7c9f65a5cb2ff4d031c89e6e83fec1a44263c130267b7a1ef318627f41d0bc8c

Analysis

max time kernel
146s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ea1e202d132cd02b15d5d3029d9e840.exe
Size

117KB
MD5

5ea1e202d132cd02b15d5d3029d9e840
SHA1

5510bfad5d497d5187ea7d2f2772e3553af77797
SHA256

7c9f65a5cb2ff4d031c89e6e83fec1a44263c130267b7a1ef318627f41d0bc8c
SHA512

a8facd9454e2488feeab99520d61294339f6a16406b0570dd580512541b8f0de26fe4ec3f8a65a9fa533e54b98ebfb09e04802a64e182e7b3fbd1a9790058837
SSDEEP

1536:ffBXSgU32d1AM+u0ds5CxjBe5dseGEACKa74+gm7TFomG8fvvonfaGvw2WKy5gmo:NA0xw1Edser70aR2WK1mCRFFfUrQlM

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meamcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhpbfpka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oboijgbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglfplgk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pimfpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjdebfnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndflak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcghg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nahgoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmflbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nenbjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocmconhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fipkjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqpamb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlhkgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lafmjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alcfei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkalplel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mapppn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebhglj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdcliikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Knalji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiioonj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcgnbaeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcecjmkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lafmjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pefhlaie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahcajk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipkjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjohde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpjmnjqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohnohn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmhigf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkicaahi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmbaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qebhhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nccokk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njpdnedf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijqmhnko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Knfeeimj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oeehkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odjeljhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhqcgnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkicaahi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdigadjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe

Executes dropped EXE 64 IoCs

pid	Process
4308	Bapiabak.exe
1460	Ocmconhk.exe
5096	Oiihahme.exe
4780	Fpodlbng.exe
3208	Jnpfop32.exe
972	Meamcg32.exe
4896	Mnnkgl32.exe
3580	Micoed32.exe
2080	Nobdbkhf.exe
2492	Nhmeapmd.exe
5012	Nhpbfpka.exe
224	Nahgoe32.exe
2524	Najceeoo.exe
4700	Nlphbnoe.exe
2960	Okedcjcm.exe
3228	Oboijgbl.exe
2436	Ohnohn32.exe
4588	Phbhcmjl.exe
3616	Pefhlaie.exe
448	Peieba32.exe
1172	Pkenjh32.exe
1600	Pcobaedj.exe
4620	Piijno32.exe
4952	Qhngolpo.exe
4204	Qebhhp32.exe
4624	Acfhad32.exe
1840	Ahcajk32.exe
4692	Aakebqbj.exe
4828	Akcjkfij.exe
1744	Alcfei32.exe
1776	Bombmcec.exe
2980	Bfgjjm32.exe
1468	Cjecpkcg.exe
960	Ckfphc32.exe
1060	Cmflbf32.exe
1812	Cbbdjm32.exe
4716	Cmhigf32.exe
1084	Djcoai32.exe
3416	Dpgnjo32.exe
1872	Ebhglj32.exe
2468	Ebjcajjd.exe
1076	Epndknin.exe
4428	Embddb32.exe
3644	Ejfeng32.exe
1484	Fikbocki.exe
460	Fpejlmcf.exe
4572	Fjjnifbl.exe
2944	Fmikeaap.exe
556	Fipkjb32.exe
444	Fjohde32.exe
1100	Gbmingjo.exe
4036	Gmdjapgb.exe
2672	Gkkgpc32.exe
1932	Gdcliikj.exe
5076	Hpjmnjqn.exe
1480	Hibafp32.exe
816	Hgfapd32.exe
740	Hlegnjbm.exe
5104	Hkicaahi.exe
2056	Injmcmej.exe
4312	Iphioh32.exe
4784	Ijqmhnko.exe
4600	Idfaefkd.exe
3992	Jnjejjgh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nlphbnoe.exe	Najceeoo.exe
File created	C:\Windows\SysWOW64\Bombmcec.exe	Alcfei32.exe
File opened for modification	C:\Windows\SysWOW64\Cmhigf32.exe	Cbbdjm32.exe
File opened for modification	C:\Windows\SysWOW64\Knfeeimj.exe	Knchpiom.exe
File created	C:\Windows\SysWOW64\Kmkbfeab.exe	Kdpmbc32.exe
File opened for modification	C:\Windows\SysWOW64\Bddcenpi.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Bpkdjofm.exe	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kcapicdj.exe	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Lqpamb32.exe	Lkchelci.exe
File created	C:\Windows\SysWOW64\Jheldb32.dll	Mcecjmkl.exe
File created	C:\Windows\SysWOW64\Nhmeapmd.exe	Nobdbkhf.exe
File created	C:\Windows\SysWOW64\Nqjgbadl.dll	Lmgabcge.exe
File opened for modification	C:\Windows\SysWOW64\Njinmf32.exe	Nelfeo32.exe
File created	C:\Windows\SysWOW64\Jkmmde32.dll	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Egopbhnc.dll	Lchfib32.exe
File opened for modification	C:\Windows\SysWOW64\Oiihahme.exe	Ocmconhk.exe
File opened for modification	C:\Windows\SysWOW64\Ebjcajjd.exe	Ebhglj32.exe
File created	C:\Windows\SysWOW64\Lkeekk32.exe	Lqpamb32.exe
File created	C:\Windows\SysWOW64\Dhbebj32.exe	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Hqomopfd.dll	Nhpbfpka.exe
File created	C:\Windows\SysWOW64\Nmpgal32.dll	Hibafp32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	5ea1e202d132cd02b15d5d3029d9e840.exe
File created	C:\Windows\SysWOW64\Fmikeaap.exe	Fjjnifbl.exe
File opened for modification	C:\Windows\SysWOW64\Fmikeaap.exe	Fjjnifbl.exe
File created	C:\Windows\SysWOW64\Ilnpcnol.dll	Knfeeimj.exe
File created	C:\Windows\SysWOW64\Pnkibcle.dll	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Mjkblhfo.exe	Mglfplgk.exe
File created	C:\Windows\SysWOW64\Fpkefnho.dll	Nlkgmh32.exe
File opened for modification	C:\Windows\SysWOW64\Njpdnedf.exe	Ndflak32.exe
File created	C:\Windows\SysWOW64\Hhfgeigk.dll	Omcjep32.exe
File created	C:\Windows\SysWOW64\Nobdbkhf.exe	Micoed32.exe
File created	C:\Windows\SysWOW64\Mohokaph.dll	Piijno32.exe
File created	C:\Windows\SysWOW64\Fjjnifbl.exe	Fpejlmcf.exe
File created	C:\Windows\SysWOW64\Hgfapd32.exe	Hibafp32.exe
File created	C:\Windows\SysWOW64\Kdpmbc32.exe	Knfeeimj.exe
File created	C:\Windows\SysWOW64\Ndikch32.dll	Bogkmgba.exe
File opened for modification	C:\Windows\SysWOW64\Pfccogfc.exe	Pmkofa32.exe
File opened for modification	C:\Windows\SysWOW64\Fjjnifbl.exe	Fpejlmcf.exe
File created	C:\Windows\SysWOW64\Diadam32.dll	Ledepn32.exe
File created	C:\Windows\SysWOW64\Llcghg32.exe	Lplfcf32.exe
File opened for modification	C:\Windows\SysWOW64\Oboijgbl.exe	Okedcjcm.exe
File created	C:\Windows\SysWOW64\Faimhjhp.dll	Embddb32.exe
File created	C:\Windows\SysWOW64\Lmbhgd32.exe	Lkalplel.exe
File opened for modification	C:\Windows\SysWOW64\Ojemig32.exe	Oophlo32.exe
File created	C:\Windows\SysWOW64\Pimfpc32.exe	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Npjfngdm.dll	Lkchelci.exe
File created	C:\Windows\SysWOW64\Omcjep32.exe	Olanmgig.exe
File created	C:\Windows\SysWOW64\Lfinqm32.dll	Qebhhp32.exe
File created	C:\Windows\SysWOW64\Fipkjb32.exe	Fmikeaap.exe
File created	C:\Windows\SysWOW64\Kdigadjo.exe	Jnlbojee.exe
File opened for modification	C:\Windows\SysWOW64\Mqjbddpl.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Pcpnhl32.exe	Ojemig32.exe
File created	C:\Windows\SysWOW64\Hlegnjbm.exe	Hgfapd32.exe
File created	C:\Windows\SysWOW64\Lnpckhnk.dll	Noppeaed.exe
File created	C:\Windows\SysWOW64\Ojcpdg32.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Meiioonj.exe	Mjdebfnd.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Gdilpd32.dll	Ocmconhk.exe
File created	C:\Windows\SysWOW64\Hflkamml.dll	Mepfiq32.exe
File opened for modification	C:\Windows\SysWOW64\Olanmgig.exe	Odjeljhd.exe
File created	C:\Windows\SysWOW64\Imqpnq32.dll	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Qhkjegqi.dll	Phbhcmjl.exe
File created	C:\Windows\SysWOW64\Fhffdban.dll	Ebhglj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4436	632	WerFault.exe	258

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoigi32.dll"	Ohnohn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfinqm32.dll"	Qebhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkeekk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqpnq32.dll"	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocmconhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfcen32.dll"	Acfhad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olanmgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcphdpff.dll"	Iphioh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Meamcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjonng32.dll"	Pkenjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfdcegm.dll"	Gdcliikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgilf32.dll"	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebhglj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhpbfpka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihejacdm.dll"	Mjkblhfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nccokk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajgdm32.dll"	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkkgpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgmfg32.dll"	Lqpamb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mqjbddpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nobdbkhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clddmhpl.dll"	Lklbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmnjnld.dll"	Oeehkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnpckhnk.dll"	Noppeaed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Micoed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmhbpmi.dll"	Hkicaahi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcjmel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdglf32.dll"	Ndflak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmikeaap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbmingjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkkgpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpefo32.dll"	Olanmgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcobaedj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bombmcec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgeemcfc.dll"	Nlcalieg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhffmd32.dll"	Nlhkgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlihmi32.dll"	Mnkggfkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfgeigk.dll"	Omcjep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkenjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioqgiibk.dll"	Hlegnjbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odjeljhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfghc32.dll"	Cmhigf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll"	Lhcali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcakafa.dll"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbceobam.dll"	Nccokk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micoommd.dll"	Ckfphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbbdjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blickdlj.dll"	Epndknin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 4308	3032	5ea1e202d132cd02b15d5d3029d9e840.exe	87
PID 3032 wrote to memory of 4308	3032	5ea1e202d132cd02b15d5d3029d9e840.exe	87
PID 3032 wrote to memory of 4308	3032	5ea1e202d132cd02b15d5d3029d9e840.exe	87
PID 4308 wrote to memory of 1460	4308	Bapiabak.exe	88
PID 4308 wrote to memory of 1460	4308	Bapiabak.exe	88
PID 4308 wrote to memory of 1460	4308	Bapiabak.exe	88
PID 1460 wrote to memory of 5096	1460	Ocmconhk.exe	89
PID 1460 wrote to memory of 5096	1460	Ocmconhk.exe	89
PID 1460 wrote to memory of 5096	1460	Ocmconhk.exe	89
PID 5096 wrote to memory of 4780	5096	Oiihahme.exe	90
PID 5096 wrote to memory of 4780	5096	Oiihahme.exe	90
PID 5096 wrote to memory of 4780	5096	Oiihahme.exe	90
PID 4780 wrote to memory of 3208	4780	Fpodlbng.exe	91
PID 4780 wrote to memory of 3208	4780	Fpodlbng.exe	91
PID 4780 wrote to memory of 3208	4780	Fpodlbng.exe	91
PID 3208 wrote to memory of 972	3208	Jnpfop32.exe	92
PID 3208 wrote to memory of 972	3208	Jnpfop32.exe	92
PID 3208 wrote to memory of 972	3208	Jnpfop32.exe	92
PID 972 wrote to memory of 4896	972	Meamcg32.exe	94
PID 972 wrote to memory of 4896	972	Meamcg32.exe	94
PID 972 wrote to memory of 4896	972	Meamcg32.exe	94
PID 4896 wrote to memory of 3580	4896	Mnnkgl32.exe	95
PID 4896 wrote to memory of 3580	4896	Mnnkgl32.exe	95
PID 4896 wrote to memory of 3580	4896	Mnnkgl32.exe	95
PID 3580 wrote to memory of 2080	3580	Micoed32.exe	96
PID 3580 wrote to memory of 2080	3580	Micoed32.exe	96
PID 3580 wrote to memory of 2080	3580	Micoed32.exe	96
PID 2080 wrote to memory of 2492	2080	Nobdbkhf.exe	97
PID 2080 wrote to memory of 2492	2080	Nobdbkhf.exe	97
PID 2080 wrote to memory of 2492	2080	Nobdbkhf.exe	97
PID 2492 wrote to memory of 5012	2492	Nhmeapmd.exe	98
PID 2492 wrote to memory of 5012	2492	Nhmeapmd.exe	98
PID 2492 wrote to memory of 5012	2492	Nhmeapmd.exe	98
PID 5012 wrote to memory of 224	5012	Nhpbfpka.exe	99
PID 5012 wrote to memory of 224	5012	Nhpbfpka.exe	99
PID 5012 wrote to memory of 224	5012	Nhpbfpka.exe	99
PID 224 wrote to memory of 2524	224	Nahgoe32.exe	100
PID 224 wrote to memory of 2524	224	Nahgoe32.exe	100
PID 224 wrote to memory of 2524	224	Nahgoe32.exe	100
PID 2524 wrote to memory of 4700	2524	Najceeoo.exe	101
PID 2524 wrote to memory of 4700	2524	Najceeoo.exe	101
PID 2524 wrote to memory of 4700	2524	Najceeoo.exe	101
PID 4700 wrote to memory of 2960	4700	Nlphbnoe.exe	102
PID 4700 wrote to memory of 2960	4700	Nlphbnoe.exe	102
PID 4700 wrote to memory of 2960	4700	Nlphbnoe.exe	102
PID 2960 wrote to memory of 3228	2960	Okedcjcm.exe	103
PID 2960 wrote to memory of 3228	2960	Okedcjcm.exe	103
PID 2960 wrote to memory of 3228	2960	Okedcjcm.exe	103
PID 3228 wrote to memory of 2436	3228	Oboijgbl.exe	104
PID 3228 wrote to memory of 2436	3228	Oboijgbl.exe	104
PID 3228 wrote to memory of 2436	3228	Oboijgbl.exe	104
PID 2436 wrote to memory of 4588	2436	Ohnohn32.exe	105
PID 2436 wrote to memory of 4588	2436	Ohnohn32.exe	105
PID 2436 wrote to memory of 4588	2436	Ohnohn32.exe	105
PID 4588 wrote to memory of 3616	4588	Phbhcmjl.exe	106
PID 4588 wrote to memory of 3616	4588	Phbhcmjl.exe	106
PID 4588 wrote to memory of 3616	4588	Phbhcmjl.exe	106
PID 3616 wrote to memory of 448	3616	Pefhlaie.exe	107
PID 3616 wrote to memory of 448	3616	Pefhlaie.exe	107
PID 3616 wrote to memory of 448	3616	Pefhlaie.exe	107
PID 448 wrote to memory of 1172	448	Peieba32.exe	108
PID 448 wrote to memory of 1172	448	Peieba32.exe	108
PID 448 wrote to memory of 1172	448	Peieba32.exe	108
PID 1172 wrote to memory of 1600	1172	Pkenjh32.exe	109

C:\Users\Admin\AppData\Local\Temp\5ea1e202d132cd02b15d5d3029d9e840.exe
"C:\Users\Admin\AppData\Local\Temp\5ea1e202d132cd02b15d5d3029d9e840.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\Bapiabak.exe
  C:\Windows\system32\Bapiabak.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\Ocmconhk.exe
    C:\Windows\system32\Ocmconhk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\Oiihahme.exe
      C:\Windows\system32\Oiihahme.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\SysWOW64\Fpodlbng.exe
        
        C:\Windows\system32\Fpodlbng.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
      - C:\Windows\SysWOW64\Jnpfop32.exe
        
        C:\Windows\system32\Jnpfop32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Meamcg32.exe
        
        C:\Windows\system32\Meamcg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Mnnkgl32.exe
        
        C:\Windows\system32\Mnnkgl32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Micoed32.exe
        
        C:\Windows\system32\Micoed32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Nobdbkhf.exe
        
        C:\Windows\system32\Nobdbkhf.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Nhmeapmd.exe
        
        C:\Windows\system32\Nhmeapmd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Nhpbfpka.exe
        
        C:\Windows\system32\Nhpbfpka.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Nahgoe32.exe
        
        C:\Windows\system32\Nahgoe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Najceeoo.exe
        
        C:\Windows\system32\Najceeoo.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Nlphbnoe.exe
        
        C:\Windows\system32\Nlphbnoe.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Okedcjcm.exe
        
        C:\Windows\system32\Okedcjcm.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Oboijgbl.exe
        
        C:\Windows\system32\Oboijgbl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Ohnohn32.exe
        
        C:\Windows\system32\Ohnohn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Phbhcmjl.exe
        
        C:\Windows\system32\Phbhcmjl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Pefhlaie.exe
        
        C:\Windows\system32\Pefhlaie.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Peieba32.exe
        
        C:\Windows\system32\Peieba32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Pkenjh32.exe
        
        C:\Windows\system32\Pkenjh32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Pcobaedj.exe
        
        C:\Windows\system32\Pcobaedj.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Piijno32.exe
        
        C:\Windows\system32\Piijno32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\Qhngolpo.exe
        
        C:\Windows\system32\Qhngolpo.exe
        25⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Qebhhp32.exe
        
        C:\Windows\system32\Qebhhp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Acfhad32.exe
        
        C:\Windows\system32\Acfhad32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Ahcajk32.exe
        
        C:\Windows\system32\Ahcajk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Aakebqbj.exe
        
        C:\Windows\system32\Aakebqbj.exe
        29⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Akcjkfij.exe
        
        C:\Windows\system32\Akcjkfij.exe
        30⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Alcfei32.exe
        
        C:\Windows\system32\Alcfei32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\Bombmcec.exe
        
        C:\Windows\system32\Bombmcec.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Bfgjjm32.exe
        
        C:\Windows\system32\Bfgjjm32.exe
        33⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Cjecpkcg.exe
        
        C:\Windows\system32\Cjecpkcg.exe
        34⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Ckfphc32.exe
        
        C:\Windows\system32\Ckfphc32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Cmflbf32.exe
        
        C:\Windows\system32\Cmflbf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\Cbbdjm32.exe
        
        C:\Windows\system32\Cbbdjm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Cmhigf32.exe
        
        C:\Windows\system32\Cmhigf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Djcoai32.exe
        
        C:\Windows\system32\Djcoai32.exe
        39⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Dpgnjo32.exe
        
        C:\Windows\system32\Dpgnjo32.exe
        40⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Ebhglj32.exe
        
        C:\Windows\system32\Ebhglj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Ebjcajjd.exe
        
        C:\Windows\system32\Ebjcajjd.exe
        42⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\Epndknin.exe
        
        C:\Windows\system32\Epndknin.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Embddb32.exe
        
        C:\Windows\system32\Embddb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Ejfeng32.exe
        
        C:\Windows\system32\Ejfeng32.exe
        45⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\Fikbocki.exe
        
        C:\Windows\system32\Fikbocki.exe
        46⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Fpejlmcf.exe
        
        C:\Windows\system32\Fpejlmcf.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Fjjnifbl.exe
        
        C:\Windows\system32\Fjjnifbl.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Fmikeaap.exe
        
        C:\Windows\system32\Fmikeaap.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Fipkjb32.exe
        
        C:\Windows\system32\Fipkjb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Fjohde32.exe
        
        C:\Windows\system32\Fjohde32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\Gbmingjo.exe
        
        C:\Windows\system32\Gbmingjo.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Gmdjapgb.exe
        
        C:\Windows\system32\Gmdjapgb.exe
        53⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Gkkgpc32.exe
        
        C:\Windows\system32\Gkkgpc32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Gdcliikj.exe
        
        C:\Windows\system32\Gdcliikj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Hpjmnjqn.exe
        
        C:\Windows\system32\Hpjmnjqn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Hibafp32.exe
        
        C:\Windows\system32\Hibafp32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Hgfapd32.exe
        
        C:\Windows\system32\Hgfapd32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:816
        
        C:\Windows\SysWOW64\Hlegnjbm.exe
        
        C:\Windows\system32\Hlegnjbm.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Hkicaahi.exe
        
        C:\Windows\system32\Hkicaahi.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Injmcmej.exe
        
        C:\Windows\system32\Injmcmej.exe
        61⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Iphioh32.exe
        
        C:\Windows\system32\Iphioh32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Ijqmhnko.exe
        
        C:\Windows\system32\Ijqmhnko.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Idfaefkd.exe
        
        C:\Windows\system32\Idfaefkd.exe
        64⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Jnjejjgh.exe
        
        C:\Windows\system32\Jnjejjgh.exe
        65⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Jcgnbaeo.exe
        
        C:\Windows\system32\Jcgnbaeo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4164
        
        C:\Windows\SysWOW64\Jnlbojee.exe
        
        C:\Windows\system32\Jnlbojee.exe
        67⤵
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Kdigadjo.exe
        
        C:\Windows\system32\Kdigadjo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1240
        
        C:\Windows\SysWOW64\Kggcnoic.exe
        
        C:\Windows\system32\Kggcnoic.exe
        69⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\Knalji32.exe
        
        C:\Windows\system32\Knalji32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4860
        
        C:\Windows\SysWOW64\Knchpiom.exe
        
        C:\Windows\system32\Knchpiom.exe
        71⤵
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Knfeeimj.exe
        
        C:\Windows\system32\Knfeeimj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Kdpmbc32.exe
        
        C:\Windows\system32\Kdpmbc32.exe
        73⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\Kmkbfeab.exe
        
        C:\Windows\system32\Kmkbfeab.exe
        74⤵
        
        PID:316
        
        C:\Windows\SysWOW64\Lklbdm32.exe
        
        C:\Windows\system32\Lklbdm32.exe
        75⤵
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Lcggio32.exe
        
        C:\Windows\system32\Lcggio32.exe
        76⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        77⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\Lkalplel.exe
        
        C:\Windows\system32\Lkalplel.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Lmbhgd32.exe
        
        C:\Windows\system32\Lmbhgd32.exe
        79⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\Lkchelci.exe
        
        C:\Windows\system32\Lkchelci.exe
        80⤵
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Lqpamb32.exe
        
        C:\Windows\system32\Lqpamb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        82⤵
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Lmgabcge.exe
        
        C:\Windows\system32\Lmgabcge.exe
        83⤵
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Mglfplgk.exe
        
        C:\Windows\system32\Mglfplgk.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Mjkblhfo.exe
        
        C:\Windows\system32\Mjkblhfo.exe
        85⤵
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Mepfiq32.exe
        
        C:\Windows\system32\Mepfiq32.exe
        86⤵
        Drops file in System32 directory
        
        PID:520
        
        C:\Windows\SysWOW64\Mkjnfkma.exe
        
        C:\Windows\system32\Mkjnfkma.exe
        87⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Mcecjmkl.exe
        
        C:\Windows\system32\Mcecjmkl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        89⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Meepdp32.exe
        
        C:\Windows\system32\Meepdp32.exe
        90⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Mmpdhboj.exe
        
        C:\Windows\system32\Mmpdhboj.exe
        91⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Mcjmel32.exe
        
        C:\Windows\system32\Mcjmel32.exe
        92⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Meiioonj.exe
        
        C:\Windows\system32\Meiioonj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        95⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Nelfeo32.exe
        
        C:\Windows\system32\Nelfeo32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Njinmf32.exe
        
        C:\Windows\system32\Njinmf32.exe
        97⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Nenbjo32.exe
        
        C:\Windows\system32\Nenbjo32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Nhmofj32.exe
        
        C:\Windows\system32\Nhmofj32.exe
        99⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Nlhkgi32.exe
        
        C:\Windows\system32\Nlhkgi32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Nmigoagp.exe
        
        C:\Windows\system32\Nmigoagp.exe
        101⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Nccokk32.exe
        
        C:\Windows\system32\Nccokk32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Nlkgmh32.exe
        
        C:\Windows\system32\Nlkgmh32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Ndflak32.exe
        
        C:\Windows\system32\Ndflak32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Njpdnedf.exe
        
        C:\Windows\system32\Njpdnedf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Oeehkn32.exe
        
        C:\Windows\system32\Oeehkn32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Ohcegi32.exe
        
        C:\Windows\system32\Ohcegi32.exe
        107⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Omqmop32.exe
        
        C:\Windows\system32\Omqmop32.exe
        108⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Odjeljhd.exe
        
        C:\Windows\system32\Odjeljhd.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Olanmgig.exe
        
        C:\Windows\system32\Olanmgig.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Omcjep32.exe
        
        C:\Windows\system32\Omcjep32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Odmbaj32.exe
        
        C:\Windows\system32\Odmbaj32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Oobfob32.exe
        
        C:\Windows\system32\Oobfob32.exe
        113⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        114⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        118⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        119⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        121⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        122⤵
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        123⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        124⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3032
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        126⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        131⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3804
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        134⤵
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        135⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        137⤵
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        139⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1336
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1088
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        145⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        146⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        149⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        151⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        153⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        156⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:416
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:364
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        160⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        161⤵
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        162⤵
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        164⤵
        
        PID:632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 232
        165⤵
        Program crash
        
        PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 632 -ip 632
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakebqbj.exe

Filesize
117KB

MD5
60621575eaa6dd7494a2cc9b0efb0ed1

SHA1
056cfb14043bf6ae4100815e1958f5c63c6167ba

SHA256
5e8813a24a45bb3d56e09dbecccc436e6ab4cf29d4a1e08a43f711afdc4f8a2a

SHA512
1dba5280397733449bad5f594c3f4bce426cdbb9d6ab4636af5ea0f8a4d1b4f99698b3e715aaca1f417df9f84f1d3bd1546a95fb591fe03ee08f52d104511bf8

Download Submit
C:\Windows\SysWOW64\Acfhad32.exe

Filesize
117KB

MD5
f5157d841706693d9f6944b28c7d23b9

SHA1
649d89a82d6754752b7862d5bd22b08cf85a53ba

SHA256
0e91f5d86426bc30757287be51cb68e564e0d6ccf573217e90ad8ec30791b3e9

SHA512
4bce3333b199e1aff2e974b0b01c45c6a696e648fcd4c1c76ec1049a428358f4540cc2d5d22f8bdee883dda5af6a3fb824a9e523bcda4e706f86b8375fb0e414

Download Submit
C:\Windows\SysWOW64\Ahcajk32.exe

Filesize
117KB

MD5
0b0856cb1ff96ff2745a7f7f7ff6dd44

SHA1
d01700dd7f3ca27d4fc7900ab9725c0a8da19987

SHA256
aaa82ed1b2cab92d531afe0afdf5ecf655e6c9ef754c5372e7c77cde4bf73933

SHA512
14b3d41f9b529f3474490b88f365bc8765a5263221530969e921a6e9df70b5a4911a3caa36a02e0f1cb41b79bc1165056b18b97362120688a2a50dc1ca8012dc

Download Submit
C:\Windows\SysWOW64\Akcjkfij.exe

Filesize
117KB

MD5
d00a46c78e8edeac71b300a760371f31

SHA1
716005e31e5dec8f94a01d3600102bc84e185d4e

SHA256
ab0c2bcdf6c9f39cc55f8d253acae93c35625ae60459503a7b09fe57b08ac74d

SHA512
293e5e2d6084a66d080d8c286f5c221fd413c16b3437ddd04d6c9e6a1201cfcb768e079fcc0cb648bdf75fda4978645e0b0457ab867a832b9e068a81060a2932

Download Submit
C:\Windows\SysWOW64\Alcfei32.exe

Filesize
117KB

MD5
8aa3f9b60f11ebbbffcee7cd795c9baa

SHA1
93e031b3a91987eb9fce0a9ea9a0e51162f381aa

SHA256
3456cffe7c246be31bfc37f39efa26ab0c1590f816955c6a1e67e0d04c5db731

SHA512
37e80c3e4cd10be141f6808edaed4a39a95cee4b3b046520015c8bb0fb2459147a451766f389e79da8398e975994fb805ad5cc7497206e63f3a61017259e0a51

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
117KB

MD5
2d21c39e154585d43de0e77dc33b3a79

SHA1
14ec732b14158085204e3aeb4493a177ab993342

SHA256
12c30118ecbf9cf8c82aecc8e3379987d9ea1ba849511086bba2fd6d653b415c

SHA512
605149ec80e66b222d157653950aabf88fceadd8dd265fdeda42256fb3578c4edf36f987bfdd25b090f4ec518fb2797da48d2c740eb79a34d3eb5c4abfc00b6c

Download Submit
C:\Windows\SysWOW64\Bfgjjm32.exe

Filesize
117KB

MD5
b5e01d66764cec6d54bb17263792162a

SHA1
e12d246eaf4f4932b7ae5d7a821d299bc127d626

SHA256
f3a1ba23d09fa9664669c17949826df8cf73faea3df8ece440f8bd001f9d86ea

SHA512
97d3a548bafea6bd109564a231b5fabff32294bdf901a85691d6036283486171392c24350213aa9bca4d2b99cc8343de577fc268ea2c7872d08cb2c14414a44d

Download Submit
C:\Windows\SysWOW64\Bombmcec.exe

Filesize
117KB

MD5
1a01f8ac6e7cb3b66a2452657c50c30d

SHA1
ee75809c3d27abca979f77cdd3c1bdacdbc47244

SHA256
74a110a8256292fb468a019195d06202a9ef67489fabf2f21c801250a42a3b63

SHA512
1c6514b4947c31673e4334fa1a7df18866977569ec827002e3767e51c333de33115237fac7d8a0f53f6fa67041f46a612a5c1dd183822d43ef4fb2cd56e18828

Download Submit
C:\Windows\SysWOW64\Djcoai32.exe

Filesize
117KB

MD5
6036ed5899563a36936d0dff08858a7c

SHA1
cee4a1f782987321f3323a4985f99d5bc5d09a35

SHA256
cd44b6dedfcabeaa5115d16a952c0e327e2c52a5d9b1fe5f2b9adb3c03a92576

SHA512
3c9934c24917faa432a11f4977b0c340f83a9277c400b2195bcabe6bec088ae539cd417abceab6c4a0b13fa7a62b776b98d474c541928fe84c802a8440c010c9

Download Submit
C:\Windows\SysWOW64\Epndknin.exe

Filesize
117KB

MD5
f7af327473fc704d9a0d1a7a31a0a2b6

SHA1
fc3537f0cc177685a076137702f746172de8df90

SHA256
1a2df97776845edd55c6ee826f2e1030b9e8377247c5c3902a153d6c5e9f288b

SHA512
fa6b67ea8dec91b771b336e18289c55e2a1cf26af2b99c7453e3f290aebd58223ca5c374b00ff386dbc33d7c49d7b2c542bd6d1bbffa0ea7e2f3faad0cd0e6b5

Download Submit
C:\Windows\SysWOW64\Fpodlbng.exe

Filesize
117KB

MD5
085d1c255bf19a4f16911a1c8aaa517d

SHA1
d29af1120d971702649a0a30e7c3f1de336bad44

SHA256
818080629776f3e7e2321647cb2c8e125120a0f3758bd84060b82fac53abb8a6

SHA512
6b540d74f86d3dc89a8735b38ceda8c994062f9086c7a7ea8bba25eed54c57a1b8386aa3e0e4160cfe0c0a69319f09484727df35d4defd91f298846c1b78343e

Download Submit
C:\Windows\SysWOW64\Gmdjapgb.exe

Filesize
117KB

MD5
15dd638f2c5bc57655c07648afc0f4c3

SHA1
df0c893109546d82668557c8f708f62f3a72a95d

SHA256
acd056da90cd51d076de2da0994bf3583e79cc959b646ba8c696eaa4fb7fbee3

SHA512
1a947593c9a72a5f46827e7d4fa7a4ce82136dcc9d51ec429417683a2585b1f4b6f0202a7e9d59729f77be459b24e9bd089a3fd23642ee903c59e3b9bb5cedc0

Download Submit
C:\Windows\SysWOW64\Jnpfop32.exe

Filesize
117KB

MD5
c74a99ea329b4da1fe71ffcffe7d52fb

SHA1
b65c80cd25ac5e61e626537a60c40606b13e5951

SHA256
654674ff451fef04be8ff23ab1f75c7a4080b782f4cd299dd741f5cd6dc88897

SHA512
bd050429dcefba48bb46bac31b32ff8ba6d4813e9feb9e9843f3ec36d6c7e94f3ca1030e8161dcad5f9545b6f67ee150af1196ec7e12e8656474e560d7b41918

Download Submit
C:\Windows\SysWOW64\Loolpf32.dll

Filesize
7KB

MD5
8f035c130f45ad72e1467695c79ff4dc

SHA1
108c9090a78aebac0e2c458ff095167239591455

SHA256
6b811d130721d352c3000bca48f2ab997f4562a4c6cf0f88a909fd05d0f3e90a

SHA512
adf47f300d469959dd25054c2309ef87251029605e6a051785b72fd58ffe0a4efe0a0e69d6d9e19f00489122195fb937ebf18136ee1c39143b7c6c947300ee37

Download Submit
C:\Windows\SysWOW64\Meamcg32.exe

Filesize
117KB

MD5
05085e4edf6578e0b00af2fd61e9402e

SHA1
4ab039ecaa5eac3860245dc8cb38fe712db938af

SHA256
9182231c1adb534e7aab2872f165e814000fc651c51ad222c9b1708ea2b284b0

SHA512
977553b4cb339a52417eb3fa0de7e2a88369b924d681b44ee2aa95471bfde101c668d14948db1dd23251c206647885a16c528627ebf4b350865f7a665499a02f

Download Submit
C:\Windows\SysWOW64\Micoed32.exe

Filesize
117KB

MD5
431015962ebdea415aa5400a51bf8ade

SHA1
ecf180483ea1c615b03627fe7ed2624271c338d0

SHA256
b55d454f1cb88738484437e13100436b98eb01db498eacce915e66694c74968d

SHA512
e6ae534a47d3ff0c3cd819a65b90aa2c0a32fa531be7419102e88f16b0ba230b3f835c1701cac5234c18bd102430cbe45e0841c846ddfbfae311172a5787b483

Download Submit
C:\Windows\SysWOW64\Mnnkgl32.exe

Filesize
117KB

MD5
e5342035d5baef62a4f2f0d0ad72fa28

SHA1
e882af7b90ca7c3091805780c44e01eca2b687a8

SHA256
8b6b4b037dd508fb0422b4f5da81a885f0a651ec1ad74819e3c7d8e51f8b5be9

SHA512
aac937d21403e25d51dc2aa30cec5032a91e5e21de41f7bd37018aac391ecad8907a0274db3541a6bb2226eeafd9a9edd0508e627514b3510e710a9084a5c7d8

Download Submit
C:\Windows\SysWOW64\Nahgoe32.exe

Filesize
117KB

MD5
10ad90efb83629eab56a80ccb81cb9a0

SHA1
4dd53d2cd783396a56570feca98713fd7f351367

SHA256
bce05ef0a65ba00a034b09bc565f0b99bd97bc82434e991be57a357b8ab460bc

SHA512
6fbe66f3aeb64ab98f92d2e3629cc50c5cdb9293b25ca4476d7b4fcd7bb6368ef906ae26a9c9bde8b85938456241ceb0b2829168cb62b691dbd78cafbdfd8301

Download Submit
C:\Windows\SysWOW64\Najceeoo.exe

Filesize
117KB

MD5
d097621424ed925b4c013519c6a043a1

SHA1
1e242669a57668d74ca31dc9d030f90088834116

SHA256
5616fa0df6e1e54fefd02da6cbb0dbe9452af53b49beb1c20d8c8c49aa30297f

SHA512
882de3904d72e54642590d2d5e2adbc792c7179665aa9f24057bcb0b7c6513cb86b68a73d88af1f9d35fcd1f272434e333a2d53655f01c76cdb746045afa9afc

Download Submit
C:\Windows\SysWOW64\Nhmeapmd.exe

Filesize
117KB

MD5
1de224e491e22d6c65e67cf1b2919534

SHA1
1b1898c002333343ee0dc7625be4ac0f2de5565a

SHA256
31ac1060ac730167a52d94c60c06e7c61587be2ae85bbfc92cdfda8b673eed67

SHA512
ffd0e37c3db3650e682fc083ad3b6d3707a65e1738e5cfd9a8b54b53195f080e3caa0b9258a01e5bc20f980bf966f274e384799ab58832970072e82ceb6d2b9f

Download Submit
C:\Windows\SysWOW64\Nhpbfpka.exe

Filesize
117KB

MD5
b5e52b9ca3b523a83a5b32c1d677f0f7

SHA1
84cbd9b0712c17a65aa6d5c42ed041142d998eef

SHA256
16492752260bd0990fa9b18021f3b23ce047eee37fabcfe1ef917c5f5411dfb1

SHA512
6166661875074c4a91ded231b516b507824c44eec99de9cdb69adef7ea91e4835c3b14a3a3c8606349121c7ce2920b3db59fe0a2270023bc94c290da54c4fa92

Download Submit
C:\Windows\SysWOW64\Njinmf32.exe

Filesize
117KB

MD5
2baa872f9b4422366944dfb3786f8483

SHA1
72c304da6a644697ae017970e5450c48c9c53671

SHA256
931252fb4f4e243066ffd9c5d1e8989c2b0dd11e4a766f6e4d7d53031eb36aa1

SHA512
973b41a32186fb3369151beebfbbc84e32d5ac33f2944342f594d0b2f82add027ab83d6cd5e278c124d9b6ab0a20f5083d398a0987642796d9230816c84079f8

Download Submit
C:\Windows\SysWOW64\Nlphbnoe.exe

Filesize
117KB

MD5
0d1e9af78464bb754e250fe200cd1559

SHA1
2f57efd718799695b3b971023830a60a8e68b32e

SHA256
e2ea2f211f86b42953a79b889f559e8abdb61b50a06722d27e3c837e2a6adc05

SHA512
1af6e0b5e4fa1a8f5207fbd31897e06a4d926dde3774adb1477922b595cd5d02acb5ab112ee9ada33c9e606d3745b319dbb51b98e06b810f9063d6c8b0bb1ff0

Download Submit
C:\Windows\SysWOW64\Nobdbkhf.exe

Filesize
117KB

MD5
5ae519c6944d22499b884edf3dff8e56

SHA1
21e0aa5fd2d81c183acb97606707bca51107e382

SHA256
91f52abc2b95de7c070a5af25dbe8e361e55e6f1a59a72889012d23b0cffc328

SHA512
6e0ea3d924a9cffb51fd8b311bafa209a5e9b4112d3bc53b19a203f29cb5a588c9edbc999fc045bfd9eaad3ad2cef2a32b0af1372cd77a163bca427ec0882076

Download Submit
C:\Windows\SysWOW64\Oboijgbl.exe

Filesize
117KB

MD5
a4e8bb169a2b3d3e2c9bfcdeac31b00d

SHA1
7d9b97a3c20300354b2010aece6710d9f6c9d317

SHA256
41133ab6b11ca18cc0fa9269ce496b46291205db39f367dfc7765c3d48c24837

SHA512
1367f274eaba37d02fb01a5e055cf0a64d98e0fbfa5f36b1e75c0f09d7234da773035a0fd9f965b0b7e3d3829bd92e6aedc5ec9375133bee2ba40dc0fc6b3f1b

Download Submit
C:\Windows\SysWOW64\Ocmconhk.exe

Filesize
117KB

MD5
8fdf95d93d6a7fd7238ce7fb298527f0

SHA1
7a012081d1822ec303bb3649aca2bbb12d627a85

SHA256
518f229016e3a2be52aa0ab34d665b64de3d70225ddbcaf799a443dbfb031403

SHA512
898f2d647ef28a432f4cdecd4abfeeb01806def97217f85167ffb4d3aa20385a14289355aa63cb08225e8357e8890f0175df83a3daa45c0348cb04cccaaa92e3

Download Submit
C:\Windows\SysWOW64\Ocmconhk.exe

Filesize
117KB

MD5
933d193d2272392e3d3e05438634d31d

SHA1
a3acb4de663228e3f3f7077ea13c7d97d99f52dc

SHA256
2370575ef207896cb4fc20b8590bab232e15375f6256c66a1ab5fc43152ca623

SHA512
e7e1a7454887dcd38e5cc5cee7d091476829c7ddb701a7c078669821b04c3f9aa56518720daf42345bad4cb8eeafcfcf25ebc323c9173b6f588c070a42840436

Download Submit
C:\Windows\SysWOW64\Ohnohn32.exe

Filesize
117KB

MD5
1a5b81d8eb77541de557fbcee3b0d47a

SHA1
e366524062a98e74925cbbadad2dce7602baadf4

SHA256
4ebc83af20ea6f8b3e57e82813cd4e8eb02705481d1b156a0d5c24dca51045ac

SHA512
6858a9e37becf3b8f79a97a2ec5f2f76d1bd8432ddd21b2da3a60a4088e1f8626a7ee3e04199a3423ab2949fbcab52abc7e0bb160626984fa55eeff9100a09de

Download Submit
C:\Windows\SysWOW64\Oiihahme.exe

Filesize
117KB

MD5
9a5af2755bc5d7f25642c9a39bbf1fc6

SHA1
35afa529f37a219a81b905aabc2b74a0bd3d1c9e

SHA256
f41fc971b131240a39ad566c34d89ba840b33858f43b5e2bb34d934b7b1d389b

SHA512
a5e32089537d5740e99f2e0b6205b170fc02fc9dff08ddbf63d91c5562777f9bf15023a1a6ba1dbdd57ec26c61a609f03e6d6dd775ec20540295bd5b753e0bc9

Download Submit
C:\Windows\SysWOW64\Ojcpdg32.exe

Filesize
117KB

MD5
1dcc0ae7b993b38e9c9fd8c36bf7b01a

SHA1
5531d3cf4dae2f45eafbb783d2514390e9c76337

SHA256
cf0a2cc37e82ac7da75eb2af65797c2f7cedecd9674ee58a75e8cf54f1a7a8d5

SHA512
a0a4f63e5c9583baf44cc73d45e684cf14b6a9467efd36fce11529b7faac4779a4bc91ddbbf1553153d1e5d4ff58034389679a885819755125297636066c6af5

Download Submit
C:\Windows\SysWOW64\Okedcjcm.exe

Filesize
117KB

MD5
e12e5df3e17b7456ef0358b0a1a88028

SHA1
e25dfe5207b8d15be332d9411866b88d0d36f14e

SHA256
c198c3f1673dfeb520e684584de83480cad837c3d9bd0f9edb88006fbbd919ac

SHA512
870d8a47b7fb054078d07b1c06b9cbb4b073fc6cc7a029cc8ac7bd2b492293f55749be5cef9a4506de428fae61b212b2a39b49ca6904e5247eafcbd55a4aa22f

Download Submit
C:\Windows\SysWOW64\Pcobaedj.exe

Filesize
117KB

MD5
289317e40555d9b0e4df99dc48697207

SHA1
f5f2d3569da0140712c3881cb6b024e7c5457f85

SHA256
fd9de56ea06ad6e0ae8006fa604c6aef0518b91ff91a443a5eba7348e2f0c57d

SHA512
78359614bab5590f14dba119470ec096ec9f00ba26521a1a3f87b1565573d587574e8f58ac99a485ae4f707a191b8daf651565c3b9c88145c50817de80616e41

Download Submit
C:\Windows\SysWOW64\Pefhlaie.exe

Filesize
117KB

MD5
2db6b5c3213fe7d680e5ba001d73a338

SHA1
8618c79f41538c70c44beb6818351e0eb1e57066

SHA256
709ab80378c33adaa7ab51e24fd04154298d80c5b491c1e912e4360364f75173

SHA512
359cb48517253829d4c23e913626a8d9e81ab78cbc64231bde43f015ae20510d6ac0af548dae77d4a4370290f6353c746da385622f3985125e66aaacfc306949

Download Submit
C:\Windows\SysWOW64\Peieba32.exe

Filesize
117KB

MD5
f8e990e72a425e6456d76fea7a450f9a

SHA1
2b8ade9390d3595c93d8b1be14775a89b13d8a13

SHA256
e9295badd59a954ec74a5f7ccb54fe7dc6c5b1f509b1e35fe5374776b4ff28ca

SHA512
6e9907994c5594b2bdb29c2a304debf9859f2011af7608cddbbedd0c55c8605d5e7009c7ef35eb7ec268d315346131e6ed6bcf7fb72f2e2f8983f6cb92d3d5f5

Download Submit
C:\Windows\SysWOW64\Phbhcmjl.exe

Filesize
117KB

MD5
b7ecf1390cb730dd8c8ba877f0d8d59a

SHA1
ef6991cfb93ef4c2f42a830b31ff6edfd5b9cfdd

SHA256
1bc4f59f016c4abaeea0bf18bf907bf4d2d606c657d61bd6eadf52966624894d

SHA512
06d1b962e6c07d5616b7f26132e046cf1f26ade86dd1329badb1e1f049b0cd86b2555675bd14764c91617804311ceebe62da22e6408897f1c38f9f923279302b

Download Submit
C:\Windows\SysWOW64\Piijno32.exe

Filesize
117KB

MD5
7fc07639617e596ff866094e776b7067

SHA1
fa53b99c0d88091a2d142d2559e702e4f4c94e76

SHA256
a18c2a4c4eefbb7f752db518f184ff17f3f49a8b472d922b1b37dff62f758ea2

SHA512
e346b0f31bb6a64dc74e6b83e59b38c3ce6d29e3f45b268f07b87e6ad00d54a4e7edd36701ff5d6661ee830b58885de9e39f08e71d12bb276db5097527ac1e40

Download Submit
C:\Windows\SysWOW64\Pkenjh32.exe

Filesize
117KB

MD5
58ca0bdb62d5c5179c48900ab923d95d

SHA1
649af0751ba302871d883fa2df10e374ba718cf9

SHA256
e39663439232fa4a620acbe9b9d4c7ec2d3276fb137a0d6c32e6a493b0516307

SHA512
46e87e8d067fb5436e0d310b1e0ed6a801be2c52b84cb7e4e6280a244c35f80753a8a906d4e0e024f20279139cb4a2cc17e3203083c0894dc8a9365fe59657f9

Download Submit
C:\Windows\SysWOW64\Qebhhp32.exe

Filesize
117KB

MD5
a8c1a437c28330b93e457b0e4e21d2a1

SHA1
1f96f190370584b359404e8f22ff87e14f8e20c4

SHA256
df38d2e78f8ac605472fd13cfa179919eb74748192786fb687505e3f2afb4310

SHA512
ab99bde18d0a1186c17ac6a0cf11122507eafb8de5f4fca25f66ca22ef3a1fb5fe7ef7d520868133d332a9593395e4f0b919d943e5da7265c7773a027c535714

Download Submit
C:\Windows\SysWOW64\Qhngolpo.exe

Filesize
117KB

MD5
a9e3b26eb8aed53bc9eafacf70a6a98e

SHA1
21b8f9b3294a4f06bad8c633849f04abd5e42f7e

SHA256
8cc9b916eb9187c29903bf8aef51924b55928f58d7f8296dad9eaa0128deb003

SHA512
ad6a35e3a5d6eb6db3553519eb9a6531111febf5549f1df6bbecbd2fd23c97b00fb651a9b6099224982bbbd2ef894a41a2d4eadb276739a46615b0cc1cdc645a

Download Submit
memory/224-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/444-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/448-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/460-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/556-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/740-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/816-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/960-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/972-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1060-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1100-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1172-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1468-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1480-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1600-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1744-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1776-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1812-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1840-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1872-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1932-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2436-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2672-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2944-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2980-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3032-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3416-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3616-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4036-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4312-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4572-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4588-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4600-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4620-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4624-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4700-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4784-439-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5012-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5076-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5096-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5104-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads