a7a114f86d25a98dca72a50907fa34aa402eab2ede6b9d763b80659601066c8b

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7a114f86d25a98dca72a50907fa34aa402eab2ede6b9d763b80659601066c8b.exe
Size

467KB
MD5

bddcc31e77725619eedffff63c2baac5
SHA1

7718fe36112ed4c5de38a8de4e5ded66d49252d4
SHA256

a7a114f86d25a98dca72a50907fa34aa402eab2ede6b9d763b80659601066c8b
SHA512

0cfa0ebaff47f3d3aeced0cf903e878b3ba8cea3a47e0328cfd95eaf514d0b74a5aa7e3b1975afcdcf0a72af5f8b83c9381a28a6f7a5e3e38c22202b8a363db8
SSDEEP

12288:SfIXSYB2o8wE39uW8wESByvNv54B9f01ZmHByvNv5:SfICYB2o8wDW8wQvr4B9f01ZmQvr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egaejeej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpochfji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njbgmjgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iondqhpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oaifpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fecadghc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fohfbpgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaiqcnhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lobjni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiffqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niojoeel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjjpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edeeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcclncbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hioflcbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpaihooo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgnbdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnnccl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkfcqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipdndloi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kocgbend.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nglhld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edeeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcikejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjdikqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgnbdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgpni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfjfecno.exe

Executes dropped EXE 64 IoCs

pid	Process
1688	Kjeiodek.exe
1684	Kgkfnh32.exe
4960	Kgnbdh32.exe
3732	Lcgpni32.exe
2420	Lcimdh32.exe
4368	Lqmmmmph.exe
1148	Lfjfecno.exe
3212	Lobjni32.exe
996	Lncjlq32.exe
4372	Mgloefco.exe
4328	Mnhdgpii.exe
1504	Nglhld32.exe
2248	Npiiffqe.exe
4708	Oaifpi32.exe
4600	Ogekbb32.exe
3672	Ofkgcobj.exe
3980	Ogjdmbil.exe
2960	Ohlqcagj.exe
2824	Pfandnla.exe
4824	Pjpfjl32.exe
4020	Pnmopk32.exe
4292	Panhbfep.exe
3332	Qaqegecm.exe
3708	Qpeahb32.exe
1016	Aoioli32.exe
4380	Aokkahlo.exe
3784	Ahdpjn32.exe
4432	Apodoq32.exe
1592	Baannc32.exe
4736	Bacjdbch.exe
3988	Bogkmgba.exe
1616	Bnoddcef.exe
3320	Cponen32.exe
1084	Chiblk32.exe
4412	Cgnomg32.exe
4472	Cpfcfmlp.exe
1476	Dkndie32.exe
3500	Dhbebj32.exe
2056	Dakikoom.exe
2696	Dkcndeen.exe
4256	Doagjc32.exe
4556	Dhikci32.exe
4356	Eqdpgk32.exe
1532	Enhpao32.exe
4560	Egaejeej.exe
2332	Edeeci32.exe
3812	Ekonpckp.exe
2252	Egened32.exe
3920	Enpfan32.exe
2700	Fnbcgn32.exe
5152	Fkfcqb32.exe
5196	Fecadghc.exe
5236	Fohfbpgi.exe
5280	Gnnccl32.exe
5320	Gkaclqkk.exe
5360	Gbnhoj32.exe
5400	Gpaihooo.exe
5444	Ggmmlamj.exe
5488	Gbbajjlp.exe
5524	Hlkfbocp.exe
5564	Hioflcbj.exe
5604	Hbgkei32.exe
5652	Hpkknmgd.exe
5696	Hicpgc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mlcdqdie.dll	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Ekonpckp.exe	Edeeci32.exe
File opened for modification	C:\Windows\SysWOW64\Nciopppp.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Okjpkd32.dll	Fecadghc.exe
File created	C:\Windows\SysWOW64\Pbjddh32.exe	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Hpkknmgd.exe	Hbgkei32.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Cmgqpkip.exe
File opened for modification	C:\Windows\SysWOW64\Lncjlq32.exe	Lobjni32.exe
File created	C:\Windows\SysWOW64\Ndjaei32.dll	Dakikoom.exe
File created	C:\Windows\SysWOW64\Fecadghc.exe	Fkfcqb32.exe
File created	C:\Windows\SysWOW64\Pjmnkgfc.dll	Ipdndloi.exe
File created	C:\Windows\SysWOW64\Baepolni.exe	Bbdpad32.exe
File created	C:\Windows\SysWOW64\Aoibcl32.dll	Doagjc32.exe
File created	C:\Windows\SysWOW64\Cfkeihph.dll	Pjcikejg.exe
File created	C:\Windows\SysWOW64\Bpqjjjjl.exe	Bigbmpco.exe
File created	C:\Windows\SysWOW64\Mgqaip32.dll	Cdaile32.exe
File created	C:\Windows\SysWOW64\Nepmal32.dll	Cancekeo.exe
File created	C:\Windows\SysWOW64\Mkfefigf.dll	Panhbfep.exe
File created	C:\Windows\SysWOW64\Ijikdfig.dll	Aoioli32.exe
File created	C:\Windows\SysWOW64\Lqppgj32.dll	Baannc32.exe
File created	C:\Windows\SysWOW64\Benibond.dll	Jafdcbge.exe
File created	C:\Windows\SysWOW64\Anjcohke.dll	Jbepme32.exe
File created	C:\Windows\SysWOW64\Mlhqcgnk.exe	Mfnhfm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfogbjb.exe	Bpqjjjjl.exe
File created	C:\Windows\SysWOW64\Jchdqkfl.dll	Nglhld32.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Gnnccl32.exe	Fohfbpgi.exe
File created	C:\Windows\SysWOW64\Lplfcf32.exe	Lpjjmg32.exe
File created	C:\Windows\SysWOW64\Aafjpc32.dll	Aidehpea.exe
File created	C:\Windows\SysWOW64\Nkbjmj32.dll	a7a114f86d25a98dca72a50907fa34aa402eab2ede6b9d763b80659601066c8b.exe
File created	C:\Windows\SysWOW64\Baannc32.exe	Apodoq32.exe
File opened for modification	C:\Windows\SysWOW64\Egaejeej.exe	Enhpao32.exe
File created	C:\Windows\SysWOW64\Lahoec32.dll	Bogkmgba.exe
File opened for modification	C:\Windows\SysWOW64\Mlhqcgnk.exe	Mfnhfm32.exe
File opened for modification	C:\Windows\SysWOW64\Jadgnb32.exe	Jihbip32.exe
File created	C:\Windows\SysWOW64\Lpgmhg32.exe	Lcclncbh.exe
File created	C:\Windows\SysWOW64\Ifncdb32.dll	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Jidinqpb.exe	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Naagioah.dll	Nqmojd32.exe
File opened for modification	C:\Windows\SysWOW64\Pnmopk32.exe	Pjpfjl32.exe
File created	C:\Windows\SysWOW64\Apodoq32.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Kpqgeihg.dll	Pbcncibp.exe
File opened for modification	C:\Windows\SysWOW64\Pciqnk32.exe	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Dakikoom.exe	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Nlbkmokh.dll	Edeeci32.exe
File created	C:\Windows\SysWOW64\Mpeiie32.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Fhcbhh32.dll	Qcnjijoe.exe
File created	C:\Windows\SysWOW64\Oifoah32.dll	Enhpao32.exe
File opened for modification	C:\Windows\SysWOW64\Hbgkei32.exe	Hioflcbj.exe
File opened for modification	C:\Windows\SysWOW64\Jihbip32.exe	Jldbpl32.exe
File created	C:\Windows\SysWOW64\Gcilohid.dll	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Lcgpni32.exe	Kgnbdh32.exe
File opened for modification	C:\Windows\SysWOW64\Lqmmmmph.exe	Lcimdh32.exe
File created	C:\Windows\SysWOW64\Mgloefco.exe	Lncjlq32.exe
File opened for modification	C:\Windows\SysWOW64\Apodoq32.exe	Ahdpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Edeeci32.exe	Egaejeej.exe
File opened for modification	C:\Windows\SysWOW64\Oikjkc32.exe	Oihmedma.exe
File created	C:\Windows\SysWOW64\Caqpkjcl.exe	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Pjpfjl32.exe	Pfandnla.exe
File created	C:\Windows\SysWOW64\Kpqfid32.dll	Gkaclqkk.exe
File opened for modification	C:\Windows\SysWOW64\Iialhaad.exe	Ipihpkkd.exe
File opened for modification	C:\Windows\SysWOW64\Kocgbend.exe	Koajmepf.exe
File opened for modification	C:\Windows\SysWOW64\Lhnhajba.exe	Khlklj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6576	6764	WerFault.exe	258

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieppioao.dll"	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edeeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jihbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpqjjjjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgnbdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baannc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egened32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qclmck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abmjqe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jldbpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfpihkg.dll"	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mliapk32.dll"	Apjdikqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lfjfecno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpjjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmipm32.dll"	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbepme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncepolj.dll"	Gpaihooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkilc32.dll"	Njedbjej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijmiq32.dll"	Kjeiodek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkcndeen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Khlklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll"	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnlgh32.dll"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmbbe32.dll"	Jidinqpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmafal32.dll"	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgkfnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll"	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpaihooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmcjnkq.dll"	Hpkknmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlglnp32.dll"	Jldbpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faoiogei.dll"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egaejeej.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 1688	4696	a7a114f86d25a98dca72a50907fa34aa402eab2ede6b9d763b80659601066c8b.exe	97
PID 4696 wrote to memory of 1688	4696	a7a114f86d25a98dca72a50907fa34aa402eab2ede6b9d763b80659601066c8b.exe	97
PID 4696 wrote to memory of 1688	4696	a7a114f86d25a98dca72a50907fa34aa402eab2ede6b9d763b80659601066c8b.exe	97
PID 1688 wrote to memory of 1684	1688	Kjeiodek.exe	98
PID 1688 wrote to memory of 1684	1688	Kjeiodek.exe	98
PID 1688 wrote to memory of 1684	1688	Kjeiodek.exe	98
PID 1684 wrote to memory of 4960	1684	Kgkfnh32.exe	99
PID 1684 wrote to memory of 4960	1684	Kgkfnh32.exe	99
PID 1684 wrote to memory of 4960	1684	Kgkfnh32.exe	99
PID 4960 wrote to memory of 3732	4960	Kgnbdh32.exe	100
PID 4960 wrote to memory of 3732	4960	Kgnbdh32.exe	100
PID 4960 wrote to memory of 3732	4960	Kgnbdh32.exe	100
PID 3732 wrote to memory of 2420	3732	Lcgpni32.exe	101
PID 3732 wrote to memory of 2420	3732	Lcgpni32.exe	101
PID 3732 wrote to memory of 2420	3732	Lcgpni32.exe	101
PID 2420 wrote to memory of 4368	2420	Lcimdh32.exe	102
PID 2420 wrote to memory of 4368	2420	Lcimdh32.exe	102
PID 2420 wrote to memory of 4368	2420	Lcimdh32.exe	102
PID 4368 wrote to memory of 1148	4368	Lqmmmmph.exe	103
PID 4368 wrote to memory of 1148	4368	Lqmmmmph.exe	103
PID 4368 wrote to memory of 1148	4368	Lqmmmmph.exe	103
PID 1148 wrote to memory of 3212	1148	Lfjfecno.exe	104
PID 1148 wrote to memory of 3212	1148	Lfjfecno.exe	104
PID 1148 wrote to memory of 3212	1148	Lfjfecno.exe	104
PID 3212 wrote to memory of 996	3212	Lobjni32.exe	105
PID 3212 wrote to memory of 996	3212	Lobjni32.exe	105
PID 3212 wrote to memory of 996	3212	Lobjni32.exe	105
PID 996 wrote to memory of 4372	996	Lncjlq32.exe	106
PID 996 wrote to memory of 4372	996	Lncjlq32.exe	106
PID 996 wrote to memory of 4372	996	Lncjlq32.exe	106
PID 4372 wrote to memory of 4328	4372	Mgloefco.exe	107
PID 4372 wrote to memory of 4328	4372	Mgloefco.exe	107
PID 4372 wrote to memory of 4328	4372	Mgloefco.exe	107
PID 4328 wrote to memory of 1504	4328	Mnhdgpii.exe	108
PID 4328 wrote to memory of 1504	4328	Mnhdgpii.exe	108
PID 4328 wrote to memory of 1504	4328	Mnhdgpii.exe	108
PID 1504 wrote to memory of 2248	1504	Nglhld32.exe	110
PID 1504 wrote to memory of 2248	1504	Nglhld32.exe	110
PID 1504 wrote to memory of 2248	1504	Nglhld32.exe	110
PID 2248 wrote to memory of 4708	2248	Npiiffqe.exe	111
PID 2248 wrote to memory of 4708	2248	Npiiffqe.exe	111
PID 2248 wrote to memory of 4708	2248	Npiiffqe.exe	111
PID 4708 wrote to memory of 4600	4708	Oaifpi32.exe	112
PID 4708 wrote to memory of 4600	4708	Oaifpi32.exe	112
PID 4708 wrote to memory of 4600	4708	Oaifpi32.exe	112
PID 4600 wrote to memory of 3672	4600	Ogekbb32.exe	113
PID 4600 wrote to memory of 3672	4600	Ogekbb32.exe	113
PID 4600 wrote to memory of 3672	4600	Ogekbb32.exe	113
PID 3672 wrote to memory of 3980	3672	Ofkgcobj.exe	114
PID 3672 wrote to memory of 3980	3672	Ofkgcobj.exe	114
PID 3672 wrote to memory of 3980	3672	Ofkgcobj.exe	114
PID 3980 wrote to memory of 2960	3980	Ogjdmbil.exe	115
PID 3980 wrote to memory of 2960	3980	Ogjdmbil.exe	115
PID 3980 wrote to memory of 2960	3980	Ogjdmbil.exe	115
PID 2960 wrote to memory of 2824	2960	Ohlqcagj.exe	116
PID 2960 wrote to memory of 2824	2960	Ohlqcagj.exe	116
PID 2960 wrote to memory of 2824	2960	Ohlqcagj.exe	116
PID 2824 wrote to memory of 4824	2824	Pfandnla.exe	117
PID 2824 wrote to memory of 4824	2824	Pfandnla.exe	117
PID 2824 wrote to memory of 4824	2824	Pfandnla.exe	117
PID 4824 wrote to memory of 4020	4824	Pjpfjl32.exe	118
PID 4824 wrote to memory of 4020	4824	Pjpfjl32.exe	118
PID 4824 wrote to memory of 4020	4824	Pjpfjl32.exe	118
PID 4020 wrote to memory of 4292	4020	Pnmopk32.exe	119

C:\Users\Admin\AppData\Local\Temp\a7a114f86d25a98dca72a50907fa34aa402eab2ede6b9d763b80659601066c8b.exe
"C:\Users\Admin\AppData\Local\Temp\a7a114f86d25a98dca72a50907fa34aa402eab2ede6b9d763b80659601066c8b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\SysWOW64\Kjeiodek.exe
  C:\Windows\system32\Kjeiodek.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\Kgkfnh32.exe
    C:\Windows\system32\Kgkfnh32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\SysWOW64\Kgnbdh32.exe
      C:\Windows\system32\Kgnbdh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        25⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        33⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        34⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        37⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        38⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        48⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        50⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        51⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5280
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        59⤵
        Executes dropped EXE
        
        PID:5444
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        60⤵
        Executes dropped EXE
        
        PID:5488
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        61⤵
        Executes dropped EXE
        
        PID:5524
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        65⤵
        Executes dropped EXE
        
        PID:5696
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        66⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        67⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        68⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        73⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        75⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        76⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        79⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        80⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        81⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        84⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        85⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        86⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        89⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        91⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        95⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        96⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2940
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        99⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        102⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:700
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        107⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        108⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        109⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        110⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        111⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        116⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        117⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6272
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        120⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6500
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        125⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6748
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6792
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        129⤵
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        132⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        133⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        134⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        135⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6184
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        139⤵
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        140⤵
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        142⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        143⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        145⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        146⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        148⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6220
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        151⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        152⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        156⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        158⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 424
        159⤵
        Program crash
        
        PID:6576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6764 -ip 6764
1⤵
PID:6364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5256 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:5684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
384KB

MD5
f7ae43d1bfefcfed100d09f0cb347dbb

SHA1
21385fbfe75d1b7e968e10539272298e2e099095

SHA256
4120d98ca30a42f2807d97cb5f028174516bbeafa7590694710f7f5509ae0363

SHA512
9212ddb948d10e81f37732a9470073c1fdfde812d580109d1b8afa1ddd2a8dfccc7c74b3155da91053a9fa5b21a0d2adc34e79bcbaa196dd4138e424868e1925

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
421KB

MD5
cdac0220be713c5fcc2dcfd6311e2a56

SHA1
85fb22346fe10fc586e744b463ea5d28d2d9ba78

SHA256
67c2412cccfcd886856468830f0af24a45826351a2da16e0978ba73f93aae61b

SHA512
3ca1b75f3c3f106a5c99b56f4f419ab857e4a461efecc85b0493388a7dcd7ef544382014d12583de44a0cc2cbfa4333e8f9d4c01a3a97bcfea2b643d7dc0a1cf

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
467KB

MD5
5dc80d5738e1251ec9784aa9a8ee9d71

SHA1
3629180211886b73668ca2911385e78eabd77d9a

SHA256
980f893e28f77d3904ad7e34dabc67d5399b5c1ee75a46d6a43e77808e53254d

SHA512
abe623cfa6871c3d975cde497f09c071c5df27b6cdfe6f0987cd0bad289e56ffff56423fe04295d3ba2396a7505c5792f59958bed3821f2300e95fc6170d86fe

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
467KB

MD5
8480dc4e7b7faa8aae8fa3c2d54d03e6

SHA1
9b271ac19890a5ac8788c7b0251557eeb44ccfcd

SHA256
6c59588c1d39cb48dab5bcf0f1ac4a27aefcd1bb27a25eb4f69a2e71de04df42

SHA512
16d522e1af8e47e396d623cfd05800a596ed15a336e684635cb6c0c08b748af405101504ca0dfcf8f1783bd8067b077ac5366a104ffa43830560bf7269f73108

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
384KB

MD5
9c356b2ba6dc9efe18da4930a7005966

SHA1
6d63db04c29ccdf6d5e402e274e3624195f0f821

SHA256
75df4920ae08403ad0f3cfa12769081147d69f6ed133276a66698e8f3f8687bc

SHA512
c1d7685f44f3d8b7f7c475ebdb074ae64e6c85e45c4245c336470d0af46d32d592f66e143e88819b5de5a2efa990f1f08f8180416a683d17ac376141fd50d646

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
467KB

MD5
6d4ec2a3a5a0714da69e1eb421cc13e1

SHA1
b5c6ced869763b90504938a34baf3745c4408a26

SHA256
e6a42d038f4a974125400620c1cd1d1aa24f7beae7eb687e71efd5964e742781

SHA512
4efaff22703d3c3cfa34e7e5a28fc3d278096800f146420d438f92078a24010c8dc4aaf09161d95b23fe95d8ec33503aa5cb6fc9afb12577ed6ae53b7a6c85b1

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
467KB

MD5
1b01ef338f8ca09ea63819811b2aa83c

SHA1
222475a2ed5f88c02e0f2a2dc54902e83098e1fc

SHA256
6eedcff9524daee57bb6cccfbcba13587a6ca6edc0ba1cb32ba66d40035f8db7

SHA512
adf16a6fab892d5c8005290dbdb7f9fa8e0d87476c4620f2ca1792a2c9d6e3d2bb566e179d3826c832a563ade69d604f6aaae494107ddf37676242c7e1177724

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe

Filesize
467KB

MD5
cf65ef0d7a6af4b60dcd0c7e238f76c0

SHA1
320a90463d3965ea470946023ad8b15ea2a9f812

SHA256
719468e96346fa3f0e2ef94da94cecfe4d356a57bab188ca0da926c6e6625e1a

SHA512
1fd8b7beb4d3d12012a3d75df3fb6cb5fb783d41a1e0d7ef4d9929640ba694eab45e33aa62dac3fd720f75b55bb3fd108ebed240891bad635225332ed6af1c17

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
467KB

MD5
688c2e63c6c963cbfd858e88065e801f

SHA1
8233ff5bf56592c580594651e4d9562f6c7b8deb

SHA256
b1ceeb14b97db95a9d14a0f232e40f8d0cb927bebf2c68ded7c7e4cbed0fb184

SHA512
6e84cccdb25a20296eda2eb3dc59c46b6548930026d476e4ddb54706bfb8b0bb21aac9a19ab58da3d6bb19a2ee541393c9f1b740e576a1ddb0ae72cc27fe71cd

Download Submit
C:\Windows\SysWOW64\Fnbcgn32.exe

Filesize
467KB

MD5
07043dd5a294e44ede118f11b01a7368

SHA1
331d789e1e5d41574f9e2340b34e563d7bd62843

SHA256
51af1690155aec6b20d9bace561b7dce44c1a4aa710e36fec60ca8e0024fe65e

SHA512
8bf8739b33b2ce93f3ed3e2f6857c24fa09417c24f311716b85cdb94f8da2c7116ee0701dd0aef4dbc427b7c6a140d961f66ce9a173a686c4dcb9960187d3648

Download Submit
C:\Windows\SysWOW64\Kgkfnh32.exe

Filesize
467KB

MD5
c3dde2d344551d977ca4ccc3a061154b

SHA1
a4722574b5db4319d4e7803ad20ad500d381d6a6

SHA256
28db8f641f058ece0755179f3822f3e14b8b46fa3932ff6b48e678594f7b1b7e

SHA512
53c1c0131ec9a6367e876ce00eecf5bb568c764589fbbf08825b82cbc525ec92439c6910a50d0fda1631bec88c0a512f5ab7624468678c9d38aff166c03e7bf2

Download Submit
C:\Windows\SysWOW64\Kgnbdh32.exe

Filesize
467KB

MD5
00a35a9197167052f1992edb478b308e

SHA1
546126b7aa2a40a5a40be5ebe1e2d5e782ff7127

SHA256
c687b210cc280202d6d55471d790312dd63bfb432194241c9df86c33d8b857cd

SHA512
7e495477ca9deb1d8566b10d13606a140237118bb95c29abf3bec4b63a7e1fa914f4a32b72e7702a0d2872b1a36c508a44066d717f4672c7af5b44915d492577

Download Submit
C:\Windows\SysWOW64\Kjeiodek.exe

Filesize
467KB

MD5
614a3ceb90236dc89b9f62948ba4692b

SHA1
70fb7d404ffcd40fca6c304f795f4af639dd62ab

SHA256
edd5829030abde1652d2cec56798ef5c89e09f9ac4e77bc5caecaf91d870bb16

SHA512
70784eab73a3945778033daf9baaacfa2e1d7cb0dd871c1fcf701957dea88c4608d89455b927fe842df8b11bf68bda323bff461a2a742f9c955973b517dacec4

Download Submit
C:\Windows\SysWOW64\Lcgpni32.exe

Filesize
467KB

MD5
b9255d315363ff6b152a97d046a0a2d4

SHA1
6ecbb3741d06c51f81e4790e05f9dad53c30353b

SHA256
e2e3a21a43d4bfb92374d7979c5fd0917ea79afd3b1dec4cba84d64d6899d708

SHA512
1e7b4fe31b8ca175f9f7b5858607f10e2e573eed95c97908e69c46efebb75c83e45838aac370e10603bd62ae8fdfdc5fd024be230b9e9cf029dcf42f45eaa3ed

Download Submit
C:\Windows\SysWOW64\Lcimdh32.exe

Filesize
467KB

MD5
1e141ff4049f902cf47caba1b7c63b99

SHA1
69df75210ec9bbb011be0e68b5f836b56e750bf3

SHA256
1ad290d7da173b8b67f4f14fa0c0b64bd6cffb1c7e8d890eb02bb110fa017881

SHA512
7e7c18b9b5e158a0de404ae8964e0abd300fe299766ba9863c701ba8262ba75d5c7235e33f4f345dfd8df576429630a4f1c930eb48ec77bec8de9294aa4e4295

Download Submit
C:\Windows\SysWOW64\Lfjfecno.exe

Filesize
467KB

MD5
ed85b1e31865ef886328b86228f388af

SHA1
55769f1a63cb2fbb26ea0765029c790a40d1610a

SHA256
92138630b64016fe43702928b0c0f013e3974e15e830c9f1d392d7c96f80e9f6

SHA512
a03e32202ab60107991bafa1d6768e827233e353ecb758bc89938092dd3f7c1c21c8f610b78e2f07446e00a4b284f32850112d72e8e34b6025944ebe3a2f069d

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
467KB

MD5
944fd9bd5e0a791887c5042498a38c58

SHA1
dc02c4a8b0fcba88e11598789ce760e6d8ae81b2

SHA256
ea31b7fcebb872c677343c5f6338c19e3ecd9c2bd24850fcfac966390211b9d7

SHA512
9afae6ca2533c9e27a45acfbee3352058d7c14bfac0a80337e81587604a52a3488cd763355c893f719c755804d6b6fe85d8684b149dbac87d043c7d196349467

Download Submit
C:\Windows\SysWOW64\Lobjni32.exe

Filesize
467KB

MD5
7c6e8681afcc2a341d932272da62db53

SHA1
7840c91d93927a6f234d9755625479202a49af32

SHA256
80222d0995f76ca138d0834481c5aa7286184f79570d783b528e10d66521954a

SHA512
f71f1cdf8f7bf4bc857461f5af46d4c78976baac51670a4cf8b5d434d19445b71af15d9d30831bfb1e3342e284ffdc295264e6906c760fcb966fef1a1dcc88ac

Download Submit
C:\Windows\SysWOW64\Lqmmmmph.exe

Filesize
467KB

MD5
9208b4269f15819eb081f145e5833539

SHA1
86525d7e4a18bfc164e219ec3419880cf71d2414

SHA256
5e587a9446d6b7bcb495cc1dec06bf10843837b79444a73aab7e514ba475e9a5

SHA512
1c18f9c8635f87f20419e565f48c6bdb2dd6b970edc013b11861ceef0123c1b0b3aa1925dc8517e676336242f20244426890440a57434cd85dff9dee5c139b19

Download Submit
C:\Windows\SysWOW64\Mgloefco.exe

Filesize
467KB

MD5
82787332ac8f276639d5774da215b0fd

SHA1
35845508a3b99f23eb4c7cd440c0689b761ddc7d

SHA256
bf3704b0a4d5f5ac4419bae87eb15f01298ac0fa7d9adea285d8a59bbe7178d5

SHA512
7d1fa69cfc2013d007208cc701e038d97acf34d5abf2ef68ff0341cd678933ef3bd906d9d9cc4c2287848abd71aedf53e25925ccc20b19908fabfa22c6c10fd4

Download Submit
C:\Windows\SysWOW64\Mnhdgpii.exe

Filesize
467KB

MD5
32c34272e55d6accc66f4591a11bf64a

SHA1
3edf5f2e2b25536d77c61604152cf8b12b19bf4a

SHA256
2e5bd6ee202161ae9e7e654d584ef768fa4749923673a0bb7d073793df727cf6

SHA512
9bf4ef83792e7983edeeace7cfc2ca5022f6b2568d77a1efe85abbe0066bbdea88b1f20ebebdf332917f6bca43d944d19f5a818756573927cc3e121b4caa47ca

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
467KB

MD5
dd35af00adf82fc2f2b7d8670e9325c7

SHA1
ad15e60ef69d175e941ffe68a031aad188e96759

SHA256
4bc7a031d431f2c71967bb94696f67481bee00570c0b78a6c063891657b3da72

SHA512
aa4f994076dd56ac514816ecf0e8ec7bf9f7d995c9c8d954dd8c18a279d547a8c170f82df100e982d2b6e7e1a65f0c73e0da8677025e61e702162caa7934fe19

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
467KB

MD5
8941d2567d075b5084c9b98b9229b7ce

SHA1
60cb61c7fd4268844a14e6464266021e6c6cc7ed

SHA256
11c6fffb543bd8fbe330fba0e100d633c4e131366b9aa523476a311ebb9c9ff0

SHA512
43ddf82fea5db1cd57adbc9e2e584df7f6fe6091eb6fd091abe4ece7eade2ce5f7cb967fea6b2ca4a6c01ff0788397ff53af2b6764a09ecdb2be277af094d106

Download Submit
C:\Windows\SysWOW64\Oaifpi32.exe

Filesize
467KB

MD5
140e68fccfb54e26e855099749f3149b

SHA1
5e9fb4cfbcf6b241ba2ae8370fdf21bc1eb54051

SHA256
7104d7207fd032d381fce71eccdfd6f8e0872a2a2f4c86cd64ee83b1abb3c51e

SHA512
c26f5f1f82098f2354f52e18e8eab4305f8e9455918af4b8f4980e69f9970ea4dca787c99545d127bda017551f6664acf87a801abcf42edbf234e6ae961dca59

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
467KB

MD5
595c0db1d56dd7e2129005cd7fc30d9e

SHA1
f6fe080860ee05bbed03f73174b71eb6a53779d0

SHA256
bea310fb26b939b1ebf65794e5fdaef60c8af18296da04d9f9f7faaae1f92b90

SHA512
36550a090ab4bd09813d285944dbc4714d6a0834b3101cb2ccb36f378239fdc6e6b1856e3c9447ac607b04accefcd6a5f46b8961435f25f9de55d5db14cb750d

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
467KB

MD5
a9f5058e4e8564fb0794806aa2b64751

SHA1
dde44d323aee91e0053d0ad3e787e786330c00cd

SHA256
08d8712e466dae676b72cbd0bec8a526ef2c02d9f01186f0a75212903ff4a0c8

SHA512
8a4e23cff78a79d85f49d79dd6d8fc68e876bd3afdb804451763b4669d3fc2d33c3c0d0443582aacba9ea63fb8ecd6338311dd777bb7c76ea4c0120ac3893e97

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
467KB

MD5
b9631b4fcf4074afc1909769221dd49c

SHA1
1eecf69853e838d0441229c329ba21471412bd37

SHA256
251b7e38fbabe4369cb12178e4b88c3974f30f544c035b7cba69d9bfb98aafbf

SHA512
4d4055cd7bf97659e2dd4a00d27f6be52f07dfdaf30012b639ca0f72138c2c83ab7fa8e41e620b5f1ffa379f1fadf10692e200975e8011045251b5c546d68d18

Download Submit
C:\Windows\SysWOW64\Ogjembbd.dll

Filesize
7KB

MD5
77802ce7b47850b79c3c03623a3cfa7f

SHA1
9941bfee869e8d07c11a21b9e4ee47feeda6f5b4

SHA256
23dedfe73afb68f614b15a7b34b9290d640c7a16349fdc166d406721175041db

SHA512
054f76834649c91a0df31d4b75d101cd0b4a5e5556d249a4c55fe6886092974b45176e5210515b53c39448fa04ae1897245977e3147af9fd0e3094f1130266b6

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
467KB

MD5
074e2a3eb260929de36c906421e12301

SHA1
4dc7b900dd303401d477ef3011652d26c117427d

SHA256
151b313c8d6eed99af24edebf06841fd498efb593b1dff2443d2992702bb1b74

SHA512
e41944c7f5270b04cb91993839513c0d16bb4e9cb334c79f05ce60ea146c6d98870fb23af4ab980300da9b22294b3f73dbebf69dbbdf70d7f121ea94069b66ae

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
467KB

MD5
5a08ea88cfa11d6a68e62f6e955a13ff

SHA1
cfded902b24597f0412c7ef819b9134b831d8f33

SHA256
b0c9e123753430a74286dcc20abacee4e1a291d4b99440ce74ff69a8ba5c9154

SHA512
26d3103c25b672e44222dd0d5a5baaa798ee782bebb27255a3f7a23ef77a9f6e7d167e90cf7da548fdaeab7e5f869a80b2aa952482e72a57a7fee4ff61779c1c

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
467KB

MD5
374f466302826591f781ce0c8979cfb3

SHA1
858151441c8f9de4de40c7d159cd86cb66b26c71

SHA256
982a11e7331ac8853277d1702fcb53c922b9b3fce8057b223363e23de3601ba2

SHA512
48364a94e0c48aff8eb8281db7bb2f4457030e36f0b6ee735a06addc26a9b13d492acb719234c6849ded2cdc24ec80699af3940e2551232c56b3d25b6e36333b

Download Submit
C:\Windows\SysWOW64\Pjpfjl32.exe

Filesize
467KB

MD5
3b0498fc3336f351f6d25d7b4a5d3da8

SHA1
5f21e92bc31e25a0a0bc780c308adf10c8b3c391

SHA256
6145ec156516c52aeb6b9729006535b12494864c9ac1704ddc27a64e41414ccd

SHA512
c54a4f9ec471e07ac8e1400274728bd5d56044d1ddbeb63891bc146835c4e169c38a50c7ae1d61773bcadee1794fb1016898201aa9115b2de433708e5bc8b01e

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
467KB

MD5
b0b02b938d75404510dc6b0b8dd92d20

SHA1
3ef45683704e255577140b4c60d5e2ce18a3ead3

SHA256
23cd724feca1ac090a74baebc4b6a27b323e5a7619a632531ff7e04348d75cd0

SHA512
d3113788ea98330696acb1945b3afa9385cf31e3d5fd37bdda59570174b6711666dd8316246ea3487f18961f81bf9226169651a3d4453ae9ba48e84f73f07ae9

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
467KB

MD5
7f63841bcbbe94b49eb07411cb841b9e

SHA1
77a77f79bf1907ffabb94d67ae19395edb3b9fd1

SHA256
b88fa6974d4f37fbecf929423d8d50ea89dd5e5153b7993e72146fdc6295e024

SHA512
375de9e7f1277cbdf6eec3d2de1858ac242d81b685e08b7867d5db2c666ff745b998652d0d45c73586643819467bfc040c9ea3cf3e91e55f7591d5b2f7ab716c

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
467KB

MD5
4ad89b4252476d10656908cdae5e8a05

SHA1
f0848d585dce97a986193acc900d3d26e4ba6cfa

SHA256
d2c80109a52bd3ba7d52fd20bbab759bc4c67360d88d2c7fccfd7e25fe575ebe

SHA512
2616eb0e000959d2e82017a8252f017317c73970dc729d064ee89ecedcf33820254881b2733c87f446ef47fd050710b8eb6e5e2a5f60a82005460ecda93db035

Download Submit
memory/996-83-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1016-199-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1084-267-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1148-81-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1476-285-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1504-94-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1532-326-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1592-231-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1616-255-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1684-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1688-8-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2056-297-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2248-103-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2252-350-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2332-338-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2420-75-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2696-303-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2700-367-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2824-151-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2960-143-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3212-82-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3320-261-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3332-183-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3500-296-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3672-127-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3708-191-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3732-32-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3784-215-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3812-344-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3920-356-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3980-135-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3988-247-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4020-166-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4256-309-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4292-175-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4328-87-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4368-80-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4380-207-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4412-273-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4432-223-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4472-279-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4556-315-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4560-332-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4600-118-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4696-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4708-111-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4736-239-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4824-159-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4960-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5152-369-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5196-375-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5236-381-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5280-387-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5320-393-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5360-399-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5444-411-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5524-421-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5564-427-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5604-433-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5652-439-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5696-445-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5740-451-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5796-457-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5840-463-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6324-793-0x0000000076C50000-0x0000000076CB3000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads