5424b224901718b1c2013b89d961c79d6459b2c7d223cf6bb3a04aab51b0e35a

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5424b224901718b1c2013b89d961c79d6459b2c7d223cf6bb3a04aab51b0e35a.exe
Size

233KB
MD5

f2c0eb3dbaaed311ce4697a12a0dd62b
SHA1

8d2b4403e0abf07cd4ba87fc1d0356440c2f5147
SHA256

5424b224901718b1c2013b89d961c79d6459b2c7d223cf6bb3a04aab51b0e35a
SHA512

7009751dc6eba86fa0b13773cfeecd4820f84b855cb18fd672c5d8472f37f1a38858269162fa247ef6302f3fb7fe102e79575b31c992adc235d325f34a3348ca
SSDEEP

6144:7cI+MD8XkO7a+zZm856fRKB3A4U2dga1mcyw7I6BjtCYYs2:7F8VX05WHR1mK7fVtXP2

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jahqiaeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nblolm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjeiodek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmdnbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhpao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhfpbpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmbegqjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jniood32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lakfeodm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jahqiaeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noblkqca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbnhoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojmcdgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlolpq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjoif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpedeiff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmiikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljklo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nflkbanj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khlklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmbegqjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khgbqkhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgdkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hajkqfoe.exe

Executes dropped EXE 64 IoCs

pid	Process
2176	Cdpjlb32.exe
1292	Imkbnf32.exe
5044	Ieidhh32.exe
1988	Jpaekqhh.exe
4584	Jgmjmjnb.exe
3280	Jniood32.exe
4620	Jlolpq32.exe
2432	Kjeiodek.exe
4196	Kpanan32.exe
1300	Lljklo32.exe
1040	Lqmmmmph.exe
3992	Lmdnbn32.exe
4208	Mmfkhmdi.exe
4352	Mqdcnl32.exe
532	Mjlhgaqp.exe
3876	Mfeeabda.exe
2520	Mgeakekd.exe
656	Nmbjcljl.exe
3360	Njfkmphe.exe
3604	Nflkbanj.exe
5080	Nnfpinmi.exe
1004	Nfaemp32.exe
4456	Nceefd32.exe
4780	Omnjojpo.exe
4356	Offnhpfo.exe
4576	Opnbae32.exe
3540	Onocomdo.exe
1596	Omdppiif.exe
4008	Ocaebc32.exe
2312	Pmiikh32.exe
4884	Pjmjdm32.exe
3228	Phajna32.exe
2984	Pdhkcb32.exe
3896	Qdoacabq.exe
2460	Qodeajbg.exe
4316	Aogbfi32.exe
3368	Amlogfel.exe
4980	Adfgdpmi.exe
2252	Aokkahlo.exe
560	Aonhghjl.exe
4844	Ahfmpnql.exe
404	Bdmmeo32.exe
4388	Bdojjo32.exe
2004	Bacjdbch.exe
4516	Bklomh32.exe
1796	Bknlbhhe.exe
1624	Boldhf32.exe
4892	Ckbemgcp.exe
5160	Cgifbhid.exe
5200	Chiblk32.exe
5240	Cacckp32.exe
5280	Cogddd32.exe
5320	Dhphmj32.exe
5360	Dnmaea32.exe
5416	Dgeenfog.exe
5472	Dnajppda.exe
5512	Dgjoif32.exe
5552	Dbocfo32.exe
5592	Dkhgod32.exe
5632	Eqdpgk32.exe
5672	Enhpao32.exe
5716	Eklajcmc.exe
5756	Egened32.exe
5800	Fkfcqb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkbjmj32.dll	Jlolpq32.exe
File created	C:\Windows\SysWOW64\Lakfeodm.exe	Lojmcdgl.exe
File created	C:\Windows\SysWOW64\Gmbjqfjb.dll	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Ciipkkdj.dll	Bknlbhhe.exe
File created	C:\Windows\SysWOW64\Hiplgm32.dll	Hahokfag.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Aiplmq32.exe
File created	C:\Windows\SysWOW64\Dinael32.exe	Cdaile32.exe
File opened for modification	C:\Windows\SysWOW64\Lqmmmmph.exe	Lljklo32.exe
File created	C:\Windows\SysWOW64\Gbfnjgdn.dll	Pmiikh32.exe
File opened for modification	C:\Windows\SysWOW64\Mpapnfhg.exe	Loacdc32.exe
File created	C:\Windows\SysWOW64\Pmhbqbae.exe	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Lmjhab32.dll	Jniood32.exe
File created	C:\Windows\SysWOW64\Icbcjhfb.dll	Oqoefand.exe
File created	C:\Windows\SysWOW64\Dikifc32.dll	Ekgqennl.exe
File opened for modification	C:\Windows\SysWOW64\Mlhqcgnk.exe	Mpapnfhg.exe
File opened for modification	C:\Windows\SysWOW64\Pcegclgp.exe	Piocecgj.exe
File created	C:\Windows\SysWOW64\Bkkhbb32.exe	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Aldclhie.dll	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Qdoacabq.exe	Pdhkcb32.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Dinael32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmmeo32.exe	Ahfmpnql.exe
File opened for modification	C:\Windows\SysWOW64\Mfbaalbi.exe	Mhoahh32.exe
File opened for modification	C:\Windows\SysWOW64\Epffbd32.exe	Egnajocq.exe
File created	C:\Windows\SysWOW64\Fqphic32.exe	Edihdb32.exe
File created	C:\Windows\SysWOW64\Ekoglqie.dll	Kjeiodek.exe
File created	C:\Windows\SysWOW64\Ghndhd32.dll	Mgeakekd.exe
File created	C:\Windows\SysWOW64\Oblhcj32.exe	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Pbjddh32.exe	Piapkbeg.exe
File opened for modification	C:\Windows\SysWOW64\Ajdbac32.exe	Aiplmq32.exe
File opened for modification	C:\Windows\SysWOW64\Jniood32.exe	Jgmjmjnb.exe
File created	C:\Windows\SysWOW64\Nmbjcljl.exe	Mgeakekd.exe
File created	C:\Windows\SysWOW64\Eaaiahei.exe	Ekgqennl.exe
File opened for modification	C:\Windows\SysWOW64\Opnbae32.exe	Offnhpfo.exe
File created	C:\Windows\SysWOW64\Bcomgibl.dll	Pmbegqjk.exe
File opened for modification	C:\Windows\SysWOW64\Djgdkk32.exe	Ddklbd32.exe
File created	C:\Windows\SysWOW64\Njgqhicg.exe	Noblkqca.exe
File created	C:\Windows\SysWOW64\Piapkbeg.exe	Pcegclgp.exe
File opened for modification	C:\Windows\SysWOW64\Bpedeiff.exe	Bfmolc32.exe
File created	C:\Windows\SysWOW64\Nodeaima.dll	Baepolni.exe
File opened for modification	C:\Windows\SysWOW64\Lmdnbn32.exe	Lqmmmmph.exe
File created	C:\Windows\SysWOW64\Ghnllm32.dll	Njedbjej.exe
File opened for modification	C:\Windows\SysWOW64\Bpcgpihi.exe	Bjfogbjb.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Cogddd32.exe
File opened for modification	C:\Windows\SysWOW64\Cpcpfg32.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Ikfbpdlg.dll	Dpjfgf32.exe
File created	C:\Windows\SysWOW64\Mfeeabda.exe	Mjlhgaqp.exe
File created	C:\Windows\SysWOW64\Fdflknog.dll	Loacdc32.exe
File created	C:\Windows\SysWOW64\Fbjbac32.dll	Egpnooan.exe
File created	C:\Windows\SysWOW64\Dgdncplk.exe	Dpjfgf32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Njfkmphe.exe	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Ndqojdee.dll	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Nflkbanj.exe	Njfkmphe.exe
File created	C:\Windows\SysWOW64\Jcgmgn32.dll	Phajna32.exe
File created	C:\Windows\SysWOW64\Mckmcadl.dll	Obgohklm.exe
File created	C:\Windows\SysWOW64\Cdmoafdb.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Offnhpfo.exe	Omnjojpo.exe
File created	C:\Windows\SysWOW64\Bgicnp32.dll	Dgeenfog.exe
File created	C:\Windows\SysWOW64\Hnekbm32.dll	Lojmcdgl.exe
File created	C:\Windows\SysWOW64\Njljch32.exe	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Dkhgod32.exe	Dbocfo32.exe
File created	C:\Windows\SysWOW64\Pfhmjf32.exe	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Cogddd32.exe
File created	C:\Windows\SysWOW64\Klekfinp.exe	Khgbqkhj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7752	7680	WerFault.exe	272

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5424b224901718b1c2013b89d961c79d6459b2c7d223cf6bb3a04aab51b0e35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnajppda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjhfcm32.dll"	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiplgm32.dll"	Hahokfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnllm32.dll"	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppceehj.dll"	Nflkbanj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnajppda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eciqfjec.dll"	Hihibbjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egnajocq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgdmb32.dll"	Dbocfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmbegqjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dajbaika.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5424b224901718b1c2013b89d961c79d6459b2c7d223cf6bb3a04aab51b0e35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemdebha.dll"	Kpanan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgeakekd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqdpgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omnjojpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opnbae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hahokfag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihmfco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lqmmmmph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klambq32.dll"	Egened32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagioah.dll"	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqolaipg.dll"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll"	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgfga32.dll"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjmj32.dll"	Jlolpq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enhpao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enhpao32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2176	1184	5424b224901718b1c2013b89d961c79d6459b2c7d223cf6bb3a04aab51b0e35a.exe	96
PID 1184 wrote to memory of 2176	1184	5424b224901718b1c2013b89d961c79d6459b2c7d223cf6bb3a04aab51b0e35a.exe	96
PID 1184 wrote to memory of 2176	1184	5424b224901718b1c2013b89d961c79d6459b2c7d223cf6bb3a04aab51b0e35a.exe	96
PID 2176 wrote to memory of 1292	2176	Cdpjlb32.exe	97
PID 2176 wrote to memory of 1292	2176	Cdpjlb32.exe	97
PID 2176 wrote to memory of 1292	2176	Cdpjlb32.exe	97
PID 1292 wrote to memory of 5044	1292	Imkbnf32.exe	98
PID 1292 wrote to memory of 5044	1292	Imkbnf32.exe	98
PID 1292 wrote to memory of 5044	1292	Imkbnf32.exe	98
PID 5044 wrote to memory of 1988	5044	Ieidhh32.exe	99
PID 5044 wrote to memory of 1988	5044	Ieidhh32.exe	99
PID 5044 wrote to memory of 1988	5044	Ieidhh32.exe	99
PID 1988 wrote to memory of 4584	1988	Jpaekqhh.exe	100
PID 1988 wrote to memory of 4584	1988	Jpaekqhh.exe	100
PID 1988 wrote to memory of 4584	1988	Jpaekqhh.exe	100
PID 4584 wrote to memory of 3280	4584	Jgmjmjnb.exe	101
PID 4584 wrote to memory of 3280	4584	Jgmjmjnb.exe	101
PID 4584 wrote to memory of 3280	4584	Jgmjmjnb.exe	101
PID 3280 wrote to memory of 4620	3280	Jniood32.exe	103
PID 3280 wrote to memory of 4620	3280	Jniood32.exe	103
PID 3280 wrote to memory of 4620	3280	Jniood32.exe	103
PID 4620 wrote to memory of 2432	4620	Jlolpq32.exe	104
PID 4620 wrote to memory of 2432	4620	Jlolpq32.exe	104
PID 4620 wrote to memory of 2432	4620	Jlolpq32.exe	104
PID 2432 wrote to memory of 4196	2432	Kjeiodek.exe	105
PID 2432 wrote to memory of 4196	2432	Kjeiodek.exe	105
PID 2432 wrote to memory of 4196	2432	Kjeiodek.exe	105
PID 4196 wrote to memory of 1300	4196	Kpanan32.exe	106
PID 4196 wrote to memory of 1300	4196	Kpanan32.exe	106
PID 4196 wrote to memory of 1300	4196	Kpanan32.exe	106
PID 1300 wrote to memory of 1040	1300	Lljklo32.exe	107
PID 1300 wrote to memory of 1040	1300	Lljklo32.exe	107
PID 1300 wrote to memory of 1040	1300	Lljklo32.exe	107
PID 1040 wrote to memory of 3992	1040	Lqmmmmph.exe	108
PID 1040 wrote to memory of 3992	1040	Lqmmmmph.exe	108
PID 1040 wrote to memory of 3992	1040	Lqmmmmph.exe	108
PID 3992 wrote to memory of 4208	3992	Lmdnbn32.exe	109
PID 3992 wrote to memory of 4208	3992	Lmdnbn32.exe	109
PID 3992 wrote to memory of 4208	3992	Lmdnbn32.exe	109
PID 4208 wrote to memory of 4352	4208	Mmfkhmdi.exe	110
PID 4208 wrote to memory of 4352	4208	Mmfkhmdi.exe	110
PID 4208 wrote to memory of 4352	4208	Mmfkhmdi.exe	110
PID 4352 wrote to memory of 532	4352	Mqdcnl32.exe	111
PID 4352 wrote to memory of 532	4352	Mqdcnl32.exe	111
PID 4352 wrote to memory of 532	4352	Mqdcnl32.exe	111
PID 532 wrote to memory of 3876	532	Mjlhgaqp.exe	112
PID 532 wrote to memory of 3876	532	Mjlhgaqp.exe	112
PID 532 wrote to memory of 3876	532	Mjlhgaqp.exe	112
PID 3876 wrote to memory of 2520	3876	Mfeeabda.exe	113
PID 3876 wrote to memory of 2520	3876	Mfeeabda.exe	113
PID 3876 wrote to memory of 2520	3876	Mfeeabda.exe	113
PID 2520 wrote to memory of 656	2520	Mgeakekd.exe	114
PID 2520 wrote to memory of 656	2520	Mgeakekd.exe	114
PID 2520 wrote to memory of 656	2520	Mgeakekd.exe	114
PID 656 wrote to memory of 3360	656	Nmbjcljl.exe	115
PID 656 wrote to memory of 3360	656	Nmbjcljl.exe	115
PID 656 wrote to memory of 3360	656	Nmbjcljl.exe	115
PID 3360 wrote to memory of 3604	3360	Njfkmphe.exe	116
PID 3360 wrote to memory of 3604	3360	Njfkmphe.exe	116
PID 3360 wrote to memory of 3604	3360	Njfkmphe.exe	116
PID 3604 wrote to memory of 5080	3604	Nflkbanj.exe	117
PID 3604 wrote to memory of 5080	3604	Nflkbanj.exe	117
PID 3604 wrote to memory of 5080	3604	Nflkbanj.exe	117
PID 5080 wrote to memory of 1004	5080	Nnfpinmi.exe	118

C:\Users\Admin\AppData\Local\Temp\5424b224901718b1c2013b89d961c79d6459b2c7d223cf6bb3a04aab51b0e35a.exe
"C:\Users\Admin\AppData\Local\Temp\5424b224901718b1c2013b89d961c79d6459b2c7d223cf6bb3a04aab51b0e35a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\Cdpjlb32.exe
  C:\Windows\system32\Cdpjlb32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\Imkbnf32.exe
    C:\Windows\system32\Imkbnf32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\SysWOW64\Ieidhh32.exe
      C:\Windows\system32\Ieidhh32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        28⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        29⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        32⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        35⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        37⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        39⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        40⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        46⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        48⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        49⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5160
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5240
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5320
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5512
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        60⤵
        Executes dropped EXE
        
        PID:5592
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        63⤵
        Executes dropped EXE
        
        PID:5716
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        65⤵
        Executes dropped EXE
        
        PID:5800
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        66⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        68⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Hajkqfoe.exe
        
        C:\Windows\system32\Hajkqfoe.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        72⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        73⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        75⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        76⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        78⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        85⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        88⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        91⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        92⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        94⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        97⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        98⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        101⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        103⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        104⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        105⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        106⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        108⤵
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        109⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        110⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        112⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        113⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        115⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        116⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        117⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        120⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        121⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        122⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        123⤵
        Drops file in System32 directory
        
        PID:6876
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6928
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        125⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        126⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        127⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        130⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        132⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6468
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        134⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        135⤵
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        136⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        137⤵
        Drops file in System32 directory
        
        PID:6844
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6948
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        140⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        141⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6276
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        144⤵
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        145⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        147⤵
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        148⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        149⤵
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6720
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        153⤵
        Drops file in System32 directory
        
        PID:6212
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        154⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        156⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        157⤵
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6920
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7176
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        160⤵
        Modifies registry class
        
        PID:7220
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        161⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        162⤵
        Drops file in System32 directory
        
        PID:7304
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        163⤵
        Modifies registry class
        
        PID:7348
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7388
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7448
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        166⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        167⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        168⤵
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        169⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7644
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        170⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 412
        171⤵
        Program crash
        
        PID:7752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 7680 -ip 7680
1⤵
PID:7712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:7240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdpjlb32.exe

Filesize
233KB

MD5
2724ece886cd00a217a633897d414a6f

SHA1
bdd520e00ebcb2aca5a90a9f01915ead5c8899a5

SHA256
ed1e4a29a3113c185b62e3ec9ccfe41da74cdf9e2277648c0c6697ba4c62eb66

SHA512
2e73bfadeeee5b64330866e6a43e4efd77e246c0ab962fad5f8d9d5fb227041c22705caef981a3c0f17874921540ab9d78786806efe98d92699d3f62e0c7af4b

Download Submit
C:\Windows\SysWOW64\Ieidhh32.exe

Filesize
233KB

MD5
925c4ec9e6e7230c7c3d482b3ad987da

SHA1
2779420edcafbe09c25d96d1bc8431c4dc1bc8bf

SHA256
6a8576dfb219b730f61a9d1f72d3fa16f2b0278ac8635a8f5c3bccf1fc82eb1f

SHA512
b4c36970a222cc0c2a8f21045920e731fc870e30cb6754288e8db41d0fc578852a2fc53d1337607797424d38546ff2a6fffaf25120518b5c4386ae6c35087aea

Download Submit
C:\Windows\SysWOW64\Imkbnf32.exe

Filesize
233KB

MD5
b43fc796ee2df5c3486759f6149aaf77

SHA1
4be2281d788e4a07df51686b08d07e767b3938f0

SHA256
de96ba956f734f72ee5ab8e90a19a7be0b551db5a74823856722930d619122d0

SHA512
6827d4bfd9812731bbc390106cd30effe59da034d256f88ddb18552b64d7356418bb7b6585b3b85fa64ce91eb233b278a095f22e9df0c38442b565e7baa752d9

Download Submit
C:\Windows\SysWOW64\Jgmjmjnb.exe

Filesize
233KB

MD5
473066d31a174bcf9530af7f5b2fb485

SHA1
31b63548d2873f6a6f2ebd64670b2b34f6a1d82b

SHA256
31e2fb63548ef622fbc1bf4e790bfa10c68b6e3bb3a356cb9569f90705b8cb86

SHA512
0abb7879a9195b49a91ed7f8fb2994c6edd70f13faeb01707813fba7b72773302d6c57ef10bedb889bbf02836f535984d29569dc06473f1c89d44d4132d209e1

Download Submit
C:\Windows\SysWOW64\Jlolpq32.exe

Filesize
233KB

MD5
f8cbf791023f2014660845bf0c7df164

SHA1
da9ce74c9933086806bf66e0f53927c9435ca1c2

SHA256
fbf70bdb9ea4d744525c5198e33c690027b31c27b5c57085bb21c95e5e4da4ac

SHA512
9e260d8b981a4f6cf5f58b218dbb30150b6a89c20b2893bf50474f0b5255deacba3c15cda5fd0f4b659f3188eb8f9fe5d1450edf6062dcac34a10e944d35771b

Download Submit
C:\Windows\SysWOW64\Jniood32.exe

Filesize
233KB

MD5
4e06a9e54ac3d6eae938aadef13586ee

SHA1
bc1bc08dbaa56aca4ecb463e858f66ff0a9470d6

SHA256
1c3fc04648a09562cc0f4b0172b3ad8bcb6f09ac5c3ea214d853918c13bd1853

SHA512
ab7a7fe099b1f803c8548025bd42441a46d8bc6b0ba8acf70c29a76e3e4b32ecdf64c28d0e0e01ce57021a62e08c525271f3663f65d743cad5bf9cdba32756be

Download Submit
C:\Windows\SysWOW64\Jpaekqhh.exe

Filesize
233KB

MD5
563910fda0155c99cd06be94c3dbac53

SHA1
ac5437c9ddfcd1d96a6673a4db620ed7458dcbeb

SHA256
c66316e4ec9acfb1d3e68a6efb4fd609ac1acfd00c5ec33a7c33dc255eacfffc

SHA512
80713060e6a2015a8e9881e9d5f6933c077733063d2401becb6e40c9c7f60120b5a111e241d96310f3cb11114f9fe3a41385647d23857d818a1b7b5dfee5922c

Download Submit
C:\Windows\SysWOW64\Khlklj32.exe

Filesize
233KB

MD5
bceed5b35b3ec0b33fefd8920d83f49b

SHA1
bd6d5a04fc00799be31327ee619c77f5fedc7db1

SHA256
ef3cd8f954d1bddb35223ea03267ccd2d9b4a1d24cf294fb813931915c68ce90

SHA512
1329df725cda3d59865189803b40b0f48f85ed800966542d81650f27f96f7773046acad4cf31a5b20313877166f312bb4e9ba40fe18cd1bd04156ea527f57be3

Download Submit
C:\Windows\SysWOW64\Kjeiodek.exe

Filesize
233KB

MD5
baf47cc111b68bea1e35554e04eac760

SHA1
fc5236339619d3f05fd1aa1f657d2222c87daa20

SHA256
e2090cbfe63db7e6e65f698b1199353903c83f000595a298ebdc8e0f9d1bcaa3

SHA512
e4a03f12128fcddf60a80f3a69e5bbefb95419bb66152752162a5789670d969fa6dd53f1d7d4dfb243dabeb48131cf60e4e6530c33d6d6cfb84b3feb6b460ecd

Download Submit
C:\Windows\SysWOW64\Kpanan32.exe

Filesize
233KB

MD5
f38c8f7d3a02f3761c0635b72ec53d2e

SHA1
dde2a7da1596a70b8cfd70befa23f979cfbd85d2

SHA256
bd8759d13802b755b06522dcff393229dee1e0d82c89eb87b0cbafe088e0e548

SHA512
3cf73c2ea52c4666be01b710c4e054eef3852be5c328bcf98ab3b0f9e4ad0e73008f5b537bb71e3d10f7af0d389a36041b0e70780d8acb29c02eebf2e965c8b2

Download Submit
C:\Windows\SysWOW64\Lakfeodm.exe

Filesize
233KB

MD5
67cdd5df71520340a79a2eb9ddb7cf05

SHA1
9f58282d627c96abba544e6162e740b409e29b26

SHA256
d54d4af43b97a16079f4419b2f11f0a482efdd51ec25c7d68d686467494e9af2

SHA512
5a8861a1ee65fea121b2696bf35c428cd774fe5bfb35c78b3e34e07a0a76e444c6f68e9b4a7dd62115647558e0a9d7cc4834191e7c458f2e938f798c89fe5a5c

Download Submit
C:\Windows\SysWOW64\Lljklo32.exe

Filesize
233KB

MD5
c3f6d6d947e466df6e3b36448906a5b4

SHA1
cd3ee34e20b178138406015b6b31d6643ec8a0a8

SHA256
ff8718cc71541e25b2acc6f5858e7dd474bbd8902e934dc9546bec71f61bd677

SHA512
29a4ed347dbfdae9eda2ce91e8f9ad91ffc66b4074b8c349251a5ad15663bc05d16f25aae1af91a1efd9ac93078e22a7038d521d52e312308446895f85dafc60

Download Submit
C:\Windows\SysWOW64\Lmdnbn32.exe

Filesize
233KB

MD5
a0d08c66f3a5f917882e142cb439814b

SHA1
3e0d5d99d62c93b57ffe0031ddf715483d3289df

SHA256
d61cff3cd64d7837924619bddd61aebc93d01ff168c539bbc663f3bfa27e70af

SHA512
7f5d47cb5a77ab19515f9191e7b2e033d8bc0a3ebc8ba8d125feeedb4c81d505b779d8113560fddd81db7c9500fefdc95791064eae8702567a869044d38f3af2

Download Submit
C:\Windows\SysWOW64\Lqmmmmph.exe

Filesize
233KB

MD5
1ceaa882774b94aa85e8adff75e47dcb

SHA1
ffeb7fed8e7fb6184f5a0637036c30be8d4246c0

SHA256
8eba73b0f842654958a382ef1a498fec32c0bebad09fdc2dc207215fec922170

SHA512
46e5c098e3cf74fccf60c367fd40874b05a1486b2072f415f74081c6865da6163264e79ae1a03434e13062f7830120b80fa362645d6769118867fede73b65285

Download Submit
C:\Windows\SysWOW64\Mfbaalbi.exe

Filesize
233KB

MD5
8f126481b5e70c3ea4891e2b9516a6ee

SHA1
3a762c2ff5f6b33b328b2451677859800fbd7b7d

SHA256
9d0dd15b64b7e3102ca5199ba71a9ed8f04f5eaa8cae7aade62e9d31683e0e49

SHA512
24e40105ad80fe4fd0b5116ab97b9b4479732ea93c2104fbf44edd72c64daa30447d163ff9719f419012a2db929062c93177936896403c8896512677d9d892b0

Download Submit
C:\Windows\SysWOW64\Mfeeabda.exe

Filesize
233KB

MD5
451c14755c6ab4985646c2eddbaec460

SHA1
874067d384b1ca81d99133181a8f09a1dbfbe1c3

SHA256
1f1cd20857b8514c562650967fb7b64acaa03f137b44a2587cf4c9932843238b

SHA512
0ef414b523961022814491b50fe06534f43881f788c993fd44366f16df97fe8b4cc5e55a8c789b6769beabfe5c9c53a29feb06020091bebbfec9466f6e28eea5

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
233KB

MD5
7ba550c2c44c3de51ea51b8cb4be943f

SHA1
4a0c987b887c44cfdd9d57e08c5bb108c6b5498b

SHA256
f4abecf56faa4b75c51957f99116a8116b2d729e36a2f7095c8590f34a4166ab

SHA512
9133be9682f70196cbef8ea8c70d9eb198bb3c014b069ded9fd6c38aa699bfb7d7ab4a4ad5d27119c2ba7d050c58a44470a5908e5d9c297ad73d6f0f2138c9f9

Download Submit
C:\Windows\SysWOW64\Mjlhgaqp.exe

Filesize
233KB

MD5
8a133c6cc668ead571a06f658607a6b9

SHA1
cb78551ff8fd87e6192eb110fb4222d2d90ca74c

SHA256
850b8655b0b1a99ba07f28acc05090ab3b519c8ad29a99ef03314c37e80f6391

SHA512
1d8b5ec8b0830b261ba2517046006a7703008104ad4b716198767cbbb293d23c42ec1a241be0cec7426a8f9912da8ee1e0541e5912898572646f1d16cff8525e

Download Submit
C:\Windows\SysWOW64\Mmfkhmdi.exe

Filesize
233KB

MD5
555ed97f8f5b86984fa0c9358c5341bf

SHA1
82f16d8bb9a9dd3b1c5ed5e9fb0204ed0f68c019

SHA256
b274be125c591ca30adf0b185ff4bc208a277b66153c66d1fbac9524707cd12e

SHA512
31b965c506a4e40d1f0b77a8d6886fe76f1ce46daf0f1edf18132e3955a636c8341ca8b6f33b8b180138d72462cda39503668f2b40687752aa74156ebeb669e2

Download Submit
C:\Windows\SysWOW64\Mqdcnl32.exe

Filesize
233KB

MD5
03b2328c916e2cdd353ba362be35e85c

SHA1
fcb237c27e25502b4b9527a32868f99fbddaffc7

SHA256
3fefe873df447ef46b9832a83dba7cdf40282a9ed6d596d31292021283e7e519

SHA512
f920b3493bf5da198cf30d0059ae7d5033a086a2fe60523a8d6a1b27804e5ca0063265ed6fbd1a3efd57081b2bf6372a21997c73f7434544281576e86db310e8

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
233KB

MD5
c31251e11fcf721d53755ed61e1f528c

SHA1
ba1ae2b94d9dd6fc99c46e4b6e27da77d6aa8e33

SHA256
484357b47e3236d1376f49f67238025e1863e6cbafb56e27f909b38477d15c86

SHA512
5ac397cd331554ff82700ebde38cc93034e4955a1b688e57ef1acab6e03624f66939417178bd11a03a51ab91a03047095a8502299558dbddb5a0d1941cd449ea

Download Submit
C:\Windows\SysWOW64\Ncpeaoih.exe

Filesize
233KB

MD5
766cfdf41b91ad70bec5a762a8204406

SHA1
0ffce421ab2c8b0e4d4887f962c817549c2c8bef

SHA256
1865e9c310ed51f80e7a80633b3a1aee74a54d7c63c9c615753fb00452cf0f9c

SHA512
732c2659087ad86b731a7826380fb73c0fe3934825b8fdc9a4f83e856cb0ae64ec9c370f8cc80a42c622b6e16e5da818355406ecfc2d706e947a782846d99172

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
233KB

MD5
3ddab2ee6ba2eb381e4c778023388230

SHA1
d72b65e86be26d3c26598ed4624f48626774fbe5

SHA256
03e5ab25f5ce87625149c106fca80b798ba8909edd7279f689920e58aa07d333

SHA512
0c390934dc85c08ec91871bfc7a2dd6b5a567a4838456d622bd79223ba56186ed78e65624cecec14ca3b9019c62c1a8678f2895291429bca7999148a3f3b71ba

Download Submit
C:\Windows\SysWOW64\Nflkbanj.exe

Filesize
233KB

MD5
cad3de6d0a93458a009d963b2ce815de

SHA1
aac77434851852855c03e798229483bd428f9dec

SHA256
ba319a9d9d1c939184bdfb62be1822bcd81c8e4c4ba701b6c77583a3e1a9213e

SHA512
aee1f775e78d5c7cafe31cf74419e8e4bbf1057155e6d000f4e2b9918aecd40c0d238f4ac0fdffac3e0fae23973604b975e589ca49475acd2dcbfd5b3e8aaa9b

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
233KB

MD5
e6bb70478e8d91f6ea9ec14478ec9036

SHA1
696858c1c13fb68ae4510bc434cbe9ede8473dc6

SHA256
0b0ba02c68640e0e249da0e189b557746a6b002c9cbfb50c24404f2344fb3200

SHA512
f2d53dd4a4df3e75d49788c1b588af21f74021420684450b9ef190443bd60364c8b532edbfdd66e8db8c12554ed61053b8cf457fc4b0948e867e6b4c33edcf47

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe

Filesize
233KB

MD5
b1753d895243061b2b6f8b27db9b845f

SHA1
acf582919f256d136df8f68094b6c0c63eb0f74d

SHA256
f76d722d44b32f90be0b049a1e53c9ba407a222647151d73542d57a4de31d4db

SHA512
250c9a1964df68e3107e185b42d6cfeddf7654d6df1ebf7748ac435a1f7f40057c5c086300b2b996159b88995ae088629060c69467c44c6a4209ceccc8e5674b

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
233KB

MD5
91bf9be2eccb505f2b0e5f0ebf86093e

SHA1
bfe4d12acf0be540c8d2e6b5260b476892043b02

SHA256
0d960f6c7d4f5b5474f745b57d3290c01b49d48dbc162a78aad8356bae205960

SHA512
49b25b7ace94e9deda693dba8272c48b6aee9f96b84b938d94afda6fa29c64622cf66580e25999a0e16eca88c991b3ace29ad9ab13142257f2c3953cd6bfb54c

Download Submit
C:\Windows\SysWOW64\Ocaebc32.exe

Filesize
233KB

MD5
00c6aa0b25204eae0de6f771beabd3fc

SHA1
e19e5f126374b6daee152b0c312476ee808f17dd

SHA256
461b270619bb0d991769e3adfe351c03af7b79a7e60d9bef1f098cd8a6f162a0

SHA512
29c10a8d67fe78c617606d32df4711d1d8545efe908894b29c9526552f3f16d18627485da313f917f4f3438a02484c81cd42e197ef303cac2dbe003d477904c8

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
233KB

MD5
f2840d6a60882178c943bb4d31ed4e29

SHA1
8c78981893126c4a635c810eb840bd3e17167505

SHA256
1f01b6295d99f37c13f17d8bf2e4b8c7d9d6d6768e69c6e267246defc8566c94

SHA512
53b88349797c6e188dfd54302de327382fec68d0dd8c220bfa0ab7dc7e9eca667de3a62689122fcf8a4be2bbf5d1f9e9572ea83b931fcca1b7cbc1314652e565

Download Submit
C:\Windows\SysWOW64\Omdppiif.exe

Filesize
233KB

MD5
7a2d07423efc279ebe53c20cfcffb548

SHA1
185ebddf8f7b79660a3337b074e4a86c5e40fbe6

SHA256
07fe3ecfcdd462d1be071ac6f4e1b6b074dcb157a70271644b70f193ee0167d7

SHA512
2497aebb65fa38e4ed224f14144dfe8b3b0e4e8151e1b16f26e0d77f5535e2448d239ab7374fdb8d375d04a928cbcac6e9eed244bc44425e5f6cf47e693792e8

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
233KB

MD5
9661105c1ff02d9a3577ff9ea42d1abd

SHA1
576cb1fae96dfa0b818ceec160beeeaec540ae59

SHA256
84d9e576adbf4fc093ebb2e144d3d31487067adde4e5646ed445a610e85f2be9

SHA512
86fd094de430874651a99896018cd827ef86b5ed19ea3eb0f8927862893e51a0639fd791e09058c92900d0ac7f9a33ff0aaa1f8683eed1da8ee7ee2f2b40c0ec

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
233KB

MD5
353dde98626cf35ae96d865e44de0e4d

SHA1
9116522c3a18d4c08f8babb92b8c55dfeb0e6059

SHA256
e3702c5bb1770e2cae86935800cae265d83bbbe7e3f4538542f85233e33c16c3

SHA512
89532e9741fb3e7595fe8549ec64c51acd8418cfd89ad3ad0137209f47c8486978acf5aeffce757486970bb77773530d1febd6f6c8fa6b5d9f8aba245f277528

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
233KB

MD5
3fad749e567be0ba49e031338cee8774

SHA1
86238585b826471a1e03a178e8e799bd55a0d154

SHA256
840f2119102f3aac50fcff8ea5a88aa3dff143cbaa0c33573b88f47901ead562

SHA512
48114938f06d3b4a9e7d70e6a9efb3e36f8be568913fe490cfa23e43316dc4575caf37f13a16fa99bb2f0ee6e0c299af12b09ae509be2d7836ba40e263800ea5

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
233KB

MD5
c650f58c8c873914d9a0e56788edb7d2

SHA1
b2d70899661bba89dccc3277f9c6b5fc02fd8c47

SHA256
b09b08011fad181d9f57996e3cd2321126f4ce084a5d7fb5ee7d2d4f79dfb3ee

SHA512
e9b916530aad8b9c6520ad9eae975928b1fdfc4500351092935e17d3cfb6ca7cd993616a890e06d4aaf1ccab3023bf25e92ab17c30ccf794995ca9ac2f4fb224

Download Submit
C:\Windows\SysWOW64\Pjdhbppo.dll

Filesize
7KB

MD5
955236a8ac2fd7938a747239f62950aa

SHA1
612aa98dc1bd9ed079058076a44829603819c5ce

SHA256
1c1dd071b3aa598755afbcf3032c53634bab33ba698d6f7bb3dda4f0a78ace54

SHA512
f75c8019a4fc8d0472108d5aaa114581ed03c3d437b69bb473d1b2dd32b55545e52581cb9e6ad117ba4958c8538d4df0ed83c12592c677bc9c1aac3d0898fe65

Download Submit
C:\Windows\SysWOW64\Pjmjdm32.exe

Filesize
233KB

MD5
709c762ec1c555be90534b320d9acf86

SHA1
06747c5309867447ca0dee4c7700ed9588cb98f1

SHA256
041879b716a42877d3e195345f416000dd1e0f1de544eab4dbe1585d18f6ac64

SHA512
3ee77ff5983f6db4a43135fda1596c7662381f4d0b6059dc84e14d38028ab934b9c1ae4380285ec691920851a9ad7e64246b25e1e979dfea79a1a0c09cb1ea92

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
233KB

MD5
6e4548349dd78cf294211f83d537e594

SHA1
ce8ef7c92a643a0ef3aae100f21fc1a6ab48687b

SHA256
2a3fd03308cde8ad24e8c0ab076913fda76666ddb8ce1732a08147c96f0cf19c

SHA512
329400c793b72cf702c43ebb73cc33467e6e574e285aa57d00b7801b0c662f17e55e5f8afeb59920b99dde2238358d94922a2edd5b0a744a79550ef026a07d0f

Download Submit
memory/404-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/560-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/656-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1004-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1040-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1184-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1292-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1300-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1596-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1796-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2252-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2432-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2460-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2984-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3280-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3360-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3368-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3540-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3604-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3876-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3896-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3992-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4008-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4208-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4352-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4388-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4576-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4620-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4844-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4884-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5160-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5200-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5240-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5280-380-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5320-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5360-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5416-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5472-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5512-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5552-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5592-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5632-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5672-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5716-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5756-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads