegekil.exe	106
PID 4784 wrote to memory of 1840	4784	Dcnlnaom.exe	107
PID 4784 wrote to memory of 1840	4784	Dcnlnaom.exe	107
PID 4784 wrote to memory of 1840	4784	Dcnlnaom.exe	107
PID 1840 wrote to memory of 4628	1840	Ddmhhd32.exe	108
PID 1840 wrote to memory of 4628	1840	Ddmhhd32.exe	108
PID 1840 wrote to memory of 4628	1840	Ddmhhd32.exe	108
PID 4628 wrote to memory of 1520	4628	Ecbeip32.exe	109
PID 4628 wrote to memory of 1520	4628	Ecbeip32.exe	109
PID 4628 wrote to memory of 1520	4628	Ecbeip32.exe	109
PID 1520 wrote to memory of 2928	1520	Fjeplijj.exe	110
PID 1520 wrote to memory of 2928	1520	Fjeplijj.exe	110
PID 1520 wrote to memory of 2928	1520	Fjeplijj.exe	110
PID 2928 wrote to memory of 4480	2928	Fdkdibjp.exe	111
PID 2928 wrote to memory of 4480	2928	Fdkdibjp.exe	111
PID 2928 wrote to memory of 4480	2928	Fdkdibjp.exe	111
PID 4480 wrote to memory of 3548	4480	Fqbeoc32.exe	112
PID 4480 wrote to memory of 3548	4480	Fqbeoc32.exe	112
PID 4480 wrote to memory of 3548	4480	Fqbeoc32.exe	112
PID 3548 wrote to memory of 1516	3548	Fbaahf32.exe	113
PID 3548 wrote to memory of 1516	3548	Fbaahf32.exe	113
PID 3548 wrote to memory of 1516	3548	Fbaahf32.exe	113
PID 1516 wrote to memory of 3876	1516	Mdghhb32.exe	114
PID 1516 wrote to memory of 3876	1516	Mdghhb32.exe	114
PID 1516 wrote to memory of 3876	1516	Mdghhb32.exe	114
PID 3876 wrote to memory of 3492	3876	Nheqnpjk.exe	115

C:\Users\Admin\AppData\Local\Temp\ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe
"C:\Users\Admin\AppData\Local\Temp\ef2561077a3317c25f011cc183aef3fde328ace3e211dfbe398eaf7511358def.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SysWOW64\Gnqfcbnj.exe
  C:\Windows\system32\Gnqfcbnj.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\Lpfgmnfp.exe
    C:\Windows\system32\Lpfgmnfp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\SysWOW64\Qjfmkk32.exe
      C:\Windows\system32\Qjfmkk32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3880
    - - C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        24⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        26⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        28⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        31⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        34⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        36⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        37⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        41⤵
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        42⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\Jmgmhgig.exe
        
        C:\Windows\system32\Jmgmhgig.exe
        45⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Jeneidji.exe
        
        C:\Windows\system32\Jeneidji.exe
        46⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Jglaepim.exe
        
        C:\Windows\system32\Jglaepim.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Jmijnfgd.exe
        
        C:\Windows\system32\Jmijnfgd.exe
        48⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Khonkogj.exe
        
        C:\Windows\system32\Khonkogj.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Kagbdenk.exe
        
        C:\Windows\system32\Kagbdenk.exe
        50⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Khcgfo32.exe
        
        C:\Windows\system32\Khcgfo32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Kmppneal.exe
        
        C:\Windows\system32\Kmppneal.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Khfdlnab.exe
        
        C:\Windows\system32\Khfdlnab.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Bgfhnpde.exe
        
        C:\Windows\system32\Bgfhnpde.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Cbglgg32.exe
        
        C:\Windows\system32\Cbglgg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:528
        
        C:\Windows\SysWOW64\Gllajf32.exe
        
        C:\Windows\system32\Gllajf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Gcfjfqah.exe
        
        C:\Windows\system32\Gcfjfqah.exe
        57⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Hhaope32.exe
        
        C:\Windows\system32\Hhaope32.exe
        58⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Hokgmpkl.exe
        
        C:\Windows\system32\Hokgmpkl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Hhckeeam.exe
        
        C:\Windows\system32\Hhckeeam.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Hcipcnac.exe
        
        C:\Windows\system32\Hcipcnac.exe
        61⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\Hhehkepj.exe
        
        C:\Windows\system32\Hhehkepj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Iqmplbpl.exe
        
        C:\Windows\system32\Iqmplbpl.exe
        63⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Ijedehgm.exe
        
        C:\Windows\system32\Ijedehgm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Igieoleg.exe
        
        C:\Windows\system32\Igieoleg.exe
        65⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\Npcaie32.exe
        
        C:\Windows\system32\Npcaie32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ppffec32.exe
        
        C:\Windows\system32\Ppffec32.exe
        67⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Bqnemp32.exe
        
        C:\Windows\system32\Bqnemp32.exe
        68⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Bhennm32.exe
        
        C:\Windows\system32\Bhennm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4820
        
        C:\Windows\SysWOW64\Bjfjee32.exe
        
        C:\Windows\system32\Bjfjee32.exe
        70⤵
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Bhgjcmfi.exe
        
        C:\Windows\system32\Bhgjcmfi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1452
        
        C:\Windows\SysWOW64\Bjkcqdje.exe
        
        C:\Windows\system32\Bjkcqdje.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3192
        
        C:\Windows\SysWOW64\Flpkcbqm.exe
        
        C:\Windows\system32\Flpkcbqm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Fbjcplhj.exe
        
        C:\Windows\system32\Fbjcplhj.exe
        74⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Flddoa32.exe
        
        C:\Windows\system32\Flddoa32.exe
        75⤵
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Faamghko.exe
        
        C:\Windows\system32\Faamghko.exe
        76⤵
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Fiheheka.exe
        
        C:\Windows\system32\Fiheheka.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Fkiapn32.exe
        
        C:\Windows\system32\Fkiapn32.exe
        78⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\Facjlhil.exe
        
        C:\Windows\system32\Facjlhil.exe
        79⤵
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Glinjqhb.exe
        
        C:\Windows\system32\Glinjqhb.exe
        80⤵
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\Gbcffk32.exe
        
        C:\Windows\system32\Gbcffk32.exe
        81⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\Ghpooanf.exe
        
        C:\Windows\system32\Ghpooanf.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Gbecljnl.exe
        
        C:\Windows\system32\Gbecljnl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Gedohfmp.exe
        
        C:\Windows\system32\Gedohfmp.exe
        84⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Ghdhja32.exe
        
        C:\Windows\system32\Ghdhja32.exe
        85⤵
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Giddddad.exe
        
        C:\Windows\system32\Giddddad.exe
        86⤵
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Gkeakl32.exe
        
        C:\Windows\system32\Gkeakl32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Hifaic32.exe
        
        C:\Windows\system32\Hifaic32.exe
        88⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Hcofbifb.exe
        
        C:\Windows\system32\Hcofbifb.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4672
        
        C:\Windows\SysWOW64\Hiinoc32.exe
        
        C:\Windows\system32\Hiinoc32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Hcabhido.exe
        
        C:\Windows\system32\Hcabhido.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Hikkdc32.exe
        
        C:\Windows\system32\Hikkdc32.exe
        92⤵
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Hkodak32.exe
        
        C:\Windows\system32\Hkodak32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4940
        
        C:\Windows\SysWOW64\Hedhoc32.exe
        
        C:\Windows\system32\Hedhoc32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Iibaeb32.exe
        
        C:\Windows\system32\Iibaeb32.exe
        95⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Olgnnqpe.exe
        
        C:\Windows\system32\Olgnnqpe.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Ojhnlh32.exe
        
        C:\Windows\system32\Ojhnlh32.exe
        97⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Omgjhc32.exe
        
        C:\Windows\system32\Omgjhc32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Oinkmdml.exe
        
        C:\Windows\system32\Oinkmdml.exe
        99⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Obfpejcl.exe
        
        C:\Windows\system32\Obfpejcl.exe
        100⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Ojmgggdo.exe
        
        C:\Windows\system32\Ojmgggdo.exe
        101⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Obhlkjaj.exe
        
        C:\Windows\system32\Obhlkjaj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Oplmdnpc.exe
        
        C:\Windows\system32\Oplmdnpc.exe
        103⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Pidamcgd.exe
        
        C:\Windows\system32\Pidamcgd.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Ppoijn32.exe
        
        C:\Windows\system32\Ppoijn32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Pmbjcb32.exe
        
        C:\Windows\system32\Pmbjcb32.exe
        106⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Pdlbpldg.exe
        
        C:\Windows\system32\Pdlbpldg.exe
        107⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Pdoofl32.exe
        
        C:\Windows\system32\Pdoofl32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Ppepkmhi.exe
        
        C:\Windows\system32\Ppepkmhi.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Pmipdq32.exe
        
        C:\Windows\system32\Pmipdq32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Pdchakoo.exe
        
        C:\Windows\system32\Pdchakoo.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Qkmqne32.exe
        
        C:\Windows\system32\Qkmqne32.exe
        112⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Qlomemlj.exe
        
        C:\Windows\system32\Qlomemlj.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Agfnhf32.exe
        
        C:\Windows\system32\Agfnhf32.exe
        114⤵
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Anccjp32.exe
        
        C:\Windows\system32\Anccjp32.exe
        115⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Aneppo32.exe
        
        C:\Windows\system32\Aneppo32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Adohmidb.exe
        
        C:\Windows\system32\Adohmidb.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Agndidce.exe
        
        C:\Windows\system32\Agndidce.exe
        118⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Aljmal32.exe
        
        C:\Windows\system32\Aljmal32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Akkmocjl.exe
        
        C:\Windows\system32\Akkmocjl.exe
        120⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Aphegjhc.exe
        
        C:\Windows\system32\Aphegjhc.exe
        121⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Bloflk32.exe
        
        C:\Windows\system32\Bloflk32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Hmlicp32.exe
        
        C:\Windows\system32\Hmlicp32.exe
        123⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Lkhbko32.exe
        
        C:\Windows\system32\Lkhbko32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Ommjnlnd.exe
        
        C:\Windows\system32\Ommjnlnd.exe
        125⤵
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Pifghmae.exe
        
        C:\Windows\system32\Pifghmae.exe
        126⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Pimmil32.exe
        
        C:\Windows\system32\Pimmil32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Cllkcbnl.exe
        
        C:\Windows\system32\Cllkcbnl.exe
        128⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Plifea32.exe
        
        C:\Windows\system32\Plifea32.exe
        129⤵
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Pbbnbkpe.exe
        
        C:\Windows\system32\Pbbnbkpe.exe
        130⤵
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Chnlbndj.exe
        
        C:\Windows\system32\Chnlbndj.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:708
        
        C:\Windows\SysWOW64\Kkmapc32.exe
        
        C:\Windows\system32\Kkmapc32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Mcnhfb32.exe
        
        C:\Windows\system32\Mcnhfb32.exe
        133⤵
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Abfqbdhd.exe
        
        C:\Windows\system32\Abfqbdhd.exe
        134⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Becipn32.exe
        
        C:\Windows\system32\Becipn32.exe
        135⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Edkddeag.exe
        
        C:\Windows\system32\Edkddeag.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Fkjfloeo.exe
        
        C:\Windows\system32\Fkjfloeo.exe
        137⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Hfemkdbm.exe
        
        C:\Windows\system32\Hfemkdbm.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Ickcaf32.exe
        
        C:\Windows\system32\Ickcaf32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Mphoob32.exe
        
        C:\Windows\system32\Mphoob32.exe
        140⤵
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Oqakln32.exe
        
        C:\Windows\system32\Oqakln32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3532
        
        C:\Windows\SysWOW64\Celelf32.exe
        
        C:\Windows\system32\Celelf32.exe
        142⤵
        Drops file in System32 directory
        
        PID:3812
        
        C:\Windows\SysWOW64\Fkgbli32.exe
        
        C:\Windows\system32\Fkgbli32.exe
        143⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Jnifbmfo.exe
        
        C:\Windows\system32\Jnifbmfo.exe
        144⤵
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Pfgopnbo.exe
        
        C:\Windows\system32\Pfgopnbo.exe
        145⤵
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Phekliab.exe
        
        C:\Windows\system32\Phekliab.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Fpagdj32.exe
        
        C:\Windows\system32\Fpagdj32.exe
        147⤵
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Gkgeipah.exe
        
        C:\Windows\system32\Gkgeipah.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1748
        
        C:\Windows\SysWOW64\Jjopmh32.exe
        
        C:\Windows\system32\Jjopmh32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Nlfeeelm.exe
        
        C:\Windows\system32\Nlfeeelm.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Qemoff32.exe
        
        C:\Windows\system32\Qemoff32.exe
        151⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Jcbdph32.exe
        
        C:\Windows\system32\Jcbdph32.exe
        152⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Ojdnbj32.exe
        
        C:\Windows\system32\Ojdnbj32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Fejebdig.exe
        
        C:\Windows\system32\Fejebdig.exe
        154⤵
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Ilnbch32.exe
        
        C:\Windows\system32\Ilnbch32.exe
        155⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Ljcejhnh.exe
        
        C:\Windows\system32\Ljcejhnh.exe
        156⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Mmhggbgd.exe
        
        C:\Windows\system32\Mmhggbgd.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Pdhklgnf.exe
        
        C:\Windows\system32\Pdhklgnf.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4936
        
        C:\Windows\SysWOW64\Akkfop32.exe
        
        C:\Windows\system32\Akkfop32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1460
        
        C:\Windows\SysWOW64\Ekekcjih.exe
        
        C:\Windows\system32\Ekekcjih.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1936
        
        C:\Windows\SysWOW64\Fbmoabde.exe
        
        C:\Windows\system32\Fbmoabde.exe
        161⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Liikiccg.exe
        
        C:\Windows\system32\Liikiccg.exe
        162⤵
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Aagdgd32.exe
        
        C:\Windows\system32\Aagdgd32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Dkidme32.exe
        
        C:\Windows\system32\Dkidme32.exe
        164⤵
        
        PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagdgd32.exe

Filesize
297KB

MD5
536c62fc87315aa3511211d61605efb8

SHA1
cc1650052d966d8acb42a00d9f010f6205751fba

SHA256
06e303aabbf3fdacaa99cca4f5b36ea8cd4912c5e1c66aefb6fc3bbe44ba47d9

SHA512
f14a2ed98b9556d099868ef8a05da85049a58e775f1eb1b40a0bbed09ccdb1e253e1870858b0e89fb74c9c26c7bd48861dbc93e1d47ce65752bae46efa850908

Download Submit
C:\Windows\SysWOW64\Becipn32.exe

Filesize
297KB

MD5
6d7cc28bf7f178f4d2b44bf2cf02020f

SHA1
caace81e16ae769533a2c7778a885427eb1ad3da

SHA256
a8e1ebc6e73cabc57b45d3e9d7774df8fa0e953a5f11acf85523ce619b43cd26

SHA512
1f42417bff0cff027801f5e195df50897baa9256f767b89cda133b0c58d33e668a06e25828d82f35728e234e0f47dd6acc68c6d382f88b8fca76554562b96d52

Download Submit
C:\Windows\SysWOW64\Bjfjee32.exe

Filesize
297KB

MD5
d63551c9b8ff827c06a326747a65b50d

SHA1
eb3bf9146d76c9cc094cfcf1f07d2d0cbc42797b

SHA256
f4e2a569f58b0978cd2d50d1290ed7ff3d227adf2c6eaa8c5136dc18192a9fea

SHA512
e9ec535719d9392d7069609892e0e4badaf0864342aa3225c53e15071a6fe4a9590ba3106fc9b286c81d807c01edf178b05ba8f2fa0c33552f3cddb37ddb6c90

Download Submit
C:\Windows\SysWOW64\Dafppp32.exe

Filesize
297KB

MD5
f9f959f79f737e54517164c140f9ea63

SHA1
8c777ba68956a238bd2f0dbf9f4ece4161537d40

SHA256
c286f80710a74ff23e257788bce22c825190445f84f6f3b7f74523e3013e44fe

SHA512
5b98d264206035189940142ac92e624c47655fbded85238194bca95f20df05b3f99884aba7ef1e6bd6d83f123327a9ce52c5aceda3be9a620bdf1c24f7835c08

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
297KB

MD5
51187bc70e6c4a714c99e53f22b9bf30

SHA1
19275c0bdf665af3f1c5b3031db08a4617cfa4c2

SHA256
0b5fcf02e075630e55f0c48034cb33515ee205eb4173d5b70665606460484fc0

SHA512
fd47e3205bbef56b9635d1f8e9c4db151bfa5484dee828cb8dbbc2a654cc2f561232c9545fdb6a082c044ed72dc61740b5d0311780f507721bad7c44374fffef

Download Submit
C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
297KB

MD5
6d3e456ef6cf38304c675157e3057c7e

SHA1
3cd56a7345dcdf21ecd1ae3549fdfcac3731b918

SHA256
7fab3cff691b1f97cd28aaeb9310deed7fa9042bea1cd3fdac3676fb3827507c

SHA512
85f14925e264ca1f8936eca25c670614ece4de293a9fdcfdf85bb721217b74251a6e088ff308c88d345fd8933e2eb5a988d6c00d5e399efad78987228ac1c0ab

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
297KB

MD5
1dd4ac3a453f7fad80266603f47d03ef

SHA1
e4e7eb044fb3cf45b616e39a22584bea7d9c516d

SHA256
10810606a19f252969a02c7cb0e16d56c5ff74d621cc23897d237d6461c063c8

SHA512
009f0e374021ceb04886e1afc6176f88f9830f6324ea4bbfb6adbfe263c051f79cda3c2e31bb878346382dc9d5da7c4e4439d0588240308be1bc2d4d2988bda1

Download Submit
C:\Windows\SysWOW64\Ddmhhd32.exe

Filesize
297KB

MD5
07e43fe7fb2923c22dbdd9e9396b83f3

SHA1
e0536cf65f62b66b02a815287b83f4719c879574

SHA256
9f07c834193519e78d910af91bd7a5e5b251acb2b943cd4bbe5bc3c80d558a0a

SHA512
1b7dc6758f0585abb35be2bc2c5e6a04505f8e3c90cdca60c69cdde6c7d54bb093d3559185740d3ac1e682a046e663026ac8c6d0454374f424aa2134250d1172

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
297KB

MD5
7f29d34fc2f5e085ac17ea804b5a7a51

SHA1
12614dfcce4d56715515e1dda013923238454490

SHA256
96e4c51e19628dc82763e0521ccf65185f744140c54940b833d950b9042453b2

SHA512
73d5c5c29694b12336f991c087d9efce13535ae0c9e1e6aba93550abbad8f49f918e4c2b6b53e5924d82c73b5b35d82010e50e809903308554bc331e1d3f5fe5

Download Submit
C:\Windows\SysWOW64\Djegekil.exe

Filesize
297KB

MD5
3d820a205366c6d5d70cb899f42a0bdd

SHA1
2ce2e822f9399d00515ba046f5200afb8a68ee31

SHA256
eb64bb867d150fbfb8d84dfa983e4de5162afd47eca0e505090735f1033b154f

SHA512
15f943554e88eb46272176c783668619957e875ea53bcea1a68ed358d2a03585821f4e300f060ca4b2248e0d200aa9ee12f2ee2d2182c728e6ee8266c579d9bb

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
297KB

MD5
d6507b3dce7ed1aef95e450218190beb

SHA1
aefc28dc28335b27f613d065d183e176f9b3a3ad

SHA256
725d5464eb841abfe0e06d93283c7fb885a6901f97e1f76c82165836cbbfffd3

SHA512
0b9c93baa9630a3480dec10ac9ee3d0c3c19bac2d9b623934d494654775e68a268c1f111de20554dd3e8191cb98aab04d914c45c99e4e087c2f49d5852b678f1

Download Submit
C:\Windows\SysWOW64\Ekekcjih.exe

Filesize
297KB

MD5
553a9f97502c789fa244aba203bd8393

SHA1
a2b086a295b467defb5508716ffcdea6bb3a627a

SHA256
f70301010f5d0074151166391f798b9f089ba41cb3b75cec69d9bf14b0e0ae81

SHA512
2f87ad11eeb6db5ba81455a3cd5cf0df24c96887982c62afd96a5342f30d47c2e9a00fe51ad0b52a2c88c12e769d92aa467329263e3667a11caf746e533590e7

Download Submit
C:\Windows\SysWOW64\Fbaahf32.exe

Filesize
297KB

MD5
84280324539e622ad205049ee8f15904

SHA1
886847b26059c4b9069ca770e614cd7da3197782

SHA256
05051d8cf68d9e22e7b6291ce2ff5529ef35918c5d74ac4f23b6d856db42aafc

SHA512
638be18acd1e38c6cc0c41d6a468b2615b233528c79f8fd43b8499101de999a858c4c22fb2679ff4ee35a155a6c77bd405465d524a7712610a0598fba049e3a4

Download Submit
C:\Windows\SysWOW64\Fbjcplhj.exe

Filesize
297KB

MD5
d0d24115b25cff497b1ef098508b4aba

SHA1
80fec24152e2a5e1132852b978361b18925725e2

SHA256
5a78992e967bbe5f73da6ac4ce566471fad2d463d6666dc284b97c835f299d9e

SHA512
186f27f990dede4048c2e3fcf11655c0030db1d45b05bcf4c5ab6cfc5ba27b7dc636cb957261aea883b1360e503f83d402f1cd3ad016ed526b6ceeef8ea45791

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
297KB

MD5
3b4c2b213e4420e90533647b2a34cb1b

SHA1
b5b5757017c391ad6d77e3dbf7de9d89f55b9a5d

SHA256
47c67cabb3d4fdd0011e7ee8b38d9f2dd3542d1ea4b0ccb1f7c516a2cd7a0ee4

SHA512
a13823b5bec7b1b535b42a459e2465256be2c4eca6744f4f360bb19c968425065818305d8c7ca6ebfd282c9985bcdeb4b51f01b3e38d0a5b0a0b5ab1e0b77ffc

Download Submit
C:\Windows\SysWOW64\Fjeplijj.exe

Filesize
297KB

MD5
e45eed8f9b2ea433ccd6475f38924a83

SHA1
a6febe431c36b364228315fe434c9085e0ab050e

SHA256
3607808d9232c487957daedd2fbbfe7611bf63b4ddde57520ed16ee6df219382

SHA512
660bf343a11468009fe5e2ac0de4e09b5353efd0f4561c0b38d96c6c15c18c5b0376bf084f40cb03a7b7c889dca1d660227b1a2ff23902dcc77467aef4752080

Download Submit
C:\Windows\SysWOW64\Fqbeoc32.exe

Filesize
297KB

MD5
dbc7b68d68ba2a72c20eb998dbae53fd

SHA1
ca7820b87727cef13c64fdcb207218de01aa4fae

SHA256
5c954195cc70ed7e2450889cea7139613d79d5529558700154b1ef8bb28cae0b

SHA512
76688fa777d58d96d898c51fa41e1870e7b8632e681019c569a0bbe9d7e7e93a99ff9266027da2fcd6d7a61c4662c14ffc1958ae1765061abce7fcf767ff2a5f

Download Submit
C:\Windows\SysWOW64\Gelfeh32.dll

Filesize
7KB

MD5
d98a79cc7f5c3f1d3e252c2471a59517

SHA1
4c50dcc949a717b1301024229ded26223981f941

SHA256
1e81a715b59ec9374fc6b28cf22352023cedc4db6314eb551de8ae5d36405d2c

SHA512
1daa9ff27e4102501ec416afd39527e059436250a680b87e9cb05a42f4c2bf79c104aaba40c63aa83da43afd220f2ba052a3e0a8de391636f7dc02979dd5308b

Download Submit
C:\Windows\SysWOW64\Ghdhja32.exe

Filesize
297KB

MD5
1eb8f729e4774759a8a72f95f5572f6d

SHA1
3cfb0cf4bb9a6e7907bd8db42c15942204a6a8bf

SHA256
6722a7b2c97ba25ef14f1fb33d7dda294ec3d0a883250f087db295470d50d3a9

SHA512
80613e31a9031e5ac742d53ef0f2f2e24eb3f7be5bdb3bf7e8e12915289cfcfae26e528a34906c2f160c22eed8837fff13db673d0e165e016a746ea53acee2fa

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe

Filesize
297KB

MD5
0f1335a15dcae98cce6ca1a7c536fe30

SHA1
492471d9a4d9700454f2984847e96c73e87c6e5f

SHA256
49082750d8367899e72ed3c9592c9e6b3395a8f3d9e40ffa8a2e37b9fc291b60

SHA512
4479a1f7efa3e768217616b2cabd648aa4e1b98c34552ba3cdb12fca9a89c984161c54f3607ce848347117ad2ee596d5d7d2358e7894b08afd81660c4ed1cec8

Download Submit
C:\Windows\SysWOW64\Hedhoc32.exe

Filesize
297KB

MD5
0ec6149949f539761bf0664b31baebe0

SHA1
e884e74dd3e37470af4d3b442b8ba389d91d336e

SHA256
992f953b1dab642f936ef41058bab6f3a29e1cb51e5790c7fd05694fa4f86a2f

SHA512
0d32af10496fc6e24b9af67b0bba1f9cba39cb7f0d94388a876e11e5f6d1b530169cb63f17c9a77dc8f83cb1cf626e36772b9d536c22b606a0fb2755d8e7d611

Download Submit
C:\Windows\SysWOW64\Hfemkdbm.exe

Filesize
297KB

MD5
14e02b55b2039669e30d44d3d120811e

SHA1
baf3578a5c826401e02aa9e143eaa3c120355375

SHA256
f9105f0c882ebfe35f6e7aeacd7891b7432e8df2051afd95c16a1284d15b33a7

SHA512
0e5dbc9813d1872c7fc59301546d7627f8fee9b6b37182d799cedbda47e6c4f02068f8bc6cc118fe885fd2157e182dfe6edfc2f21451425b3af75af1007057f7

Download Submit
C:\Windows\SysWOW64\Hkodak32.exe

Filesize
297KB

MD5
a2c40c3d5ffc708a815b3e47b785729b

SHA1
1c29b125bf231b92add1ddb91eca7dc6c53e2b44

SHA256
19498ac43b417a8b09b24c03b1c5b187f6e3c57879f4ce488da3e7415ce6cf95

SHA512
00d491a5e6f614a226cc8d8c28e5b7462313792a7946d23adc29eb9fc42d4c57a90e9ef6cb2cf02a1350f6c3f889d8a08464432c8a93d2d52314b91140f8d66e

Download Submit
C:\Windows\SysWOW64\Iimcma32.exe

Filesize
297KB

MD5
65fd58b0e4a6345ea2158fd27a26616b

SHA1
8c4c2b122bdb9f8b712238abcf4d1900c4110aae

SHA256
a5f9c0b3ff61f2fe42dd9b91d7141d7f4d17d36fed10a69ac70276b21a221a1a

SHA512
27cbdaffd5d92f32bb39cfb6b62c40cbc6ebab399a357c1671b68270ec936e323d068a9b5d13b0b4076210753808568ea19e94e4972a5058373dce1d1db10824

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
297KB

MD5
e485e93bb80111ac3cce6abe66cb1ac4

SHA1
10185caceb3267195c68c75701c1e64052f374c3

SHA256
f80ab7c3051b48b97ebe331a09a92cf7771b577e42b33f82a288dd6fa01a028d

SHA512
5ffe6eeb3f9dcbc3d4408863921a802a0eb26f856ce3e8b28c5bfff49fb319e065b89ec52e1c8774b145fa12904517003ad197d02ee22792a647a5737a2abbab

Download Submit
C:\Windows\SysWOW64\Lpfgmnfp.exe

Filesize
297KB

MD5
95a469a349e521eb1cf7b69b1f23ba3c

SHA1
3172dfa5e71c3b75611d9bcd16432c9ab70aa331

SHA256
d7a6f54525a7884ee21be3ef58a4a2b1710fd9d0e86f259efd34b5614e776715

SHA512
dbfce199834690d468f8a7d5cb2c19b792d2cca63b598dfdc712e91e68bbba067d1c23b7e8e4f3ccd9761af1d725a5531c38fbb1f8f316a585dce174c3e5dea0

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
297KB

MD5
eba79b4a8d35587c0bbe0f4c1b0f8677

SHA1
f2462b2a2b04aeb8a8f163cb3e248ad4850846b9

SHA256
c5c7eccdb53ab4068321fd0cd41555f851ce2c5ae2aec1dfa74f15412c03f605

SHA512
e92c428eb01e09781e009ae527e9d50c031f1c5cd50cd88135051263f89865ca760ed37018546f648af309310903e5a250a910ae0c5d894fecb8374ff74f1148

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
297KB

MD5
c4e9e9bf4e1ff300105fa8a20df06677

SHA1
e749f185dc09170c844697445e9f0c62e58e5f94

SHA256
ac38e06dd2564c2e692013b3e5cd1fa2c9a2f4bc4b91b4ac010da1221e981d60

SHA512
153d6e1db45de3e69153b10d34ba63dddce137cd6542f32002149981df00d01ea02890b9fa218c33a1384e51616acf8883b3819420e6321c592d1936eef9cf83

Download Submit
C:\Windows\SysWOW64\Nheqnpjk.exe

Filesize
297KB

MD5
2075c1d559031bda1352473a2aae39fa

SHA1
2af4d9471c5d5d212466bb24e378f181d2a09e7b

SHA256
b57173710b22db0068952b5fe811de03f43f85c7cedb02237d21e9ce89dda6e7

SHA512
8ebb41f7a1c22932a4de656e852675a89fffcde5e7460d3de7e0d9d7b30471478fd994ad1cb9ce3aa9e435baa6d5f2146e18289620391160f4a79d2597be923f

Download Submit
C:\Windows\SysWOW64\Nhgmcp32.exe

Filesize
297KB

MD5
76d3d57eec754abee15e77524e5c38df

SHA1
1f1e590af61f5a78fb6eb0444155a9ea9190e5d5

SHA256
93450b5bedcb1ba35433a724760b39332ca05e3b8d94d240fef66a10b1f2318e

SHA512
09ab8b8a8621754734942e94d094f7cc970e0c8604d34a4cc21a5f72ac0f7ec8fe0f8608058a324746fdc9862a9106b173b3d6245df07010803a7b0ca1b2e7bb

Download Submit
C:\Windows\SysWOW64\Nkhfek32.exe

Filesize
297KB

MD5
b42a9c4cdd535f732cccc612d375b77d

SHA1
7c324a87f515ec6a36d950158124e04077f78b45

SHA256
44c622d1cfc0c75e137c15cb506cbfa430083c3f399859adb39a3d7169d971f3

SHA512
738a06203b34d3c88d6b18b038b8e77fa425da06c300c0139c1b2a243bae144cf7be385971810214e798a2493b033e03b5cea00bc9c82a3f4d7b25a4ea89a556

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
297KB

MD5
4febc2cebde6a021c90a205f9507f0fa

SHA1
5fef64e3489389ef560a5bf699e9f3cb1a28bd5c

SHA256
58e7f00f71429e8bd9dec7177c7740b50b2bc31068b3142bc33bd56faee52f80

SHA512
74a31664b4e19a24fd9eb7b9559357cb86c9800c86b096a15f7161097bee9f6c8ac8e977e9475647e6c85089d7531778a3f56f1a5432559312f6cc4a8240b6ad

Download Submit
C:\Windows\SysWOW64\Obkahddl.exe

Filesize
297KB

MD5
c1fbc6321f8ce5797756edef85922f37

SHA1
13853e2fd59281fda496090a45f6b0a1fc97ef85

SHA256
d63b220f5594c5783702b7ab12fe45bf0e6eb8a2c6d8703a2d81e638069671cf

SHA512
02043604e5621730a600f4b8c564c0caf79f866a782936432fd167c691658ecb3e893f896d72da1a46fa21adfcbd2d9e17c80facd4f23de2b8f49a91b3e92b93

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe

Filesize
297KB

MD5
2b13f103ec6333ead485072ff073f741

SHA1
9d27f95cc09477e49bc97849a0e44a3bd29d165a

SHA256
ca709c66ccde920414778913903328ad2832c94a058bc4f0d1f3295c0134771f

SHA512
5763a07ce7552b5547ebb91931dfcde1f4e86b12338db2cf8e42bc7a0201113cef51dcbdfbcfe014c89c9a89f7c8786af070ad8399fbb171d3b871f294d7e2b4

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
297KB

MD5
d6f9d740f5126bdbcf672c3d8eeb4ba1

SHA1
0956a85ba07481dbb5a413ed67553f483fbc9fbc

SHA256
3754efae2fc6a316dace09f380afb89a423eea46ef481b2dbdb962e56e24c977

SHA512
f403fd58a80395400db25805b4dd03647c8186a7818aef207d38629cc251ad167deced74b5b3b16821aefc247b90b567a50c52acc114708e94ec2f7269f833c9

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
297KB

MD5
3acfc2c88c9e8adbb7906dbff1d96b7f

SHA1
622b3925cdbd5eca573fc26554286bfb00149eb4

SHA256
297c499a05385ef44cfa4e4f679004d4a83e3d12db4fab3c167e98844464da5f

SHA512
2689db81b02a4a121f4934cb6c0fbca95004714235391d1671392fe600062e253c286150bdf4bd11c7a9f57bb0c05c5dffc53ca6e21a428629677db15a807cd1

Download Submit
C:\Windows\SysWOW64\Ohqpjo32.exe

Filesize
297KB

MD5
f9b00a7a55f74eb39f5277361df1ca18

SHA1
06e20150f72df6d4b50083ff14373bef7872fe77

SHA256
61080947dc0400b1c1567127dcb101731c9c2695439cf0ef80a0d66a29436c62

SHA512
50f7a46f495d19f4c3ed9d47924043921a2e0d26e33d9c66e874e795c693f3deccffca8b95b3fc0057300249b7cc74b951a9a06a93fe64551746436efb5f5513

Download Submit
C:\Windows\SysWOW64\Omaeem32.exe

Filesize
297KB

MD5
065c765138a7fa7579897a368831b5de

SHA1
6d3a4185313d4127557e1f2f4f1f45ace206b949

SHA256
cefdd3f541f0f50a9080d00fd8c81a36d13966a5f3128c9953d7bc089d9a9fee

SHA512
e6bb81584bba74fdcc50ec24eb2f6921d6034fb14c125f1290cf951963b94c132a0cb496fa77ad910b2fa2a8bf622d3701297ef25e3863ec7de99ce790a575f5

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
297KB

MD5
8a954476ca1ef7900714654283f11c60

SHA1
7bee8a45e02e57057f4576c17809ddee247b9ff7

SHA256
fce7990388a7b0441e512a536c6fd9bd80721577eb1772c8b747c9aa42fdb11a

SHA512
d2e79ad23e35e1c9a1ab17928ff42add340f3c7251d4db1558d320ff41c05705fde3f43cd5d990b7157efe4e27b4fcf0860ec12af97e3eb988e69eeaf3ae508a

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
297KB

MD5
c777cc13ccccf2cee350502f086fc30c

SHA1
b0cd1d4efee2a50ae62fb310eda8e4481c8f72cd

SHA256
41186116fc09f24d5853c99591d3a787b3e71fbf61445753553bf4a4eb4649d3

SHA512
0b7a2be4e84e85f66707619ab610aa13d5330a94fc968d4c07987cba8422899211f71879a5db0a9b7f863ff75394c4b058d82fe493f1293896ec6f2d660895e5

Download Submit
C:\Windows\SysWOW64\Phekliab.exe

Filesize
297KB

MD5
d82bccc822338e1705b26541b8bd06ee

SHA1
e0ef0e3cd5677f20f4e0c63fd96613075a628cc5

SHA256
eab090b172b416e0f906431a97583d8c557fecd235f2cb701dbe6134e35f40c9

SHA512
96388670daa6e2372415d624a72f164af05c7e2aff1c8fe696ebbcb42fabccbecc6843d53cb4c70007ceee11e0a16bf81cd85f80e7978a86af5a4597ce4097b9

Download Submit
C:\Windows\SysWOW64\Pifghmae.exe

Filesize
297KB

MD5
cc177e97c35ebd24f4d5bf5df1a948cb

SHA1
8d627b409ba8d645ffa0d4cab4236e9d6c3ea08d

SHA256
44ccdcc9138bbf19f122341b1096a2905cd950596119dc880aac7acb644c8a27

SHA512
6c6d76009ce7241db13e4fa66c113d2a2d8bccc0eb27e4d9a7c9a478ea2c95d27e41cd6b071d657257193ff456513accd3c4249113543fee3d34acd3f18dfaa2

Download Submit
C:\Windows\SysWOW64\Pimfpc32.exe

Filesize
297KB

MD5
cccbb7170638760488ad8d84f1879cfd

SHA1
77779bbf1c15b77cc27c3481a6f974fd9c123513

SHA256
a74aa307e2144918071fa8eb5cc763f427d5c3fa98888e90a16e0b1759a141f3

SHA512
7ea265c7524acff725aeda8de682e6fa9dcf20d6ce4fe09e232f4128570ad2467537b49978202ea7b95245e55ae0d2d6ef1f7e57b67b646b511bf878abe4bdec

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
297KB

MD5
154cc5fd0182c45c49383b8111b99512

SHA1
afb699ede046260d08995cdd871cc92a89acb6c2

SHA256
54685f40b755b1d7c25397c856ab48b2f182b7c8f5893c2f0b4c52a70d1137dd

SHA512
998736dbd1c30588dc38c49b65cf3c341f311135cf080c7c822cdf6ca390848b14c30d645b1b2cd8bed9e17106a1bf4e042c0246b4d0ea457e884fc8c57b7f6d

Download Submit
memory/60-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/788-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads