f30d4ded39e522238f438bab780c480ea5b6152fac5abaaa8eedcd9005ca4147

Analysis

max time kernel
137s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

215301fdd66aa68d896355295e470d97.exe
Size

276KB
MD5

215301fdd66aa68d896355295e470d97
SHA1

2f7fde3acafe29426d599dff8e56e876bb032c10
SHA256

f30d4ded39e522238f438bab780c480ea5b6152fac5abaaa8eedcd9005ca4147
SHA512

80ad42a98b51610fe6be222b4e08187deadcf6ea2425f9404d969db44dd3b1d9514862feb40a43cf54ca2da3519a14c097f2de9c629cc5aac9cfe1d3b8f3b2cd
SSDEEP

6144:bDgnmx0SUidWZHEFJ7aWN1rtMsQBOSGaF+:bDB1J2HEGWN1RMs1S7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meiioonj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odhifjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmohno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afcmfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blnoga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnindhpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Popbpqjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebjdgmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efblbbqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hedafk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmpmnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aamknj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbbnpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkhnjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebdcld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eokqkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efgemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gikdkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmaamn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjokgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadiiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coadnlnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpdegjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekkkoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoideh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eokqkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmojkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coadnlnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpdegjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbbffdlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiloco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnoiqdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lobjni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlmkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckclhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbbnpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbnmke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkhnjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bllbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anclbkbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkjiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffcpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnahdi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dndnpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljhnlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eppjfgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpnfge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	215301fdd66aa68d896355295e470d97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnkpnclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdlqqcnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chqogq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmkqpkla.exe

Executes dropped EXE 64 IoCs

pid	Process
4844	Mminhceb.exe
2940	Mjokgg32.exe
1316	Malpia32.exe
1440	Meiioonj.exe
4720	Napjdpcn.exe
452	Nlfnaicd.exe
3280	Nabfjpak.exe
1852	Nnkpnclp.exe
712	Odhifjkg.exe
4616	Odjeljhd.exe
2616	Ojdnid32.exe
3224	Oobfob32.exe
1636	Odalmibl.exe
316	Omjpeo32.exe
1512	Phodcg32.exe
1520	Pmlmkn32.exe
3932	Phaahggp.exe
3952	Pefabkej.exe
3600	Phfjcf32.exe
2640	Popbpqjh.exe
3264	Qlgpod32.exe
4928	Qeodhjmo.exe
5008	Qklmpalf.exe
4408	Aeaanjkl.exe
4888	Aknifq32.exe
4244	Anmfbl32.exe
4748	Ahbjoe32.exe
732	Alpbecod.exe
3392	Aamknj32.exe
4312	Anclbkbp.exe
1076	Alelqb32.exe
4120	Baadiiif.exe
2632	Bkjiao32.exe
2960	Bnhenj32.exe
1800	Bebjdgmj.exe
2332	Bllbaa32.exe
4584	Bahkih32.exe
1952	Blnoga32.exe
1476	Bffcpg32.exe
2096	Ckclhn32.exe
3552	Cnahdi32.exe
4108	Cdlqqcnl.exe
4588	Coadnlnb.exe
3212	Chiigadc.exe
4128	Cbbnpg32.exe
4488	Cnindhpg.exe
4376	Cfpffeaj.exe
4248	Cohkokgj.exe
3588	Chqogq32.exe
1004	Dnmhpg32.exe
3724	Dfdpad32.exe
3220	Dmohno32.exe
4936	Dnpdegjp.exe
4396	Dbkqfe32.exe
4308	Dmadco32.exe
4168	Dbnmke32.exe
3968	Dmcain32.exe
2356	Dndnpf32.exe
3256	Dflfac32.exe
2424	Dkhnjk32.exe
4956	Dbbffdlq.exe
2252	Eiloco32.exe
2492	Ekkkoj32.exe
4568	Ebdcld32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Dgeofeib.dll	Odhifjkg.exe
File opened for modification	C:\Windows\SysWOW64\Dmadco32.exe	Dbkqfe32.exe
File created	C:\Windows\SysWOW64\Mhcmcm32.dll	Dbkqfe32.exe
File opened for modification	C:\Windows\SysWOW64\Mfqlfb32.exe	Mqdcnl32.exe
File opened for modification	C:\Windows\SysWOW64\Afockelf.exe	Apeknk32.exe
File created	C:\Windows\SysWOW64\Aqhblk32.dll	Phodcg32.exe
File created	C:\Windows\SysWOW64\Popbpqjh.exe	Phfjcf32.exe
File opened for modification	C:\Windows\SysWOW64\Eoideh32.exe	Emjgim32.exe
File created	C:\Windows\SysWOW64\Bomfgoah.dll	Malpia32.exe
File created	C:\Windows\SysWOW64\Ockkandf.dll	Popbpqjh.exe
File created	C:\Windows\SysWOW64\Amoljp32.dll	Aknifq32.exe
File created	C:\Windows\SysWOW64\Bffcpg32.exe	Blnoga32.exe
File opened for modification	C:\Windows\SysWOW64\Omjpeo32.exe	Odalmibl.exe
File created	C:\Windows\SysWOW64\Iahici32.dll	Baadiiif.exe
File created	C:\Windows\SysWOW64\Cnindhpg.exe	Cbbnpg32.exe
File created	C:\Windows\SysWOW64\Fpkibf32.exe	Fmmmfj32.exe
File created	C:\Windows\SysWOW64\Bpenhh32.dll	Eiekog32.exe
File created	C:\Windows\SysWOW64\Ojdnid32.exe	Odjeljhd.exe
File created	C:\Windows\SysWOW64\Nqdmimbf.dll	Goglcahb.exe
File opened for modification	C:\Windows\SysWOW64\Dbnmke32.exe	Dmadco32.exe
File opened for modification	C:\Windows\SysWOW64\Efgemb32.exe	Epmmqheb.exe
File created	C:\Windows\SysWOW64\Gpnfge32.exe	Gmojkj32.exe
File opened for modification	C:\Windows\SysWOW64\Jofalmmp.exe	Jmeede32.exe
File created	C:\Windows\SysWOW64\Paenokbf.dll	Afcmfe32.exe
File created	C:\Windows\SysWOW64\Fpimlfke.exe	Fmkqpkla.exe
File created	C:\Windows\SysWOW64\Fmkqpkla.exe	Fechomko.exe
File created	C:\Windows\SysWOW64\Cnnbme32.dll	Gihgfk32.exe
File created	C:\Windows\SysWOW64\Baadiiif.exe	Alelqb32.exe
File created	C:\Windows\SysWOW64\Jenmcggo.exe	Hmkigh32.exe
File created	C:\Windows\SysWOW64\Hedafk32.exe	Gojiiafp.exe
File opened for modification	C:\Windows\SysWOW64\Mmpmnl32.exe	Mfqlfb32.exe
File created	C:\Windows\SysWOW64\Ggiabl32.dll	215301fdd66aa68d896355295e470d97.exe
File created	C:\Windows\SysWOW64\Abjfai32.dll	Anclbkbp.exe
File created	C:\Windows\SysWOW64\Ibkgme32.dll	Oobfob32.exe
File opened for modification	C:\Windows\SysWOW64\Pmlmkn32.exe	Phodcg32.exe
File opened for modification	C:\Windows\SysWOW64\Fbelcblk.exe	Ebnfbcbc.exe
File opened for modification	C:\Windows\SysWOW64\Eiekog32.exe	Mmpmnl32.exe
File created	C:\Windows\SysWOW64\Qjfpkhpm.dll	Gcghkm32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgihaji.exe	Fpimlfke.exe
File created	C:\Windows\SysWOW64\Amkhmoap.exe	Ajmladbl.exe
File opened for modification	C:\Windows\SysWOW64\Bnhenj32.exe	Bkjiao32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcain32.exe	Dbnmke32.exe
File created	C:\Windows\SysWOW64\Lifcnk32.dll	Gjaphgpl.exe
File created	C:\Windows\SysWOW64\Npdpachh.dll	Dbbffdlq.exe
File opened for modification	C:\Windows\SysWOW64\Phodcg32.exe	Omjpeo32.exe
File opened for modification	C:\Windows\SysWOW64\Alelqb32.exe	Anclbkbp.exe
File created	C:\Windows\SysWOW64\Cfpffeaj.exe	Cnindhpg.exe
File created	C:\Windows\SysWOW64\Gimqajgh.exe	Goglcahb.exe
File opened for modification	C:\Windows\SysWOW64\Lobjni32.exe	Ljeafb32.exe
File created	C:\Windows\SysWOW64\Pefabkej.exe	Phaahggp.exe
File opened for modification	C:\Windows\SysWOW64\Afcmfe32.exe	Adepji32.exe
File created	C:\Windows\SysWOW64\Nbbeml32.exe	Eiekog32.exe
File created	C:\Windows\SysWOW64\Ccegpn32.dll	Mmpmnl32.exe
File opened for modification	C:\Windows\SysWOW64\Phaahggp.exe	Pmlmkn32.exe
File opened for modification	C:\Windows\SysWOW64\Amkhmoap.exe	Ajmladbl.exe
File opened for modification	C:\Windows\SysWOW64\Odjeljhd.exe	Odhifjkg.exe
File created	C:\Windows\SysWOW64\Bpmhce32.dll	Emjgim32.exe
File created	C:\Windows\SysWOW64\Phodcg32.exe	Omjpeo32.exe
File opened for modification	C:\Windows\SysWOW64\Alpbecod.exe	Ahbjoe32.exe
File created	C:\Windows\SysWOW64\Chnidloo.dll	Bffcpg32.exe
File opened for modification	C:\Windows\SysWOW64\Ljeafb32.exe	Lmaamn32.exe
File created	C:\Windows\SysWOW64\Gqkhda32.exe	Gjaphgpl.exe
File created	C:\Windows\SysWOW64\Eokqkh32.exe	Efblbbqd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5768	684	WerFault.exe	225

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gimqajgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Popbpqjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmlmkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anmfbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjmpfcl.dll"	Dkhnjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higplnpb.dll"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhihhecc.dll"	Bnhenj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngidlo32.dll"	Lmaamn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnkpnclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaakdpkj.dll"	Odjeljhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnbme32.dll"	Gihgfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bebjdgmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmohno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eoideh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjkaabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojdnid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qeodhjmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhpjc32.dll"	Chiigadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfqnichl.dll"	Ckclhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidalg32.dll"	Dmcain32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fechomko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhdjbno.dll"	Bebjdgmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigbqakg.dll"	Eifaim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpbpbecj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alpbecod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnpdegjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebnfbcbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqglioac.dll"	Meiioonj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khliclno.dll"	Phfjcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aknifq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojdnid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnindhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgqoll32.dll"	Johnamkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbijb32.dll"	Nnkpnclp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeaanjkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpapmqq.dll"	Dbnmke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjcgjio.dll"	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhejhfp.dll"	Jmeede32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopnfa32.dll"	Pefabkej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfcklij.dll"	Cdlqqcnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gldglf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmmaj32.dll"	Gimqajgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odjeljhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phodcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmeddp32.dll"	Alelqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afcmfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnkpnclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmlmkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbbjj32.dll"	Eiloco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glkmmefl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aknifq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cohkokgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmpmnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qlgpod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekkkoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ankkea32.dll"	Eokqkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljeafb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 4844	2604	215301fdd66aa68d896355295e470d97.exe	87
PID 2604 wrote to memory of 4844	2604	215301fdd66aa68d896355295e470d97.exe	87
PID 2604 wrote to memory of 4844	2604	215301fdd66aa68d896355295e470d97.exe	87
PID 4844 wrote to memory of 2940	4844	Mminhceb.exe	88
PID 4844 wrote to memory of 2940	4844	Mminhceb.exe	88
PID 4844 wrote to memory of 2940	4844	Mminhceb.exe	88
PID 2940 wrote to memory of 1316	2940	Mjokgg32.exe	89
PID 2940 wrote to memory of 1316	2940	Mjokgg32.exe	89
PID 2940 wrote to memory of 1316	2940	Mjokgg32.exe	89
PID 1316 wrote to memory of 1440	1316	Malpia32.exe	91
PID 1316 wrote to memory of 1440	1316	Malpia32.exe	91
PID 1316 wrote to memory of 1440	1316	Malpia32.exe	91
PID 1440 wrote to memory of 4720	1440	Meiioonj.exe	92
PID 1440 wrote to memory of 4720	1440	Meiioonj.exe	92
PID 1440 wrote to memory of 4720	1440	Meiioonj.exe	92
PID 4720 wrote to memory of 452	4720	Napjdpcn.exe	93
PID 4720 wrote to memory of 452	4720	Napjdpcn.exe	93
PID 4720 wrote to memory of 452	4720	Napjdpcn.exe	93
PID 452 wrote to memory of 3280	452	Nlfnaicd.exe	94
PID 452 wrote to memory of 3280	452	Nlfnaicd.exe	94
PID 452 wrote to memory of 3280	452	Nlfnaicd.exe	94
PID 3280 wrote to memory of 1852	3280	Nabfjpak.exe	95
PID 3280 wrote to memory of 1852	3280	Nabfjpak.exe	95
PID 3280 wrote to memory of 1852	3280	Nabfjpak.exe	95
PID 1852 wrote to memory of 712	1852	Nnkpnclp.exe	96
PID 1852 wrote to memory of 712	1852	Nnkpnclp.exe	96
PID 1852 wrote to memory of 712	1852	Nnkpnclp.exe	96
PID 712 wrote to memory of 4616	712	Odhifjkg.exe	97
PID 712 wrote to memory of 4616	712	Odhifjkg.exe	97
PID 712 wrote to memory of 4616	712	Odhifjkg.exe	97
PID 4616 wrote to memory of 2616	4616	Odjeljhd.exe	98
PID 4616 wrote to memory of 2616	4616	Odjeljhd.exe	98
PID 4616 wrote to memory of 2616	4616	Odjeljhd.exe	98
PID 2616 wrote to memory of 3224	2616	Ojdnid32.exe	99
PID 2616 wrote to memory of 3224	2616	Ojdnid32.exe	99
PID 2616 wrote to memory of 3224	2616	Ojdnid32.exe	99
PID 3224 wrote to memory of 1636	3224	Oobfob32.exe	100
PID 3224 wrote to memory of 1636	3224	Oobfob32.exe	100
PID 3224 wrote to memory of 1636	3224	Oobfob32.exe	100
PID 1636 wrote to memory of 316	1636	Odalmibl.exe	101
PID 1636 wrote to memory of 316	1636	Odalmibl.exe	101
PID 1636 wrote to memory of 316	1636	Odalmibl.exe	101
PID 316 wrote to memory of 1512	316	Omjpeo32.exe	102
PID 316 wrote to memory of 1512	316	Omjpeo32.exe	102
PID 316 wrote to memory of 1512	316	Omjpeo32.exe	102
PID 1512 wrote to memory of 1520	1512	Phodcg32.exe	103
PID 1512 wrote to memory of 1520	1512	Phodcg32.exe	103
PID 1512 wrote to memory of 1520	1512	Phodcg32.exe	103
PID 1520 wrote to memory of 3932	1520	Pmlmkn32.exe	104
PID 1520 wrote to memory of 3932	1520	Pmlmkn32.exe	104
PID 1520 wrote to memory of 3932	1520	Pmlmkn32.exe	104
PID 3932 wrote to memory of 3952	3932	Phaahggp.exe	105
PID 3932 wrote to memory of 3952	3932	Phaahggp.exe	105
PID 3932 wrote to memory of 3952	3932	Phaahggp.exe	105
PID 3952 wrote to memory of 3600	3952	Pefabkej.exe	107
PID 3952 wrote to memory of 3600	3952	Pefabkej.exe	107
PID 3952 wrote to memory of 3600	3952	Pefabkej.exe	107
PID 3600 wrote to memory of 2640	3600	Phfjcf32.exe	108
PID 3600 wrote to memory of 2640	3600	Phfjcf32.exe	108
PID 3600 wrote to memory of 2640	3600	Phfjcf32.exe	108
PID 2640 wrote to memory of 3264	2640	Popbpqjh.exe	109
PID 2640 wrote to memory of 3264	2640	Popbpqjh.exe	109
PID 2640 wrote to memory of 3264	2640	Popbpqjh.exe	109
PID 3264 wrote to memory of 4928	3264	Qlgpod32.exe	110

C:\Users\Admin\AppData\Local\Temp\215301fdd66aa68d896355295e470d97.exe
"C:\Users\Admin\AppData\Local\Temp\215301fdd66aa68d896355295e470d97.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\Mminhceb.exe
  C:\Windows\system32\Mminhceb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\Mjokgg32.exe
    C:\Windows\system32\Mjokgg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\Malpia32.exe
      C:\Windows\system32\Malpia32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\SysWOW64\Meiioonj.exe
        
        C:\Windows\system32\Meiioonj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
      - C:\Windows\SysWOW64\Napjdpcn.exe
        
        C:\Windows\system32\Napjdpcn.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Nabfjpak.exe
        
        C:\Windows\system32\Nabfjpak.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Nnkpnclp.exe
        
        C:\Windows\system32\Nnkpnclp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Odhifjkg.exe
        
        C:\Windows\system32\Odhifjkg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Odjeljhd.exe
        
        C:\Windows\system32\Odjeljhd.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Oobfob32.exe
        
        C:\Windows\system32\Oobfob32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Odalmibl.exe
        
        C:\Windows\system32\Odalmibl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Omjpeo32.exe
        
        C:\Windows\system32\Omjpeo32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Phodcg32.exe
        
        C:\Windows\system32\Phodcg32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Pmlmkn32.exe
        
        C:\Windows\system32\Pmlmkn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Phaahggp.exe
        
        C:\Windows\system32\Phaahggp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Pefabkej.exe
        
        C:\Windows\system32\Pefabkej.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Phfjcf32.exe
        
        C:\Windows\system32\Phfjcf32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Popbpqjh.exe
        
        C:\Windows\system32\Popbpqjh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Qklmpalf.exe
        
        C:\Windows\system32\Qklmpalf.exe
        24⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Aknifq32.exe
        
        C:\Windows\system32\Aknifq32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Ahbjoe32.exe
        
        C:\Windows\system32\Ahbjoe32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3392
        
        C:\Windows\SysWOW64\Anclbkbp.exe
        
        C:\Windows\system32\Anclbkbp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Alelqb32.exe
        
        C:\Windows\system32\Alelqb32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Baadiiif.exe
        
        C:\Windows\system32\Baadiiif.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Bkjiao32.exe
        
        C:\Windows\system32\Bkjiao32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        38⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Cnahdi32.exe
        
        C:\Windows\system32\Cnahdi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        48⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Chqogq32.exe
        
        C:\Windows\system32\Chqogq32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        51⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Dndnpf32.exe
        
        C:\Windows\system32\Dndnpf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        60⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        70⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        71⤵
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4320
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        73⤵
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3732
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        76⤵
        
        PID:640
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        79⤵
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        80⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        81⤵
        
        PID:568
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        82⤵
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        83⤵
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2000
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3700
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        87⤵
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2284
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        90⤵
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2020
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        92⤵
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        93⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        94⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        95⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        98⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        101⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        102⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        106⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        108⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        109⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        111⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        116⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        117⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2196
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        120⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        121⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        124⤵
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        125⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2692
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        127⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        128⤵
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        132⤵
        
        PID:684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 412
        133⤵
        Program crash
        
        PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 684 -ip 684
1⤵
PID:5720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aamknj32.exe

Filesize
276KB

MD5
530d29889438943661091d5c64cb2686

SHA1
1f3bb2e9f7e55e41efabd0ee0b063464c131196a

SHA256
8c0f7fa9400c8cefc1ba2d71415458a479f9c84e63c21498786c53366f94f959

SHA512
447c12805973e0379d86c89e43449bdf80eb3c04cc1ef333e27ba3b9e29b2cb9df6b266f11da7dc5aecc5393159f92f660210b50b6b9d914770b3d3ff5620680

Download Submit
C:\Windows\SysWOW64\Aeaanjkl.exe

Filesize
276KB

MD5
5ed33271ff50d82f2173d72883bea1ae

SHA1
4578a3a0ce39d106ad1feff5b23bf53ecf45f252

SHA256
757f0e076e8cc37994ed7c14d34707aa3a3e6daa1489be6ea82b9d416cbfc49f

SHA512
a27bc42711067aded4b2484b74e162882340e753927baaa67bad2a32107fb56b06135bbe84d2752c909b9cde20e7bc9a93bd171d6a2b3fb3b0d3b92dffe2e1ab

Download Submit
C:\Windows\SysWOW64\Ahbjoe32.exe

Filesize
276KB

MD5
f34bc71aa0bbd3f15ddb90637733c523

SHA1
0ace38736ec8964a3fedfc97098ecdf12ef82b36

SHA256
b89a2ce9e9d66628a6c4d2969e01bb65f1b7222013f5a563dad179ed401a39b7

SHA512
6ca5d860caa8b7fde6efd6166c71c8d1c513bbaca8b335bd9e6172092f2eca06362368300f251968647416a3495a36d002f69dd3d5ee79d38c8a9dda233d5407

Download Submit
C:\Windows\SysWOW64\Aknifq32.exe

Filesize
276KB

MD5
e725225e26cae2beb487a88407986dbf

SHA1
5027bfc0c4662f2c4cfa96403355604d6d1a551b

SHA256
cd5b41a179805b16cb80f5161e4fe89717cb59f32b68f988cbb1aa27be927d08

SHA512
fe6e1b59a95275fbdabbcdd687103ed3e85385d17b229512e55aeeeecd663ce6be146879080edf31f758b2c1d2682d19a18e7f20d3a59fc59c12861313d33e22

Download Submit
C:\Windows\SysWOW64\Alelqb32.exe

Filesize
276KB

MD5
22bb0cbfb1e0d08f26478bd1a599dfa2

SHA1
0e33e064554bc53c90788ea449b2102bc7b3181f

SHA256
e08d8471027b4885e6a623fa4816d51005f9121a6ceca15d0136ea31ac803271

SHA512
2fae0caa6b47499f7fad7827e8d0da7dec8c2525126573653982a628e5cc6c040456eb69d3c79b7922e249d0bb114fcbf5b691a36dbb2b9da52f6a7b66e9944b

Download Submit
C:\Windows\SysWOW64\Alpbecod.exe

Filesize
276KB

MD5
0339bdc295bb3a07fd36f2813ddecf02

SHA1
e2603ed5cc1de7d9ab7ec52a2fd9cc9ded8ade14

SHA256
13ac02e54dc09e256854c94b95febab28b1c9c5a5fdaa21074f53bfb6527f6ab

SHA512
3d7b44e6e3d8535810375aeeb4fd6bbf7e248bd570313730a2821eb4dfd65632d123830404144c737351301c3d8ae6adf15192ac4ffcd71781023e0044fc7cff

Download Submit
C:\Windows\SysWOW64\Anclbkbp.exe

Filesize
276KB

MD5
99f94638458139512f55062615817f45

SHA1
b88d727ec40f39237e0455d4974e59127970d883

SHA256
e343d8b106e7b9d520e62c899fc0ccbd4c125a24e4d3b878411c683dd3023476

SHA512
7a352732d2915b2abebb2b3dad2bb40b39bab383d781f58d531418f50d8df9a493a191b7a534c9e6b2029645fbbfc6f74ed9eb3ce61e7220a704325d4353be25

Download Submit
C:\Windows\SysWOW64\Anmfbl32.exe

Filesize
276KB

MD5
20a5c9fca0c6c41e265146098e3e9a49

SHA1
3da318ffff42d406f87cc59479f7cbc95ad776fb

SHA256
3417d8f1d49042898e041e1bf21ed36a6a9e8d060868cdec34a55c7180d6d044

SHA512
375ae2481eaa5a72e68a3f4f195da5463faae36223347ac5a37a66afb05ccba71f80cb679b66d872bf98b8b7761c7eb5e3320858b23ff187a8f6fcdb9bfb9755

Download Submit
C:\Windows\SysWOW64\Baadiiif.exe

Filesize
276KB

MD5
3c17bd61f3a634398689451cad6b105c

SHA1
68f2042d6dd3d06d746d4c9fe3a370698423e50b

SHA256
140660b0cce1a362a6bc219c1b0dd3abf859f50950b58986ccf0e6290d802c56

SHA512
1e5a7e060f61f864f6aa04d3f783877c3c38d07f889f653001de2a787258a513a2dc33bf8c6013e140b17b6647843f9bfea2abf373d421ac7ccd27988c00af9a

Download Submit
C:\Windows\SysWOW64\Banjnm32.exe

Filesize
276KB

MD5
5d9aea6bcdb1788fa83507857bf9dbdc

SHA1
d678ba24c31695993cbbe20d2037e5c4aa3a18e3

SHA256
1c5975cedd68ebb3e3b3fc3ca21386a39a32e5da368d851ec0154a51f739b1f6

SHA512
a567ac61f0eb5a2205d966b78f4ed24e5c2f7041feba2318f9443bbc756c863854e8d2c13b0bcc66c138a164faca79a0271b450c8f5b5b49b736196a783e2592

Download Submit
C:\Windows\SysWOW64\Cohkokgj.exe

Filesize
276KB

MD5
e9e8d67db2cdf703f2888033bc0a4115

SHA1
5cb4430c35a25e5b96417123e4819af08e682ce7

SHA256
f60d5f00de50f66c2e4d2b6b0932a73ab09a2799e4da65c7aed0d321b1c7015a

SHA512
b389feeb33aecfcce64fc05fb142adab492ab331e2781120c2aa5b729f6aa588fbfe4c4410f2f000094e6ba67758510fef312f13cdce270552ff0b65ccbef549

Download Submit
C:\Windows\SysWOW64\Cqglioac.dll

Filesize
7KB

MD5
68901794abfcc222461cd49086d8f0b8

SHA1
92d6c9ab424af13d405411f9e37014d9f59d5222

SHA256
132ee1e793ee71767e88118860d13dd63df08bd1dcd3e9397c960f22e8db62c8

SHA512
5b4e325d18f43c095e075dd363e6fa272011e7b78e8835eb10f880fc21b92f1a76c6a9bad6e7ef94dcc108aec84548b0018a0f1ea321e6beaa268aaf6527f47d

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
276KB

MD5
70914da0ab7eaa612b5685ae4a9ae437

SHA1
35db8d770f69bd3d3686e96ddde8c11f649065a4

SHA256
faba389d896ae2be9698b0fa55031d6a4a740af757c70298fcbfff83f68c3a5b

SHA512
676fac9ceccc54a0f449b0c6ee4f4bb00ebc74d51faf7075aa7fd7d66cb3bfe365afa3bf4352abb9ef78a9d378295c4f2538960cc8cff34caa2b7e33a34f32d9

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
276KB

MD5
ff0cabffd76d4dc79ae1021c40146913

SHA1
c80b225fbb28ef284179fcaa881baa11fc781822

SHA256
6a3e95317f1b5212f00f745e897146e7158ae726ef6817a79f5a6dea4413d1bb

SHA512
47557c3df10678f43c2bcdaab4f32e4e8df874c1f117e3732f0ce3f8dd1f2eab4aaea2d936c1c0584dc9e8d9cdcc8691472caa4bebb865b50d06ee775c0ae770

Download Submit
C:\Windows\SysWOW64\Gikdkj32.exe

Filesize
276KB

MD5
8f216aa37eb777ea925265228232d300

SHA1
b810336c36343ab497ade8b538e350cf63a645f7

SHA256
f48543bed86fab003df4f9660994953c27b6c76dfc03d93a51e5adb948c2771e

SHA512
8fa193b986b935085d168871e5666fa01b5ee0293e7c556ae823dd9575061ed69e59799e784d1b0a8d22329f4c8fdc3ae2288a296c2d37a4e32c444d1a4384bd

Download Submit
C:\Windows\SysWOW64\Hmkigh32.exe

Filesize
276KB

MD5
0cf51563ca14bac78fc371d8fd451dda

SHA1
04c89e9f2628052c1bdfe652872cdfb19660334f

SHA256
57ae0ae2a21894f4ad412a6a45eccbd4e20891b11cfece2ccda8cbd2916a7f55

SHA512
f5578644fb60b1f6380e677ad391afb3da8e714c7ae8f1a9f848b7e70a976f682f37c0441e1fd8f9d74470fe65c5c57e2178d61813101755ad90d7c507010f3c

Download Submit
C:\Windows\SysWOW64\Ljhnlb32.exe

Filesize
276KB

MD5
9170291f178e19a4dd98584c87a35ed8

SHA1
8e02552425caf698a5cf0054a880b47d63373bfb

SHA256
bd82022b6dc0c9602cfc1563b183c2be7878a6411c0e9a41fd6da3e5151f9afa

SHA512
29cdfbea609d86f5397ff5e527cd35ebd051bdc27d13ead927eb08143e3bc53f24263a500e1d945613f7948fbccec7b987f7d7871ccf11a21ad81fa926b88c4d

Download Submit
C:\Windows\SysWOW64\Malpia32.exe

Filesize
276KB

MD5
be384856007ac87bfefcafb0490a0837

SHA1
101353888a6e4f41fcbaabe9234f5261c07356fe

SHA256
4f9745cc3c6e4e3a1be5b9b05b708c882dff7e5889c0e6ae18319345b9d1ef3a

SHA512
e5411ed5156d8ae4736852e9b933ca1c50c7269088babe9c301eaa3fe1789121ffeb0b60fbb44c0ddbd14396149e2d3988836d124a6aad40b619cb0c9c6ebd98

Download Submit
C:\Windows\SysWOW64\Malpia32.exe

Filesize
276KB

MD5
57827c177f6e229313de5e59eecb9442

SHA1
5a3a9fe842eacb899d0915f4450fbf45de28f97a

SHA256
63df1603f0afc8f92171b960c593352d483bb2f3a61224a2c0364e96853cc6af

SHA512
52e27561567391e70b8627c56d26f9c870190072423b205fae53d03a8f7dddc4cddb531155e63d4031f7859e6c698ff15319bce9d59be4bda44ddc3660e62906

Download Submit
C:\Windows\SysWOW64\Meiioonj.exe

Filesize
276KB

MD5
0d835e332b1f0d195d190e8f0b5203fa

SHA1
3fa0559f1995bae6d597398d913f533de83972ab

SHA256
afb7cac5dd63a7a9c8cee1dc1b604e02c2cd49c28d09fa58781bc8a5b3e9fd23

SHA512
b76d59592ea8630a97c43b13acbcec4da76a5eae7681e251b017a20f1450fc8bb7439801e5088a6d819e8d100a7a5b76078364b5ab6318dc0f338b201b49128d

Download Submit
C:\Windows\SysWOW64\Mjokgg32.exe

Filesize
276KB

MD5
0a0341e73e7d651d36e4dd20ebaf4f81

SHA1
0ae4deb685d31b5377a0ad3c276f98395837c619

SHA256
b06aa4cfe778c38ce5602f9af345c8985a65e51c32a37abf2590078c37f60d5f

SHA512
66de7614d03daa6305c4cfa64880f8fddd136243d57d65387ed71e0b31027ec92e81c73b46ca24153418be540d791cf46d34a554f7cedb02b20c136c26a0a88d

Download Submit
C:\Windows\SysWOW64\Mminhceb.exe

Filesize
276KB

MD5
93bb275254c1eba0984a6909d75ec702

SHA1
6de7c87a48bfaa3fea1502e430eb6f584488407d

SHA256
024adbedeb4a1ffc15a166c3bc57b87e90a9f5c99746e24b18d8f53612070663

SHA512
c8aa19e3c4b51c8fab382a6075adcfc17c0524879a26b0f63967ed0d3a0af4bf07715886e046d780f971e18f423e2193bc12a6782bb23122617edf06d0371137

Download Submit
C:\Windows\SysWOW64\Mmpmnl32.exe

Filesize
276KB

MD5
4a51f2500ec39d95f0fb556c87737638

SHA1
221536d5fedd743259c5cb8ee913146efb210207

SHA256
f96e9793f3cde0d703d9bd4a1c6c42ec76fd3ef0ed0293d4cfa77b656f00b41d

SHA512
cf0d2b4615f03d9817a3c1009ce41eae4ba3ac147bc077a58ecbf5d8739519928cee3ded5f11e060e09b070314af8d9939a406ebdfd601ade1a3e8807af5dc09

Download Submit
C:\Windows\SysWOW64\Nabfjpak.exe

Filesize
276KB

MD5
f525b9174e66b8de491d1bc4af81df31

SHA1
cd90967031d13c5cb55b8bb123b4dca4b084734d

SHA256
db4c468008744bcd0cdd82d46ae703598256be849222395d1ec1cf0100c64000

SHA512
81e96f18900f703da82fffab3a187851f1f1dbc1d2e33f33004c44be8a904b41d09b079d2bb1547e93f807c58315080c2510acf855f225d606cd8e227f7ff21f

Download Submit
C:\Windows\SysWOW64\Napjdpcn.exe

Filesize
276KB

MD5
9ba07293c74364b7174c4a21837a70ca

SHA1
2dabd2154b86a4d2f28de8319dace8225d664972

SHA256
b5b888071dcf23e5757ace6f52aed1d6694d4aa53d2e465198569d68b0a0b7c3

SHA512
28fac65abc9235035b8203ee6ee6ab3300819051ed86bdd30ea17889a4f1c1be434e123078a9921b077f725dd0f381a9b7b92a83501e187036ffb0cf3ae27b44

Download Submit
C:\Windows\SysWOW64\Nlfnaicd.exe

Filesize
276KB

MD5
b244cb39f08294164ee22db20ac2b147

SHA1
acb14b1c79ab5f37edaf3709fb584c3451f7c0a8

SHA256
db84225fb241a4c92304469ae78147d13ec6f004b2ff54a2ad5d352c494e7e95

SHA512
835c1447efe99c0960c7552aa19282f60170f1d1e31c52d05c50f25c4a999b90c88cbf421b53c4b347a59d6b29edcd7fa0e686a7a6dacac3f345ba70ef9a0ea2

Download Submit
C:\Windows\SysWOW64\Nnkpnclp.exe

Filesize
276KB

MD5
0c47c012ef0464a7a41c5a05099106c6

SHA1
d86496ef689bf6d61cb006fa2a97aab7e1cee732

SHA256
9eed646fd5fa95372f4473e6b64cdd59855a69436b8cdb39e494caea0bc7cb27

SHA512
7e6fff828adfa1bd4efa9e75f0529f1eb93e62b5abf381194d921d016a232bd046565d4a284e830201fd268a1613c9501679ebfc68cfb0afdb95efa182c1c7ac

Download Submit
C:\Windows\SysWOW64\Odalmibl.exe

Filesize
276KB

MD5
589ee0b3e60c9e223b1f4b02985305e1

SHA1
f08bc47294ed03da78172b7dc03922c849244b9d

SHA256
514769aa47defe78cc847b7eb7b218812eb37ee9645b7d48687583eacfde90b6

SHA512
564deaec43e37cc6aefbf8637a6b7d9784b14240dd9f2b402e5f73661564f01a296b4efcbea8bf9aa18f2ed4f2f5af26a6768f84db1123e564d043e60fef9dce

Download Submit
C:\Windows\SysWOW64\Odhifjkg.exe

Filesize
276KB

MD5
aef2944484f7faeb829b717eeda41ec2

SHA1
ef354f833a6eab8b1823c05b1063120fbfd58a0d

SHA256
b6be9749fa46277e350025eacf52c9f4e838c78a971023ee2a91b3fc94a016a5

SHA512
b1a75eaace0d9f3c0caac32fda3e07c048e3dd08d6a660da858d053192f8fd9e2ddcd529d402ab0e16ae0eea054124b1c31cf65357d28639917d9a8ccb5e2414

Download Submit
C:\Windows\SysWOW64\Odjeljhd.exe

Filesize
276KB

MD5
303f94f5eba58f961d756a9302345941

SHA1
78b78868fedcd83a3d408b752cc20be4877dd2b4

SHA256
8a2e992c81feacb777bb0da04b574a323ef217f0ae015c62aa799f3fcf0e4a2a

SHA512
a6dc8a429576b5e0f056d9207f673823fe1d610e23cd0e9f00e62b7a3174f37e7a2bba59f4274512e18c8834fd4ef1567c3f8e0590e2dbaba70a7c6dfbd0449c

Download Submit
C:\Windows\SysWOW64\Ojdnid32.exe

Filesize
276KB

MD5
1610894b8334d1b026a4333541f6da04

SHA1
2d7f67f403a0e11c27b2119df3111b9d4f2070b0

SHA256
92d9276e0dbe1809eb721474317f49a6bf64de83cffc6d278d744c04564465fa

SHA512
b6328c8739fdd03397d31624aa9fdb0253ba0f0b36932deb0858ac1ba1799fb746822040b11c1a382673cb7cf83ac09526fd35ead113bacca457bb61081a6eff

Download Submit
C:\Windows\SysWOW64\Omjpeo32.exe

Filesize
276KB

MD5
7a9cfd01eab46187950577a243b2fd20

SHA1
0bd3d5a685d65b57cd55aed13547f614862e1d31

SHA256
395057121c47194bd562307073ea50a87ed74ed19cc93e1e52ab5ceb98c8f725

SHA512
00d3a01acf0d27109e52365ae4fb1cc67c09f8b0a34a86306ae7b32463ad2ffdf6ffe25fe0d785e1867031ef0d5816bd33b0807a5fdf909c7f2b305d17bec5be

Download Submit
C:\Windows\SysWOW64\Oobfob32.exe

Filesize
276KB

MD5
1d2da2a095bb20b5d7d979b483ff03d8

SHA1
584666dc4ba7daeefa0e7b61487018b56ebf31b0

SHA256
9ef6fb6bf95d875d7fae3e213d7be99b79f95b0186944bf4bb991d6f44f939b9

SHA512
48c4e7ff3e377fb986775a4ab57ec7572dbc7b6fa185a980acc37ab5e068847a742fcc1232c44c9f40f8af6e744088904532be0c4f2830597e0c91ccac8f7375

Download Submit
C:\Windows\SysWOW64\Pefabkej.exe

Filesize
276KB

MD5
45822b27e74ad1e1d11c92a9c6282e57

SHA1
bc826488eda9ffcbfa0d89d2b72b2477d2319369

SHA256
e517de260112643dba2c201a02c39de59779d71e605b4c21175c9cb726728d47

SHA512
65ea4988b83746f88bffe1400c44cf7181cb629f1afa60a984ed833c4f60e4602982f7ac3aec880c983842c064ddb8d6808842d3fa680bfa26f2841b1447badc

Download Submit
C:\Windows\SysWOW64\Phaahggp.exe

Filesize
276KB

MD5
1390f2a35b5d2dff5fa58e103d6c1ce7

SHA1
c6ce661abdf8902dba896dac702b817c9a4f792b

SHA256
ecb56ccf7aec76209f5bf039fd8ca545f12c2697d8ded96ab6ba2359da5b42b7

SHA512
298ecbb11746f220fb55c4a79010f0e860b94262cd0bb83c46e2f3505cb7189825b4f3eaa9dce431af7dcc2883a4fb1b7b456638c369b8d77c553dd05d9cb471

Download Submit
C:\Windows\SysWOW64\Phfjcf32.exe

Filesize
276KB

MD5
0bcd41f82c7189ef15cdc04ec782c314

SHA1
6410f4e39f571615f16d8c4860b0bd781030aabe

SHA256
8f684ab341b146828316f4e7ae33a21c6fe5990783cf31fd572a06c4c10c0cf1

SHA512
a980abb7766a7d1298019ed4d3ee0a90f58610a9c175ab1270d6882a3a37dd8aa812652dafec06170dae3dc4c8a67b0bbddf3d450951d3988e4359387f166c90

Download Submit
C:\Windows\SysWOW64\Phodcg32.exe

Filesize
276KB

MD5
901f4d487f3971ff6cc3535dd625377d

SHA1
bda4da47e9ef223c991e8c9761af483740e50ffc

SHA256
10b986169ccb3787272a4ba00ab00c1394e3fa1b0ef2411e8ec45d6e15943a76

SHA512
61ddd028954702495d26e19a9724a37e32e8f7c7de02b77254753176e38f6c0328c39f6565579bfe80e90f778a3a27caf2e789fbbb564fc278a646bd207c9c00

Download Submit
C:\Windows\SysWOW64\Pmlmkn32.exe

Filesize
276KB

MD5
83f317375354e72ddc316caa263959f0

SHA1
e32d5d18e3a215512c3ae32532f69ab0f3344c0d

SHA256
a61666d14dbbe87161feff1b4d30b7eeda6883f21962fbfcc54e1c719b1dcbda

SHA512
20fb3dd16f0940565600526d57fe4df8151e557264c8bd303643e5a5052b5d01fb85274f2afe53af151b88b855062c60e807adf839f6dcc7c61b94d7f3cdecaf

Download Submit
C:\Windows\SysWOW64\Popbpqjh.exe

Filesize
276KB

MD5
96c974f8734231880fd361814941d836

SHA1
a9b2d2346d8048d0661d6057f0f2e221abde2061

SHA256
d001519a553038fe52e824dcbd617a4bddbe9164e4e9b902d4860d891758b574

SHA512
d56862ae9eec85255c5e87f44cccb1d6ac209d648cd4e7a76e81ddcccd583c6e18773fcefe369425c5601db51ca978630166ef0fb31940c027aba90f25addd59

Download Submit
C:\Windows\SysWOW64\Qeodhjmo.exe

Filesize
276KB

MD5
d894b42a8100368613b5d5be344876d8

SHA1
335899efd17adca083e2ef0d941eadf940e8a638

SHA256
95c7e4c0b761011bdae3574501ea992cfce58f590d677c8859c5807ee1b614cd

SHA512
29d4ca90870470a1334a94ae76aeb69d0cb398dd8a7d22d9e4b9f95fbeb42a619776d0eca6e2cffcc24db3f6ab3e6ef9b72a374adcfffd7625e422f2621412ab

Download Submit
C:\Windows\SysWOW64\Qklmpalf.exe

Filesize
276KB

MD5
70ef9d745e3929d996fab286ad758258

SHA1
67505644e1100e093f30f71612d69fcb1b6c7c1a

SHA256
5429942b024ec3741e08456ab260244cf7242db72327071be6a90cc5e79dfb69

SHA512
554646a19eb865fddd661c0e7b5fd2343dc018354ff1fd7b243531ba8d6f0e9e6b098166a9991b29ab721e5fa89b08c028b9be8cde6ca2712abf920778750077

Download Submit
C:\Windows\SysWOW64\Qlgpod32.exe

Filesize
276KB

MD5
2c0ef1991e0e236caafdb4d9c955df8c

SHA1
581fd7763ad0f55b5e5cc178456f64353c8c8189

SHA256
2c46e9e0e5b22ddfd467d0539c3f6139aaf83a5b125f01bd156188c7258f4b9b

SHA512
9b3bd16cb57cd5889c41f21b85341b959f8211e0de7e83aab3a5fd7c1fde474e4966234fee2d5bbf28fb4b0ad8683e703108b44021443dfcae8f1e5bc8e27a26

Download Submit
memory/316-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/452-51-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/452-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/712-174-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/712-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/732-242-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1076-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1316-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1316-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1440-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1440-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1476-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1512-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1636-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1636-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1800-295-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1852-166-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1852-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2332-301-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2604-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2604-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2616-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2616-186-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2632-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-173-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2940-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2940-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-289-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3212-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3264-178-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3264-283-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3280-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3280-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3392-250-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3552-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3600-164-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3932-253-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3932-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3952-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4108-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4120-269-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4120-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4128-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4312-261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4408-211-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-306-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4588-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4720-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4720-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4748-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4888-226-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4928-194-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5008-202-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads