009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe
Size

303KB
MD5

147f34cda32f4a464022a3ea08654e5a
SHA1

a7a6f17b8f862569ff11e45fe98dc56a836934fc
SHA256

009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1
SHA512

2396d14ea2efd02e517f37cef94e64c699bf6a015a9bde817d29df26d6364f5826277da068858afc6460dee6774a609a2a94b4151f97731310a1b7f5537139ef
SSDEEP

6144:EuL71pfeI5CPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSpaH8m34:JLhptFHRFbeE8mo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeifj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcfidb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggmmlamj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poidhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnobj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cibain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nchhfild.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibqnkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcfbkpab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidehpea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfncia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egkddo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igmoih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjoif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiiflaoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfbjdnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnonkq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpochfji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jldkeeig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkholi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aimogakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Namegfql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiekog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jldkeeig.exe

Executes dropped EXE 64 IoCs

pid	Process
3396	Mgloefco.exe
1804	Ocohmc32.exe
2700	Pjkmomfn.exe
4472	Pjdpelnc.exe
3480	Qjfmkk32.exe
1728	Qfmmplad.exe
3412	Akkffkhk.exe
2692	Aaldccip.exe
1920	Baannc32.exe
3644	Bhpofl32.exe
1800	Chiblk32.exe
4528	Cdpcal32.exe
1932	Cgqlcg32.exe
2520	Dafppp32.exe
4380	Dhbebj32.exe
3436	Dnonkq32.exe
1168	Dkcndeen.exe
3628	Dgjoif32.exe
3748	Ddnobj32.exe
2476	Ebdlangb.exe
440	Egened32.exe
1568	Eiekog32.exe
216	Fganqbgg.exe
5100	Ggmmlamj.exe
3392	Hhdcmp32.exe
1096	Hnnljj32.exe
2920	Hlblcn32.exe
816	Hihibbjo.exe
3468	Ibqnkh32.exe
3552	Ieagmcmq.exe
4948	Iahgad32.exe
3692	Ilphdlqh.exe
1592	Joqafgni.exe
4424	Jldbpl32.exe
4732	Jihbip32.exe
2284	Jikoopij.exe
2460	Johggfha.exe
2448	Jllhpkfk.exe
3512	Klndfj32.exe
5096	Kbhmbdle.exe
408	Keifdpif.exe
3988	Kapfiqoj.exe
4580	Kcoccc32.exe
5068	Kadpdp32.exe
1940	Lpepbgbd.exe
5136	Lllagh32.exe
5176	Lcfidb32.exe
5220	Lchfib32.exe
5260	Llqjbhdc.exe
5300	Lpochfji.exe
5340	Mhjhmhhd.exe
5380	Mablfnne.exe
5420	Mlhqcgnk.exe
5460	Mjnnbk32.exe
5500	Mcfbkpab.exe
5540	Mqjbddpl.exe
5580	Nfgklkoc.exe
5620	Noppeaed.exe
5656	Nhhdnf32.exe
5712	Ncmhko32.exe
5748	Ojnfihmo.exe
5792	Ookoaokf.exe
5836	Obnehj32.exe
5876	Opbean32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Apjdikqd.exe	Aiplmq32.exe
File opened for modification	C:\Windows\SysWOW64\Fbaahf32.exe	Fglnkm32.exe
File created	C:\Windows\SysWOW64\Mgloefco.exe	009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe
File created	C:\Windows\SysWOW64\Dhbebj32.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Pfhmjf32.exe	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Pnnggcqk.dll	Piaiqlak.exe
File created	C:\Windows\SysWOW64\Nohjfifo.dll	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Acccdj32.exe	Aimogakj.exe
File created	C:\Windows\SysWOW64\Pfqdbl32.dll	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Dgdncplk.exe	Dahfkimd.exe
File created	C:\Windows\SysWOW64\Jakjcj32.dll	Hjfbjdnd.exe
File opened for modification	C:\Windows\SysWOW64\Aaldccip.exe	Akkffkhk.exe
File opened for modification	C:\Windows\SysWOW64\Bhpofl32.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Cgpfqchb.dll	Jihbip32.exe
File created	C:\Windows\SysWOW64\Pnkibcle.dll	Pbcncibp.exe
File created	C:\Windows\SysWOW64\Dbcdbi32.dll	Bfkbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Bpjmph32.exe	Bdcmkgmm.exe
File opened for modification	C:\Windows\SysWOW64\Cdhffg32.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Gbjlkd32.dll	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Dgjoif32.exe	Dkcndeen.exe
File created	C:\Windows\SysWOW64\Kapfiqoj.exe	Keifdpif.exe
File created	C:\Windows\SysWOW64\Mjpnkbfj.dll	Llqjbhdc.exe
File created	C:\Windows\SysWOW64\Nbdenofm.dll	Nlgbon32.exe
File opened for modification	C:\Windows\SysWOW64\Ldfoad32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Oloipmfd.exe	Ofdqcc32.exe
File opened for modification	C:\Windows\SysWOW64\Ilphdlqh.exe	Iahgad32.exe
File created	C:\Windows\SysWOW64\Lpochfji.exe	Llqjbhdc.exe
File opened for modification	C:\Windows\SysWOW64\Lpochfji.exe	Llqjbhdc.exe
File created	C:\Windows\SysWOW64\Hhdebqbi.dll	Dkbgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Mklfjm32.exe	Lhgdmb32.exe
File created	C:\Windows\SysWOW64\Ngkpgkbd.dll	Namegfql.exe
File created	C:\Windows\SysWOW64\Bdlgcp32.dll	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Jabphdjm.dll	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Hlblcn32.exe	Hnnljj32.exe
File created	C:\Windows\SysWOW64\Ebpmamlm.dll	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Ckcdlpbd.dll	Eiekog32.exe
File opened for modification	C:\Windows\SysWOW64\Mqjbddpl.exe	Mcfbkpab.exe
File created	C:\Windows\SysWOW64\Pafpga32.dll	Qiiflaoo.exe
File opened for modification	C:\Windows\SysWOW64\Janghmia.exe	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Fganqbgg.exe	Eiekog32.exe
File opened for modification	C:\Windows\SysWOW64\Pbcncibp.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Indkpcdk.exe	Igjbci32.exe
File created	C:\Windows\SysWOW64\Aafjpc32.dll	Aidehpea.exe
File created	C:\Windows\SysWOW64\Jldkeeig.exe	Janghmia.exe
File opened for modification	C:\Windows\SysWOW64\Jldkeeig.exe	Janghmia.exe
File created	C:\Windows\SysWOW64\Klmnkdal.exe	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Pkholi32.exe	Obpkcc32.exe
File created	C:\Windows\SysWOW64\Jikoopij.exe	Jihbip32.exe
File created	C:\Windows\SysWOW64\Jllhpkfk.exe	Johggfha.exe
File opened for modification	C:\Windows\SysWOW64\Aimogakj.exe	Abcgjg32.exe
File opened for modification	C:\Windows\SysWOW64\Okmpqjad.exe	Odbgdp32.exe
File created	C:\Windows\SysWOW64\Bllolf32.dll	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Pekihfdc.dll	Johggfha.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Pjdpelnc.exe	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Mablfnne.exe	Mhjhmhhd.exe
File opened for modification	C:\Windows\SysWOW64\Fqfojblo.exe	Fjmfmh32.exe
File opened for modification	C:\Windows\SysWOW64\Mjnnbk32.exe	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Bailkjga.dll	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Iapjgo32.exe	Hjfbjdnd.exe
File created	C:\Windows\SysWOW64\Omaeem32.exe	Obkahddl.exe
File created	C:\Windows\SysWOW64\Pbimjb32.exe	Piaiqlak.exe
File opened for modification	C:\Windows\SysWOW64\Ocohmc32.exe	Mgloefco.exe
File opened for modification	C:\Windows\SysWOW64\Jldbpl32.exe	Joqafgni.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfodpbqp.dll"	Gjcmngnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnkhjdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Baannc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmapeg32.dll"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohnnkjk.dll"	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peaggfjj.dll"	009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgloefco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhcmpgk.dll"	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkqjp32.dll"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggmmlamj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllolf32.dll"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnnljj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbofa32.dll"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cibain32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabphdjm.dll"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcokoo32.dll"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnkhjdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaodd32.dll"	Aimogakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iponmakp.dll"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfbjdnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pddlig32.dll"	Hnkhjdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncnpk32.dll"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loopdmpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnonkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgnqacq.dll"	Omaeem32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 3396	2120	009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe	97
PID 2120 wrote to memory of 3396	2120	009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe	97
PID 2120 wrote to memory of 3396	2120	009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe	97
PID 3396 wrote to memory of 1804	3396	Mgloefco.exe	98
PID 3396 wrote to memory of 1804	3396	Mgloefco.exe	98
PID 3396 wrote to memory of 1804	3396	Mgloefco.exe	98
PID 1804 wrote to memory of 2700	1804	Ocohmc32.exe	99
PID 1804 wrote to memory of 2700	1804	Ocohmc32.exe	99
PID 1804 wrote to memory of 2700	1804	Ocohmc32.exe	99
PID 2700 wrote to memory of 4472	2700	Pjkmomfn.exe	100
PID 2700 wrote to memory of 4472	2700	Pjkmomfn.exe	100
PID 2700 wrote to memory of 4472	2700	Pjkmomfn.exe	100
PID 4472 wrote to memory of 3480	4472	Pjdpelnc.exe	101
PID 4472 wrote to memory of 3480	4472	Pjdpelnc.exe	101
PID 4472 wrote to memory of 3480	4472	Pjdpelnc.exe	101
PID 3480 wrote to memory of 1728	3480	Qjfmkk32.exe	102
PID 3480 wrote to memory of 1728	3480	Qjfmkk32.exe	102
PID 3480 wrote to memory of 1728	3480	Qjfmkk32.exe	102
PID 1728 wrote to memory of 3412	1728	Qfmmplad.exe	104
PID 1728 wrote to memory of 3412	1728	Qfmmplad.exe	104
PID 1728 wrote to memory of 3412	1728	Qfmmplad.exe	104
PID 3412 wrote to memory of 2692	3412	Akkffkhk.exe	106
PID 3412 wrote to memory of 2692	3412	Akkffkhk.exe	106
PID 3412 wrote to memory of 2692	3412	Akkffkhk.exe	106
PID 2692 wrote to memory of 1920	2692	Aaldccip.exe	107
PID 2692 wrote to memory of 1920	2692	Aaldccip.exe	107
PID 2692 wrote to memory of 1920	2692	Aaldccip.exe	107
PID 1920 wrote to memory of 3644	1920	Baannc32.exe	108
PID 1920 wrote to memory of 3644	1920	Baannc32.exe	108
PID 1920 wrote to memory of 3644	1920	Baannc32.exe	108
PID 3644 wrote to memory of 1800	3644	Bhpofl32.exe	109
PID 3644 wrote to memory of 1800	3644	Bhpofl32.exe	109
PID 3644 wrote to memory of 1800	3644	Bhpofl32.exe	109
PID 1800 wrote to memory of 4528	1800	Chiblk32.exe	110
PID 1800 wrote to memory of 4528	1800	Chiblk32.exe	110
PID 1800 wrote to memory of 4528	1800	Chiblk32.exe	110
PID 4528 wrote to memory of 1932	4528	Cdpcal32.exe	111
PID 4528 wrote to memory of 1932	4528	Cdpcal32.exe	111
PID 4528 wrote to memory of 1932	4528	Cdpcal32.exe	111
PID 1932 wrote to memory of 2520	1932	Cgqlcg32.exe	112
PID 1932 wrote to memory of 2520	1932	Cgqlcg32.exe	112
PID 1932 wrote to memory of 2520	1932	Cgqlcg32.exe	112
PID 2520 wrote to memory of 4380	2520	Dafppp32.exe	113
PID 2520 wrote to memory of 4380	2520	Dafppp32.exe	113
PID 2520 wrote to memory of 4380	2520	Dafppp32.exe	113
PID 4380 wrote to memory of 3436	4380	Dhbebj32.exe	114
PID 4380 wrote to memory of 3436	4380	Dhbebj32.exe	114
PID 4380 wrote to memory of 3436	4380	Dhbebj32.exe	114
PID 3436 wrote to memory of 1168	3436	Dnonkq32.exe	115
PID 3436 wrote to memory of 1168	3436	Dnonkq32.exe	115
PID 3436 wrote to memory of 1168	3436	Dnonkq32.exe	115
PID 1168 wrote to memory of 3628	1168	Dkcndeen.exe	116
PID 1168 wrote to memory of 3628	1168	Dkcndeen.exe	116
PID 1168 wrote to memory of 3628	1168	Dkcndeen.exe	116
PID 3628 wrote to memory of 3748	3628	Dgjoif32.exe	117
PID 3628 wrote to memory of 3748	3628	Dgjoif32.exe	117
PID 3628 wrote to memory of 3748	3628	Dgjoif32.exe	117
PID 3748 wrote to memory of 2476	3748	Ddnobj32.exe	118
PID 3748 wrote to memory of 2476	3748	Ddnobj32.exe	118
PID 3748 wrote to memory of 2476	3748	Ddnobj32.exe	118
PID 2476 wrote to memory of 440	2476	Ebdlangb.exe	119
PID 2476 wrote to memory of 440	2476	Ebdlangb.exe	119
PID 2476 wrote to memory of 440	2476	Ebdlangb.exe	119
PID 440 wrote to memory of 1568	440	Egened32.exe	120

C:\Users\Admin\AppData\Local\Temp\009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe
"C:\Users\Admin\AppData\Local\Temp\009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\Mgloefco.exe
  C:\Windows\system32\Mgloefco.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\SysWOW64\Ocohmc32.exe
    C:\Windows\system32\Ocohmc32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\Pjkmomfn.exe
      C:\Windows\system32\Pjkmomfn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\Fganqbgg.exe
        
        C:\Windows\system32\Fganqbgg.exe
        24⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        26⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        28⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        31⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        33⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        35⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        37⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        41⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        43⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        44⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        46⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        47⤵
        Executes dropped EXE
        
        PID:5136
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5176
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5220
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5300
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        53⤵
        Executes dropped EXE
        
        PID:5380
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        57⤵
        Executes dropped EXE
        
        PID:5540
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        58⤵
        Executes dropped EXE
        
        PID:5580
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        59⤵
        Executes dropped EXE
        
        PID:5620
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        60⤵
        Executes dropped EXE
        
        PID:5656
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        62⤵
        Executes dropped EXE
        
        PID:5748
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5792
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        64⤵
        Executes dropped EXE
        
        PID:5836
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        67⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        68⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        69⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        70⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        78⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        80⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        81⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        82⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        84⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        86⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        87⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        91⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        92⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        94⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        95⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        97⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        98⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        100⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        103⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        105⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        106⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        107⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        108⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        110⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        111⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        112⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        114⤵
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        116⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6564
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        118⤵
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\Hnkhjdle.exe
        
        C:\Windows\system32\Hnkhjdle.exe
        119⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        120⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        122⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        123⤵
        Drops file in System32 directory
        
        PID:6836
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        124⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        126⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        127⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        128⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        129⤵
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        130⤵
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        131⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        133⤵
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        135⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        136⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        137⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6692
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        139⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        140⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6896
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        142⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7056
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        144⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        145⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Loopdmpk.exe
        
        C:\Windows\system32\Loopdmpk.exe
        146⤵
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6788
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        151⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6956
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        155⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        156⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        159⤵
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        161⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        162⤵
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        165⤵
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        166⤵
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        167⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        168⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        169⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7256
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7296
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        172⤵
        Modifies registry class
        
        PID:7336
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        173⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7432
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7476
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        176⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        177⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        178⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        179⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        180⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        181⤵
        Modifies registry class
        
        PID:7740
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        182⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        183⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        184⤵
        
        PID:7880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:7468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaldccip.exe

Filesize
303KB

MD5
38a30f5bb7c2bb7181b6f955ce12cd73

SHA1
9e833be8c447c17db7426f96b92b8e068336622d

SHA256
db8da18386687277361fd73f88acccd1fdc4a179d3a5ccfc201ac8645b098c43

SHA512
4e85638b75cad4b953ddb5fee7add1d41c4ebdb928237783e79af2f02f82581ddbe8105a692b74cac1d0af7b06dac4d0c289599749535c187db7124d3ce34583

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
303KB

MD5
f1996be231e68e1290c6d3b197e01cfc

SHA1
7750768ef9bcc694e7841b1245aa2a8027c4b09a

SHA256
27a7ed99f820ccdfeef301f576172d62d6fec50181d3374dd2b3b5dfc36d982a

SHA512
3850344d20aa0966b38c1c3cb66823671fde6b27f7fbec89fa623fa94aee2a9773971580b13888a4bc113b0d6f29fd287ecef1bc7a63ea6c83e140d998ffc0cc

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
303KB

MD5
eac975805065753a8363b08a2ef4c5bb

SHA1
3c984b583ad9e389de35e459dc80bfc141fcb3ab

SHA256
8ab6f995e5f6f9de22369fdbc242012e537cb3c8b8ff747e92903251407d83c4

SHA512
b681e4828234200d2bdc2e2292fb198154130a94f1c29f135c7c15b625189b9e6a4120741cac20c8c078ab2f4c0a08bc1f7a1ccd189e2ae8e541c5bc460b5f7a

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
303KB

MD5
e8e3e02c42882cac000e51a90e7d0a9f

SHA1
83b4f4fe400ec0e1fa90867c481cd434ff572a95

SHA256
521fd9596d0ca3ca575ff7b1e5526cf870d3ff0d089bf2b185d7b5128bdd01c4

SHA512
4b22f611708101bfac0ae60ec46a4b18e072913e103a11e8925abca8db167a39b0cdf6ed7d0334dd8fc39b580dde0ad89bf137534f35f957d773bda556db719d

Download Submit
C:\Windows\SysWOW64\Cdpcal32.exe

Filesize
303KB

MD5
20eb01cb3f0a7cd92b106ec5986b1fb6

SHA1
8ae37fa8d7fa1db4ad7744505ed8ef6e583dc4cb

SHA256
dbd935866068a65a0df516082e7d9810f0aa39a1d502a42ad3cefcc3dd2d3939

SHA512
fae48151e324142366c4c8c26f87346fc7eae78ba56514f49dcec062497fccc54eedb70c1a9a0708bbdfb8525d33c2ffa490e878bdaf3dc6978ab76a4139537d

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
303KB

MD5
a516c661f961a05629be73fda1e77ba9

SHA1
94a6c788eeaf557ba2a8b3419903c7dcf541f875

SHA256
2dfa3213087a995d8762f9c6e19be693d5927d171a58a6556c6c013da383c5ba

SHA512
00a01e1caf42d91098ee802d4aa5185aa4b95e6df47a42d41eac69a6af2ba7c400ff1c08437f466766ba19a03d695d18385a67f19bdbebf593d7cd731aa88b3b

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
303KB

MD5
ad119a74bbe1081a4bff1705c2b1c0ea

SHA1
cbdd3441a31e70b93c55a92e7a4d40b2d6761932

SHA256
39e2869ac3e63446348378cb7ddc3e0130a0d24983fc1ea59346df078cee56fd

SHA512
2c75e0bd023c11a1d3c9f276be38bb49ffa0ff443ba55633a6c609b2acb6c1d766b6d80ea4a1ffebea454847d6ccb567f6a6aba2286ce1d9ba614e6d81541caf

Download Submit
C:\Windows\SysWOW64\Dafppp32.exe

Filesize
303KB

MD5
550e34f4d3c5b807b6565c58491b0ee5

SHA1
ea1bc1b2b0e2e10adde3be4eb96295e570e48d2f

SHA256
8808e8cf305ce31e1a5e5819d8207b6a5294a0caf7b8d119be406ea888e553b3

SHA512
a36b26ea9e561271aa4f5a0c1c58235b586069ff23b46a215893faf8c3b6a63d86c4427c724da5e81429383079731975f870f5daef7da92b32db53c336beb8fc

Download Submit
C:\Windows\SysWOW64\Ddnobj32.exe

Filesize
303KB

MD5
6842802746ab1044934c0e7671281b0d

SHA1
61a08595337c7d69b36aaa9efb04b8dd6b4412a0

SHA256
48f6a54dea821bb70c4564471060903c01ffff1b2ad34db54ad7d0c6acdc99b2

SHA512
f125775b05b17f65614e34da8eb3d62832c571acaeb9eaece28b9786a225d99c781552ef4e4c1cb609d061098b97b60aba9e10b7b4bc516f5d1be848d46c004d

Download Submit
C:\Windows\SysWOW64\Dgjoif32.exe

Filesize
303KB

MD5
9a5f745937cfc5686e57075fd48387fa

SHA1
60964ac2dbcdbfc1b9aa02cef46b66d61e17d7d9

SHA256
72959be901db2af3c95a076507d809c4dff1465275d6dbd82ec13551b80de960

SHA512
c37b8218855fbfeafb8b2580435cfd4ff7305418dd9594fb0cdd7925be032a5cbefc382fced9cccb113171a5eca89870f4220c5cdc86f40e639632e1a15c4abe

Download Submit
C:\Windows\SysWOW64\Dhbebj32.exe

Filesize
303KB

MD5
6f625537d8e74068238a40ef1f8e8b73

SHA1
d621c56fda9f18532de05ae5427a1457f9685e15

SHA256
0b4704463fb647fece5098463b4eeef70992ed49035a1485419091aab13f43d8

SHA512
ec53b52c080aa88473f63baa1807c55830c76ca080e111595b8a84fa296b22bf57b1e364b87b3e5b6dc4f9551280c1cb478a948f49cb5c4d8cc0f0d4568b485b

Download Submit
C:\Windows\SysWOW64\Dkcndeen.exe

Filesize
303KB

MD5
2efef857f10adba01aca5d36f8b7dace

SHA1
fd609eba1144454b4556b00bab586d7a0d6c6d60

SHA256
ef4618fb73a74c5b8fd7992d89540a6e4516c9b37ace784c43029c95806d90dc

SHA512
91ba00c3a94fec4724912b98222e57ec8318a29a433fab7547b38ab947f6aff723c9bcf905f8cae5ade3c5caa07352ef63df186a0b618da4bed673cc3ed0c4aa

Download Submit
C:\Windows\SysWOW64\Dnonkq32.exe

Filesize
303KB

MD5
016e5172ae75f601abc7e2c97181f90a

SHA1
3cf9a7a06028d8bd36792fccb3a1fabdd3e19b91

SHA256
cf719ff6c3c53c80fc30e8252a7fae950bcbe98081e80a7a425f22a41829e6f5

SHA512
ecc400a62b89738e06058f9510c6c0dfef6bb8c36e2674b5e965c98088a6d164a3609ab16d9db9456e1649aa27c60d698bc28252bac0ab6e5a5602865cacf27b

Download Submit
C:\Windows\SysWOW64\Ebdlangb.exe

Filesize
303KB

MD5
b9b1a42202302f649a38c775601c1262

SHA1
1c71ce25c592ba5222957b17316e4a2ac7c767be

SHA256
384ecbaef35190c196396fb70f683406e4a1979f6e19f93843b34ad03ad19c41

SHA512
656a7c607c76f8d68ed3eb31505f840940867b40a98da180ffdab212daa2aaee194d64dc6c59cf6f8b344121837968cb6aaed3d752d9d13f6e0d17e50f9ce4b5

Download Submit
C:\Windows\SysWOW64\Egened32.exe

Filesize
303KB

MD5
0c031e1beb9e48a3819d70b8c5c2ec7f

SHA1
05ceedf538bf5765f902060fbaac1f6957f38e66

SHA256
e64ba12c204cc72aa48072f6c831a91106f89329c29552c17b2763f8835f4ce5

SHA512
20889a90cb8d35b3a85a02dd9cfd768ca5eed79041cb71004c90fdc4fca9291dd24071abad1e6ca16863e55799259056564b6337f4e38da469553b760c98dd99

Download Submit
C:\Windows\SysWOW64\Eiekog32.exe

Filesize
303KB

MD5
424f7be046b2ee914cfef45ed8475e83

SHA1
8d8d960ef8d9d1232e7f8016409c92be8c0a170f

SHA256
3d5d4d3951a03a75d551222cabd7f874a7eb4d13d70b4f4c9c3446ad67a97d1e

SHA512
72a59ff7cb82bdd97ad96eef656e66e4a35bf35b1e5401df5c77c924a0ec06d9232b2d6567b8a5cefa9a7d50f29e13980054b62dde7d9e7aa494d8005bb24d2b

Download Submit
C:\Windows\SysWOW64\Fganqbgg.exe

Filesize
303KB

MD5
a8603860aa465f6a23eccc528db42554

SHA1
005c10337e1f7103d398e9b07bed98d65fd434da

SHA256
82bb665a5dc5c0ad28cf400d17963834b1c01cc4fef6d954e6bf2182e373c4e8

SHA512
69e3c72176a45b5cc9e66ef4f3871c248e51e058baf84bb1db375c1d858165f7d094da26db6701fbcce7edeb5a3edb246a63bf2f363b99810a6f1559e0c577f9

Download Submit
C:\Windows\SysWOW64\Ggmmlamj.exe

Filesize
303KB

MD5
daf963e50730aa02ecb605f0aa5ea455

SHA1
7acaab36f5906466c72c7a395fa2865a52ee57d8

SHA256
a4f42d873547fe9c0ec634790dbc0d215644c1fb2753eb192e593cbfc4d8c4ee

SHA512
d1f079ccc8483a04a324e4bd53c70d5e3f054317ac8378db854f28d3031a5c892020ea74f1954a6341e4696fbd774c743c02102e9aab4382326e379d9942813b

Download Submit
C:\Windows\SysWOW64\Hhdcmp32.exe

Filesize
303KB

MD5
a8705f421a056d06ec7cf4fca32ec9c2

SHA1
72d10e18960706e88bd4fe1c4e4d24df67e885db

SHA256
ff43b474ca44109cf58ba9bd639aebf48bdfc1d903f14db7fe74ea0243173e4b

SHA512
8c707bd9f81c7406b6a11dee92662cf8f91ec3b22d75e9c9d1728bc1a5a452e62a91443530c3f97ffd30e4daa4e916c8863dc4bf2205c828fc4593cce78907b0

Download Submit
C:\Windows\SysWOW64\Hihibbjo.exe

Filesize
303KB

MD5
f9d2bc9ffcf1397578fd6d210ac3c243

SHA1
7619fe185e6c52d44e9483b161ae5d23b0f69a21

SHA256
9115f0227143e2fd8579b917f3e7cfc2fd3d880610c4b43507a2a701f2f1f7ad

SHA512
04485cfdab128a68d2292c2e8bae0fa69380886232a254cd688f946b8fd0f60faeb571ec34a3442cbff4d55d5cd96d1f923c0c904762521bba95457fd5e7abc2

Download Submit
C:\Windows\SysWOW64\Hihibbjo.exe

Filesize
227KB

MD5
8b11436bdc28be1ac9a3711be6b434ac

SHA1
e5a35ee2cf6cb44f0547f62e1b849e2cd895b015

SHA256
c7d66dcad5478f6b22f7a2994b06f18f43645c73dd935a23ee0688cf0c50f0cb

SHA512
91efa3839c066668717e2b521d45b627ffa36afbf9cd557ba0a4ead500b1e6048682d59c8fbf0b93c8be3b19a18f6bdd64a40390df6946d8d66126092fa0bd8e

Download Submit
C:\Windows\SysWOW64\Hlblcn32.exe

Filesize
303KB

MD5
402fdb3404a385e2ec07111c5d2191f5

SHA1
d6d38db81b59bf6ac6db80c1a446d74c9f1be87f

SHA256
51857b78ed86b5a5d98fd32fcbbe2764be03cbfb5f3292c792743a24efdd0ff5

SHA512
fb7c4f8b42f4ca37c5fea3824640966d29d1477610c333f1dbd3590dcbfa97e20d9517c5283936a9c720c450204bf4aede3d49d9702f6b0baf3bde152003885d

Download Submit
C:\Windows\SysWOW64\Hnnljj32.exe

Filesize
303KB

MD5
f11efc567a579984b434e7ce34c2ab08

SHA1
cbb42e4399558470487875dba8c0a19719bfd0be

SHA256
91e54eb4dfafffc70363a8d577b68926aa074cd00ffdf8164f2946bb36284579

SHA512
61d66d15ab5c9fec0a6668b3ac6b784f973f9c1c04b0894f3f01ef8dcbd000e460b1ca736648e35d7db0b783d9ec67025391d1a667d95986ee74ba7a6e459344

Download Submit
C:\Windows\SysWOW64\Iahgad32.exe

Filesize
303KB

MD5
c7bf92752706f50a3c61ce5c19fc26b5

SHA1
8a2bb027409a1bb797aa07749d77f287f18fcc84

SHA256
18b849bc669e1ba334522f7c0b58b68a8b6ba5507923f3b1dcceb25cc08f90cc

SHA512
c5727cc78cf2f6a74e12c99875f3922c7afac9e4ace96d31bb73cc613883d6d14ee4c60ae72feddb7a55263f5956347d1d98afa308e731a3420140e3085acb38

Download Submit
C:\Windows\SysWOW64\Ibqnkh32.exe

Filesize
303KB

MD5
43bf9d061dbff00955a74c5254c257ba

SHA1
3581debea921536e79d07e106e58086051235be1

SHA256
3eb62bacd468e6ebac7b394854587e302c6766011f21eab5d3c7ca35d590afe0

SHA512
b8581251041849121b610efb04a0a72c9e08a0744541488405cb47e6b7fdeae6cf86c85fcee35ee708899a13c35d53b5a2939df25644d3b4cf144accf7dfc6f9

Download Submit
C:\Windows\SysWOW64\Ieagmcmq.exe

Filesize
303KB

MD5
1210961341e6c2c97c2912291907014b

SHA1
8a7c721503b64bf79c959574c3e7b2012a6fc24f

SHA256
1d58c3d3c2792ca97827726144d4bd7077cbab901ca4fb06a8ea4bed2144ba7d

SHA512
84a8783163065572d1246122f82b8cce3c8218585b0c3d4a0a66fa3c2d262774e4b7b63e03f78f134a8f4bb8e4af6ba53744ab81d3d4215050c0cb19b86c58b9

Download Submit
C:\Windows\SysWOW64\Ilphdlqh.exe

Filesize
303KB

MD5
b04cc56cf1bfcdd451bb644b8e33c950

SHA1
e7654d72526d8362b023f90b2908ee20263a55f3

SHA256
6b9b14e8dd1f778e45d280592a4ba33e7241b85b45848def3007a01e79eddfa6

SHA512
2cc3b680554eb08619db4613c299f89e95283ec23e37ac2764480ccaa5f4a0d89b48cc7be6a5363b4ed6ee9cb1865a3306aa52f9a80d2f9e03cd2ee97df5dde8

Download Submit
C:\Windows\SysWOW64\Jihbip32.exe

Filesize
303KB

MD5
fe3acae4bae26dc23650817619297094

SHA1
34e63f0207bac5a65911b37afa422d39db6af48a

SHA256
9056f9666483b95b4fdc762fce211427a7028b7c65e1efc9ebecf262c2b6cdf0

SHA512
3f8b7eced9c1d24588c8cd57433deb2638a6c55704813cc5754b68c1226cfbfcaa6ab8c9b0ffaab8b120468a1c8c8cd29c1aaaf850308147504b0a3896a843a5

Download Submit
C:\Windows\SysWOW64\Kcoccc32.exe

Filesize
303KB

MD5
7f8b91a3ed9284a582a668880026431e

SHA1
a2279563d9e3754d873fce37023b4f4d78da3829

SHA256
42a0f7bc3a62c1ac7506a229fba592b12489f4b5e5883a32132186cbcd41d694

SHA512
7c9101ec0d57e32a7e7f7faa80a238db8dfc8ffcc90ff42e960d9e12d640c16f58d06c8f63f912e44b5da18200ee186edcbd2a157bafe03abcef2ae60764ca7e

Download Submit
C:\Windows\SysWOW64\Mgloefco.exe

Filesize
187KB

MD5
f76d27ce215bb2426439a9558268241a

SHA1
14f9bc1e752bc4148ab903d28b454023920c3629

SHA256
c857174ed9bea76fe4f027e3a301584801c1af2a2f76f70e3405c4631e7ba5e3

SHA512
cc35011ef5cb56f1e74108d8cc323f13be19e9a4df0f6bd00a56cc85138fd44cf4c30c8eb820689448f54e425246d7ddd599d0e9333faabffe33187d016d09a0

Download Submit
C:\Windows\SysWOW64\Mgloefco.exe

Filesize
303KB

MD5
886eedb920c80b0342efb4c30f648b2b

SHA1
e2181b0eab5d140d46f760726ae8a461c915ef41

SHA256
9ca4494abe7a0c51c6d2914c6b001d34713ff42ea405977319df099094648ef1

SHA512
22486134c56d7fca797d4642f61fb57b2aca94ca0d4be4d07144cd609276298ae27335591cc2147b474aa36e52ad21154253d519a008cae6a756a56e9c9f5562

Download Submit
C:\Windows\SysWOW64\Mhjhmhhd.exe

Filesize
303KB

MD5
ed97d623159c47900055070aa27c8069

SHA1
6a1f0d0b67dafe34176ff10ff4565d04778e34f9

SHA256
ee90affe24b3847ff9c2bb6a9fc6b1ff2bf168bbd06d36a068b23a1c8736a3f0

SHA512
11ed6ad48d124fd4c21642ba49f142948cc309e401b61b3c0d4563fd46aca56bf5f1ede8b0a48cfeb8214c9ff5907f46cdd50d7d418b6ad22b3629608ff7e7e6

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
303KB

MD5
ed5874d83fd4487915d03e546c93ca08

SHA1
1926da8e4f04e4e3582e1bd4778b8f0456bed5b0

SHA256
be89e2eb9d0c90ebacac41dd7ee69416666f12ecbe40f55c1b49e2921654e7f3

SHA512
75b1afe4328a8e4934b2cd762bc38b5d6c3a96eb2849bed85a3b7f4f7a2bcc41cb061027218dbdfc3c36f99d42d9839566816de9835d7c98eb69a2cb60795337

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
303KB

MD5
64f827faacec9aada413c9362a1dde9d

SHA1
9deb6bc0d4fb2dc4a455d665efd6c2b9008b99fc

SHA256
82995b90eb49665d9a899d44bbd6dd65d2e17778d3c8c9e422db74871108d6d2

SHA512
2d0e06cfe32b2784e5fda61febd31115da1f1baa20d4844b19438f3e88008d3a9565b9fed583b0feb6fe09a37cbdd09ceb389357625b05b7a43d1b3824843336

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe

Filesize
303KB

MD5
5fcc5d49ef739c9d6be9c1b2980f43a0

SHA1
1f0e72c0e9b635908ab0a74ac94a8202951afe45

SHA256
e315657a953edc44e71d8141a380aafbda6e7c62c92ac9a9b8e9784cd9a5e7f8

SHA512
d7c7d6ab7658610138413ee40cce0aa37a4430f2e26bb84b375c6fb877625781677f96d9aff2aa16696d8734019ad8f0c3e482065e07dd53598c5b29a9d0465a

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
303KB

MD5
3e63e6dfac9fb0e15b40680afab8fc2b

SHA1
7c48da83ac0684d2f6e582a41a7d8e84ca360e3a

SHA256
919bc53ca1a0e5b95abaea2dd96c7848a76edffe1d703850916398f4e9a5a205

SHA512
3ffee91624af948481c9a1a7ab6e5e1d3aa5e5c4daa24979d7a6f1bfd89df58e7d41101df447c0f6613b1a78299ffd9323fc6769ec019d89f4f9a046e455d95c

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
303KB

MD5
57fb134ee601d2cc128b6fe71e04a860

SHA1
ff3f66c773445aca8a94a274fbfa590dc1969f41

SHA256
38018cc22b4b4ee647da6c6c33aa116bfd637c61d54af2d11297bdba46636291

SHA512
3510aca6f4a1fe3a2635939699a9a7ed0d2d0c24c23afd9f02fb4219aaf70105fffaa22185cf4c7f1c6aab28be29f0e75dead0df3db2a01bfbc71a8563b24f2b

Download Submit
memory/216-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-639-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-646-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-636-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5176-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5220-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5260-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5300-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5340-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5380-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5420-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5460-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5500-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5540-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5580-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5620-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5656-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5712-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5748-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads