9db8ddf4a0f5f4774c044c24094eb6d78f846567b539a91af9cf699c97388fb1

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9db8ddf4a0f5f4774c044c24094eb6d78f846567b539a91af9cf699c97388fb1.exe
Size

104KB
MD5

27c6b3d13d8a175cb8f3589f570cf5f1
SHA1

0a676efd780232adf9120a7e21c89fac91d6f370
SHA256

9db8ddf4a0f5f4774c044c24094eb6d78f846567b539a91af9cf699c97388fb1
SHA512

d5a073d788f24f6fd40960df76f0c2f7dabebe11144e21cac6421082be56830d7c5643e5194be580a67fdb7c2be275bc08bfb8375a82d8afc39472f28301bf79
SSDEEP

3072:B0WMxpDA9cqvLlrlQTlNEyBcdyIsnB07tOtiaeeoVcuE+h3+rJM++SYSUZCbCdW:mWMxpDA9cqvLRlQT3bBcdyIgB07tOtiM

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihmedma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijdjfdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gnaecedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9db8ddf4a0f5f4774c044c24094eb6d78f846567b539a91af9cf699c97388fb1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekajec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iafkld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Medglemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjaabq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgocgjgk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlqloo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fijdjfdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iialhaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oljoen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdlkdhnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbnaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjaioe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khbiello.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Niojoeel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjffpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hchqbkkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdlkdhnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomjicei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddkbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcgdhkem.exe

Executes dropped EXE 64 IoCs

pid	Process
4656	Mmkdcm32.exe
2948	Mjaabq32.exe
4740	Nmbjcljl.exe
656	Nmdgikhi.exe
3952	Nfohgqlg.exe
1572	Ncchae32.exe
4584	Ngqagcag.exe
4252	Offnhpfo.exe
1568	Ombcji32.exe
4924	Onapdl32.exe
5036	Ofmdio32.exe
260	Ohlqcagj.exe
3516	Pccahbmn.exe
896	Pnkbkk32.exe
3452	Phfcipoo.exe
2408	Pdmdnadc.exe
4672	Qfmmplad.exe
3280	Qpeahb32.exe
3692	Amjbbfgo.exe
2836	Apjkcadp.exe
3908	Akblfj32.exe
4928	Ahfmpnql.exe
2864	Apaadpng.exe
1924	Baannc32.exe
100	Bklomh32.exe
4936	Bgbpaipl.exe
1660	Bkphhgfc.exe
888	Cponen32.exe
5004	Cncnob32.exe
2356	Cpfcfmlp.exe
1344	Cogddd32.exe
3512	Dnmaea32.exe
3468	Dhdbhifj.exe
4572	Ddkbmj32.exe
3788	Dkhgod32.exe
4400	Eoepebho.exe
5112	Egaejeej.exe
2816	Ehpadhll.exe
1088	Ekajec32.exe
4288	Fdlkdhnk.exe
920	Fijdjfdb.exe
2868	Fniihmpf.exe
788	Fkmjaa32.exe
1208	Feenjgfq.exe
2476	Gnnccl32.exe
1836	Gnpphljo.exe
4332	Giecfejd.exe
1272	Gpaihooo.exe
5104	Gngeik32.exe
3780	Hpfbcn32.exe
3828	Hhdcmp32.exe
4492	Hejqldci.exe
1960	Hbnaeh32.exe
3076	Inebjihf.exe
4664	Iafkld32.exe
1612	Ibegfglj.exe
1920	Iialhaad.exe
2252	Iamamcop.exe
4412	Jekjcaef.exe
4208	Jhkbdmbg.exe
1980	Johggfha.exe
1012	Khbiello.exe
3796	Kibeoo32.exe
4472	Kcmfnd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hbnaeh32.exe	Hejqldci.exe
File created	C:\Windows\SysWOW64\Aemghi32.dll	Mhldbh32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbkml32.exe	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Hchqbkkm.exe	Hbfdjc32.exe
File created	C:\Windows\SysWOW64\Bfcjjj32.dll	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Bgbpaipl.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Mmkdcm32.exe	9db8ddf4a0f5f4774c044c24094eb6d78f846567b539a91af9cf699c97388fb1.exe
File created	C:\Windows\SysWOW64\Dkhgod32.exe	Ddkbmj32.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Ocgkan32.exe
File created	C:\Windows\SysWOW64\Mnokmd32.dll	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Phfcipoo.exe	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Baampdgc.dll	Fniihmpf.exe
File created	C:\Windows\SysWOW64\Jjpdeo32.dll	Gnnccl32.exe
File created	C:\Windows\SysWOW64\Dahceqce.dll	Gnpphljo.exe
File created	C:\Windows\SysWOW64\Cpfmlghd.exe	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Cpclaedf.dll	Hgocgjgk.exe
File opened for modification	C:\Windows\SysWOW64\Fijdjfdb.exe	Fdlkdhnk.exe
File created	C:\Windows\SysWOW64\Mjpnkbfj.dll	Lfiokmkc.exe
File created	C:\Windows\SysWOW64\Holhmcgf.dll	Gnaecedp.exe
File created	C:\Windows\SysWOW64\Nlqloo32.exe	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Jhkbdmbg.exe	Jekjcaef.exe
File created	C:\Windows\SysWOW64\Hehhjm32.dll	Pnkbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Fkmjaa32.exe	Fniihmpf.exe
File created	C:\Windows\SysWOW64\Kpikki32.dll	Oihmedma.exe
File created	C:\Windows\SysWOW64\Aafjpc32.dll	Aplaoj32.exe
File created	C:\Windows\SysWOW64\Cbkfbcpb.exe	Bfmolc32.exe
File created	C:\Windows\SysWOW64\Qimkic32.dll	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Fnebjidl.dll	Likhem32.exe
File created	C:\Windows\SysWOW64\Ifoglp32.dll	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Aknmjgje.dll	Apddce32.exe
File created	C:\Windows\SysWOW64\Ohlemeao.dll	Jekjcaef.exe
File opened for modification	C:\Windows\SysWOW64\Ncpeaoih.exe	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Mhldbh32.exe	Mablfnne.exe
File created	C:\Windows\SysWOW64\Eoepebho.exe	Dkhgod32.exe
File opened for modification	C:\Windows\SysWOW64\Pjlcjf32.exe	Pcbkml32.exe
File created	C:\Windows\SysWOW64\Offnhpfo.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Mjbaohka.dll	Daeifj32.exe
File created	C:\Windows\SysWOW64\Mjjkejin.dll	Jhkbdmbg.exe
File created	C:\Windows\SysWOW64\Mjaabq32.exe	Mmkdcm32.exe
File opened for modification	C:\Windows\SysWOW64\Khbiello.exe	Johggfha.exe
File created	C:\Windows\SysWOW64\Mapppn32.exe	Lpochfji.exe
File created	C:\Windows\SysWOW64\Ocnabm32.exe	Oihmedma.exe
File opened for modification	C:\Windows\SysWOW64\Bmbnnn32.exe	Abmjqe32.exe
File opened for modification	C:\Windows\SysWOW64\Gclafmej.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Eecgicmp.dll	Fkmjaa32.exe
File opened for modification	C:\Windows\SysWOW64\Hejqldci.exe	Hhdcmp32.exe
File created	C:\Windows\SysWOW64\Ehblpall.dll	Egaejeej.exe
File opened for modification	C:\Windows\SysWOW64\Mhldbh32.exe	Mablfnne.exe
File created	C:\Windows\SysWOW64\Mljmhflh.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Hpoejj32.dll	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Cbpijjbj.dll	Ncaklhdi.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Ncchae32.exe
File created	C:\Windows\SysWOW64\Fniihmpf.exe	Fijdjfdb.exe
File created	C:\Windows\SysWOW64\Giecfejd.exe	Gnpphljo.exe
File opened for modification	C:\Windows\SysWOW64\Mablfnne.exe	Mapppn32.exe
File created	C:\Windows\SysWOW64\Ikpndppf.dll	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Pdmdnadc.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Hjcbmgnb.dll	Ncbafoge.exe
File opened for modification	C:\Windows\SysWOW64\Edoencdm.exe	Dgihop32.exe
File created	C:\Windows\SysWOW64\Medglemj.exe	Mlbpma32.exe
File opened for modification	C:\Windows\SysWOW64\Nakhaf32.exe	Nkapelka.exe
File opened for modification	C:\Windows\SysWOW64\Apddce32.exe	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Kebkgjkg.dll	Ncpeaoih.exe
File opened for modification	C:\Windows\SysWOW64\Gpaihooo.exe	Giecfejd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmefoohh.dll"	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaokcqj.dll"	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhmjl32.dll"	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdeo32.dll"	Gnnccl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Obgohklm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hejqldci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Likhem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll"	Mmkdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanfno32.dll"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jekjcaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oljoen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ekajec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkhgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Feenjgfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lafmjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abmjqe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdleo32.dll"	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacodldj.dll"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipiddlhk.dll"	Nkapelka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gngeik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcjjj32.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfedfi32.dll"	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll"	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Inebjihf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Giecfejd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbfdjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kibeoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gnnccl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Johggfha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fdlkdhnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hqdkkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpemfc32.dll"	Lafmjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnkbkk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 4656	4688	9db8ddf4a0f5f4774c044c24094eb6d78f846567b539a91af9cf699c97388fb1.exe	92
PID 4688 wrote to memory of 4656	4688	9db8ddf4a0f5f4774c044c24094eb6d78f846567b539a91af9cf699c97388fb1.exe	92
PID 4688 wrote to memory of 4656	4688	9db8ddf4a0f5f4774c044c24094eb6d78f846567b539a91af9cf699c97388fb1.exe	92
PID 4656 wrote to memory of 2948	4656	Mmkdcm32.exe	93
PID 4656 wrote to memory of 2948	4656	Mmkdcm32.exe	93
PID 4656 wrote to memory of 2948	4656	Mmkdcm32.exe	93
PID 2948 wrote to memory of 4740	2948	Mjaabq32.exe	94
PID 2948 wrote to memory of 4740	2948	Mjaabq32.exe	94
PID 2948 wrote to memory of 4740	2948	Mjaabq32.exe	94
PID 4740 wrote to memory of 656	4740	Nmbjcljl.exe	95
PID 4740 wrote to memory of 656	4740	Nmbjcljl.exe	95
PID 4740 wrote to memory of 656	4740	Nmbjcljl.exe	95
PID 656 wrote to memory of 3952	656	Nmdgikhi.exe	96
PID 656 wrote to memory of 3952	656	Nmdgikhi.exe	96
PID 656 wrote to memory of 3952	656	Nmdgikhi.exe	96
PID 3952 wrote to memory of 1572	3952	Nfohgqlg.exe	97
PID 3952 wrote to memory of 1572	3952	Nfohgqlg.exe	97
PID 3952 wrote to memory of 1572	3952	Nfohgqlg.exe	97
PID 1572 wrote to memory of 4584	1572	Ncchae32.exe	98
PID 1572 wrote to memory of 4584	1572	Ncchae32.exe	98
PID 1572 wrote to memory of 4584	1572	Ncchae32.exe	98
PID 4584 wrote to memory of 4252	4584	Ngqagcag.exe	99
PID 4584 wrote to memory of 4252	4584	Ngqagcag.exe	99
PID 4584 wrote to memory of 4252	4584	Ngqagcag.exe	99
PID 4252 wrote to memory of 1568	4252	Offnhpfo.exe	100
PID 4252 wrote to memory of 1568	4252	Offnhpfo.exe	100
PID 4252 wrote to memory of 1568	4252	Offnhpfo.exe	100
PID 1568 wrote to memory of 4924	1568	Ombcji32.exe	101
PID 1568 wrote to memory of 4924	1568	Ombcji32.exe	101
PID 1568 wrote to memory of 4924	1568	Ombcji32.exe	101
PID 4924 wrote to memory of 5036	4924	Onapdl32.exe	102
PID 4924 wrote to memory of 5036	4924	Onapdl32.exe	102
PID 4924 wrote to memory of 5036	4924	Onapdl32.exe	102
PID 5036 wrote to memory of 260	5036	Ofmdio32.exe	103
PID 5036 wrote to memory of 260	5036	Ofmdio32.exe	103
PID 5036 wrote to memory of 260	5036	Ofmdio32.exe	103
PID 260 wrote to memory of 3516	260	Ohlqcagj.exe	104
PID 260 wrote to memory of 3516	260	Ohlqcagj.exe	104
PID 260 wrote to memory of 3516	260	Ohlqcagj.exe	104
PID 3516 wrote to memory of 896	3516	Pccahbmn.exe	105
PID 3516 wrote to memory of 896	3516	Pccahbmn.exe	105
PID 3516 wrote to memory of 896	3516	Pccahbmn.exe	105
PID 896 wrote to memory of 3452	896	Pnkbkk32.exe	106
PID 896 wrote to memory of 3452	896	Pnkbkk32.exe	106
PID 896 wrote to memory of 3452	896	Pnkbkk32.exe	106
PID 3452 wrote to memory of 2408	3452	Phfcipoo.exe	107
PID 3452 wrote to memory of 2408	3452	Phfcipoo.exe	107
PID 3452 wrote to memory of 2408	3452	Phfcipoo.exe	107
PID 2408 wrote to memory of 4672	2408	Pdmdnadc.exe	108
PID 2408 wrote to memory of 4672	2408	Pdmdnadc.exe	108
PID 2408 wrote to memory of 4672	2408	Pdmdnadc.exe	108
PID 4672 wrote to memory of 3280	4672	Qfmmplad.exe	109
PID 4672 wrote to memory of 3280	4672	Qfmmplad.exe	109
PID 4672 wrote to memory of 3280	4672	Qfmmplad.exe	109
PID 3280 wrote to memory of 3692	3280	Qpeahb32.exe	110
PID 3280 wrote to memory of 3692	3280	Qpeahb32.exe	110
PID 3280 wrote to memory of 3692	3280	Qpeahb32.exe	110
PID 3692 wrote to memory of 2836	3692	Amjbbfgo.exe	111
PID 3692 wrote to memory of 2836	3692	Amjbbfgo.exe	111
PID 3692 wrote to memory of 2836	3692	Amjbbfgo.exe	111
PID 2836 wrote to memory of 3908	2836	Apjkcadp.exe	112
PID 2836 wrote to memory of 3908	2836	Apjkcadp.exe	112
PID 2836 wrote to memory of 3908	2836	Apjkcadp.exe	112
PID 3908 wrote to memory of 4928	3908	Akblfj32.exe	113

C:\Users\Admin\AppData\Local\Temp\9db8ddf4a0f5f4774c044c24094eb6d78f846567b539a91af9cf699c97388fb1.exe
"C:\Users\Admin\AppData\Local\Temp\9db8ddf4a0f5f4774c044c24094eb6d78f846567b539a91af9cf699c97388fb1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SysWOW64\Mmkdcm32.exe
  C:\Windows\system32\Mmkdcm32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\Mjaabq32.exe
    C:\Windows\system32\Mjaabq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\Nmbjcljl.exe
      C:\Windows\system32\Nmbjcljl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:656
      - C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:260
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:100
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        30⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        32⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        34⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Eoepebho.exe
        
        C:\Windows\system32\Eoepebho.exe
        37⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        39⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:788
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        49⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        51⤵
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        59⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        65⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        66⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        68⤵
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        69⤵
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2460
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        71⤵
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        72⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        73⤵
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        77⤵
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        78⤵
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        79⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        81⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        86⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        91⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        95⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        98⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        99⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        104⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        108⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        110⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        113⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        115⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        116⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        117⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        119⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Hqdkkp32.exe
        
        C:\Windows\system32\Hqdkkp32.exe
        121⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        126⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        129⤵
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        135⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6204
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        144⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        145⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        146⤵
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        150⤵
        
        PID:6556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3916 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:7156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahfmpnql.exe

Filesize
104KB

MD5
099fa3bf19f8a3bdd5cf8d878f1bbb56

SHA1
b0d8550cd48638a6ed72c6d170010b952e40d2c7

SHA256
69323117cefa44df53686af1a834b6e83bddcaca8ded793fdfc7736806d2ca83

SHA512
21beb88e07ce320a089f74f3523a49885e8f1d67ec79e5faa8fa3bc14f48c20956695112a2e561e19c730802530d9fa6ff9992326254e87549aed7586407347c

Download Submit
C:\Windows\SysWOW64\Akblfj32.exe

Filesize
104KB

MD5
91b91f6bcbb89970326eeb90c75ae6a5

SHA1
f2d236178a34fa98405923afb0d6b91477083192

SHA256
4eb6b0ea94859de4d7724d9e87d957cf0b0b519b197353f01731b64c56bc83e7

SHA512
db0ff5c1c4daaf9b27623471b566fd8f4edb5f48f3e4553d32644563f68766d7b1a835bc4fd2a1e73a4a2c8e15aeb79570aebda57f90ad1eb196fa833f713ed9

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
104KB

MD5
4c665aeed7317137497d1e7e662f9ed2

SHA1
f2ac5cf9e7b297b53051c96080ae43a5e854eefd

SHA256
9bcc803704a65a98beb6d3bd2ec185fb22b27bc50f65f5c2385410ee75a1efa6

SHA512
e204986004087f347142389aa4105642fce011d32330fcc4dd0bfaa90b4fcd6892658ea3bb6872e7a279237c0d2046229148cf33ab02c5f9d35d7d0f619185a2

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
104KB

MD5
91e1dda62d03fc3f7c880c955c541a7c

SHA1
8d93832f553ae9376e98a57c22d9740c941ae9ac

SHA256
ae8753e9d0024015ca60092b5c532fd3b62e6a8dee00f9b4d347a65f3151489c

SHA512
68a0d989a6d4ffc0c63d079ad57744230e276954e31515e2302dce68a9bdf656e854196b5b74d00d237e70fe03eae8f2d25f0c27125e6ce655c8fe5fd14be4b1

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
104KB

MD5
a094a7310c053d565085edd3ba82bbf1

SHA1
c5d8b2e30e609d580c995700c67e79390345673d

SHA256
ebcd5bbf880e491f724daa87d1bc09ba806ed6133211cbf946934056453be41b

SHA512
617ca3d5e414125a99e4876d44e9d3d69a5d410e804e13c47e6f0e2d9b49d70e9acfd50f6e452070b5e7e4117b59eb06beddf2e1689a66532a0a4adcb138328b

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
104KB

MD5
988dfcc0499ed438e7309da0ed6ace2d

SHA1
822de17e73a03d3ac034902ff72e489e9e7adff1

SHA256
2b8660f414e78a27f1e5ce0c02b82aa65234fd6c86f1300e7e3578625b984763

SHA512
a77f8fb3ea633ff834c73d14060160a9cf21fef2572d787a6e088922836a40f1530caf191e2e083beb5f7b9e34173b835d61a6fbe2932ccd419cefc4b503d9cf

Download Submit
C:\Windows\SysWOW64\Bgbpaipl.exe

Filesize
104KB

MD5
d72180ceca769dcf04715f847efe2727

SHA1
15d7ffc0ddcb145198dcd53a94878b2361bdc920

SHA256
87c366b53dcb12362d97c358e866ea7f3608e909dc5d86129c24a2cb9ef5a101

SHA512
00556100710db12a8d6e3bf6ef6b629a3ef88a49ac7b3c6d166e44cea16df3b522bb4b46dcc1bb23e434195f402a9488842f792552824ea40271b7e0f3727f3e

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
104KB

MD5
d4aef995ff648de9c9e34a69fd8e713a

SHA1
e370b1891e0e59d8c173e24b03ff9c9bc0315a0e

SHA256
70911e99eafd5a602cfa00986ef55063fe294b7d79b066372b257c30ce16678d

SHA512
80ee2880293e940ee75b1f58617f6d0ee29aa0a8301e96e11751d8ce8343d779c7321d36aa2befb97be92b63e83a01636aa834b36e4d94e6e74f1bffe06d2fbc

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
104KB

MD5
769e336769ae8b4586d150085e4afa67

SHA1
0b292e79fa39b644fbc17e069f24d173072a7efa

SHA256
8a96a024ddc130330787624973143dccb206193651fe40bc0aea0c7534e00f20

SHA512
74c7268d7f7bf38e71a561b6cf5f73bd8231b820aa8d2e88d715c8a9001738f666522e84ab862003fa5874b4218ff2ebb199d568624d0725da935b92e9a97b8a

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
104KB

MD5
f04ba0d2032066d74d01f5db1d5ba2b1

SHA1
9d7c804795e03a21154f2ef2570c816e342fc8ba

SHA256
b267f89e0dcbd4cd291ed66f3701f731ced92c727f8547ec6abf2779d85b05db

SHA512
2e32f45d1cfd87436bf797ec3296bf7b1e07d634e1f846e532aee146df7806e4400ff9e069e66a990f2334d32c836e5842dac8811bcc1ad9e3f27c49bf4fa766

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
104KB

MD5
a1f1da7b66a78acf77764cfda6cbbb4f

SHA1
60b5d2713e644cd66398c3bf258ae89aa7c13c4f

SHA256
5dfe66bf1f195f786d9ea7f86c6746f59f40130825b1a3eba56696f4077a4114

SHA512
847b53debde516f455d0080eacc158d0e6f5f0b1cbd3b89dd12ff2f8a4cb6b7fb06124d4540e1f0010f821defa4ba3a405aa7bce6884b7d2da7343fcfa6a008f

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
104KB

MD5
fe10769c91c09f3b6170a0d9fd2eb204

SHA1
9a9afaf956448bca375ff92219daa6e98601c62a

SHA256
73108d3c5b93e8dbf0a8f4d589fb39f1b61ff3f5a62792f266051dc0fb7d4539

SHA512
3e0c6e6bf6b5286accf5ad9c210a1f797b4b92a5fdc7ce1e599145bd3be4fe9e1a99633da24723701c54bf14c2563afbdd984a43e521dbbf3515087335887044

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
104KB

MD5
defa31951df6d04555db6fee40d3ef7d

SHA1
b18a035a4d69ca0dfd15b281eed45ef6ab687b32

SHA256
9dbbfcaacb547185cdf87e3e31f833dfa4c258072d9380b2305379c6ba8366f5

SHA512
23a48262078a0396d73265f5a610c9264a11808cb641934dbb9abd4311cb8d03b2a4cd112690f114b90bf529fe56a2622ec7c3686caa786b9f6dc4c5ef4c9023

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
104KB

MD5
d3b03a003cab6d1627a9693e358ab8eb

SHA1
7b4a2ed2320ae3498bac78d004d7c36c5bf06767

SHA256
3a3b43cb0019e244beac9b56ea27bc1b799cbe15e29d0914695fb1b4b981aa65

SHA512
64003254ffa74e69a89a4f7c5a5a4e796dcc0b73d3096b8d748bb5483b80086f7553daca12f4c70a06e570208a3ed88eac6b49d9d9ce82db98db3807782c1233

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
104KB

MD5
838595fa01fac4886d16606172769645

SHA1
99bc6dee672cb6f329ea7eb9db4569d1a728fe6e

SHA256
33de687055c2b268bddfb2b861d0d6b127288de83f303b5b1983df9e990ac0b9

SHA512
efd85d895adde02c76e7b7e54caa6625571210980b5978a61238c052f3229af16916ab2055483f9841da0ba49658074fcfe6b60c7187136a93eb2c8729781a47

Download Submit
C:\Windows\SysWOW64\Enjgeopm.dll

Filesize
7KB

MD5
ec255c629cb954a69c0bd30aec06f150

SHA1
ae1ee895788aeff31e9d0852b0e72760090e113f

SHA256
465fd8377b3b8cfe352f57b1ad39ce3c8e937eb8b7dba1b575253ad160b60416

SHA512
6662f6a3ab56df59b5b72cdad568e006039158481d6c676aa9a8eface544d618caf31d482d02d1e846701e197c42838859f85a96032273feac80a6f40a1bc111

Download Submit
C:\Windows\SysWOW64\Eoepebho.exe

Filesize
104KB

MD5
b6c1e9e40a5faa2e9f81f3511126282f

SHA1
29bd7a145e558d92adc62fbe868df28df4448d4e

SHA256
926338225cc82b8712c0a870fdadde8ebb02ef5c65d6656c483155112ad80b9c

SHA512
2ca748109ad2585f1061083775972205ed3d6158d4752f8ff2dfc2a0458144e90dbfc08617990a84231cf036f76bbb48a50fd5dd512eb526465e193774a60240

Download Submit
C:\Windows\SysWOW64\Iajmmm32.exe

Filesize
64KB

MD5
8b1cbc77345d3e9bb7d0f503d10c67df

SHA1
94719484169ffa6ba07e24a6fa967ddbfb7bc9cf

SHA256
b304b23e3a900bfd0b4091c397fde29666fea7ada78fb56badfe1f662fe2c719

SHA512
c100c4da630c32dccb2b9629574e133f96913da583ee1caf6c3f3d814ced978b1508235e42ee6836560b9d4cb92c0e16006bb9849386b215265fd100e543ca51

Download Submit
C:\Windows\SysWOW64\Jekjcaef.exe

Filesize
104KB

MD5
c70977e1c209e1194f8a75299e82c337

SHA1
ad2cf7f6052878c0d84d1bb85fd245d77dc99798

SHA256
0673cedd3b303c362a87af3679e6c73c98fe817c60d7e22cdcb3df87d0ce6b47

SHA512
b6cc09931d659562d8adb02c05724ed6beacdda0570adc2022b05b4e78365c480f69f3ebff4813fab8bdbbfb61a1dd0fa44bfcb732f50b521594665fd4cbd29d

Download Submit
C:\Windows\SysWOW64\Kcmfnd32.exe

Filesize
104KB

MD5
fe31d7ca16eb91bb60970a21c7ecfe49

SHA1
84156f0576fcbf6f556fafe8177654e4524962dd

SHA256
5fa2926d331ad38433b3e5f3685952237f8fbe5524065d5246eaa1bb0b1a6cd1

SHA512
0fffe983c09fecd7cd7e97305c6c9bcc9e6fb54dbc5e05a2b592469b375fb5ae6fbeb8e308c835f00c2348aaf22c8d276bdf859a7b23f71c8896ec5c0dd41168

Download Submit
C:\Windows\SysWOW64\Mjaabq32.exe

Filesize
104KB

MD5
79afcb34114cbbda38d5031c2c194e5e

SHA1
13420d5569f9effd1e3d2d1ec126accecc7ed431

SHA256
c2ed3f9c07e965403a74fa5338c60b24410e177c2fe050b14a069cb1fc6e64aa

SHA512
643407be5a935cbbac045962981925dfba78bf6ce7e6d9739fe82578df03e5920f6bd0684807a9d4bb2bcbaf94c6ed38106cd0a7290f94a8add43f055014dd3c

Download Submit
C:\Windows\SysWOW64\Mmkdcm32.exe

Filesize
104KB

MD5
0383790607622c7170c24acbba002248

SHA1
8db5c7426bd560b5af663db1d2c545536559dcf4

SHA256
a757bdb5c7be3a755d2639ba08f13b0fa4028a63551cfa7a036bcb52fa52124f

SHA512
00f4dd97af0f4c1b7387e726cb0144ffee5c26444fb9a410252edd224630fcde2e2b6893d0480fd4d466657c57bcaba0389dca50692bbb8f0d172ec936bee037

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
104KB

MD5
f6d0bbc5917c124aa56765f69fda7afa

SHA1
09ecce74fe4329f84577030dc0526b1cdfe23f54

SHA256
336519daafde294eb4a5e946f665c2668cf91c568735fac7ba8425c05b6b76e3

SHA512
1bfc4941221a3650ae03866e8419a1740e695835228984dddc80c9ca7f618ad41bd51588c15e084c1f395f1e0828cb66b2ede5ccb525efd009d3326836e93cbc

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
104KB

MD5
dd09af43e365909120f702a62dfd1d3a

SHA1
b9b43bc3be01497ad1a4cad9f0da17f0130ce29f

SHA256
56854e4e817f69f4730e69d52e5b47b3b7de792854749493c4006e5d2c04fc78

SHA512
47b2e63c78651edea2ee7be3b9007f0ff64754c23ee665f8340f287dd929339c7cd6120b7180ab04f58cb724de78597dd89338e3de42b36c172f789c603e7d08

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
104KB

MD5
8fd58783b2f276957ea14f03ebb10118

SHA1
98eaeb73bbc70dced642ec64d687d9fe2235589d

SHA256
984bfb64b399c11ae6164ae18bbd6f457fa93d297f62b4b7f03130e8b178e996

SHA512
f9bdeceedd0da6fa0298d9832d3e20838097e9bc052bb58802277d7b61628fd0ec46191259d0d6e9831571c79e728578db8e1db5f121844a4f3807d8dd10949e

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe

Filesize
104KB

MD5
114e6ab23928afcff09e7da4110a21b2

SHA1
2c22f4cd7515e52334f8b1adc07f12e04e12723e

SHA256
cfe827b70c257b7b4e0ec98d036371d8b85188fbb870470c6eec47185ba60da4

SHA512
bb9613b1666ee3e427872a149be5be75cabb850c485f9ec1318e76e9140b1f425849127fd2f57bf40b055a7b9494f169ea6ac542ab16b47389b0eb3c29eabb67

Download Submit
C:\Windows\SysWOW64\Nmdgikhi.exe

Filesize
104KB

MD5
5a471fd370603921a8507e5d0a74512c

SHA1
39ba829b067ff6644781a393aa2e2eb02d116855

SHA256
435fcb756b3f08f926273387717e639899b7b1f0322be606f826f48920cc7c49

SHA512
00caf1307976570fddfe0ab76d0ef310d751b7d43324486fe4a2aae65c4d36c9fc1370d5c173a0a0e0e6062bd89a85528f3decb9b2736e140fecdbfb73077e92

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
104KB

MD5
2b6d7d0caffcb3a361a01b4b8e201519

SHA1
2b0ae4e11b5061b976e2805c4704ab11d957fb95

SHA256
80fc326d409310058bbc8a91cf35b0013aad34cc0c3b038e589beb8f1f92af60

SHA512
76e9fb1a3a798ec8c6d4bf8508a36086cc5cc1b0301fa01e6ce8b15f4422a6971388cf98c6878e294cbd728a17657fb1e458d528019efd7f3122ccbeb81b5ee0

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
104KB

MD5
7f9c1a1368e168aa6c17434e01d4e426

SHA1
6092336867bdbd400a11518f190dbcc18bf8cb03

SHA256
ecb09abd6fef7f6040bf7178681d22ba2625cff463f2740b77af78851fab2c08

SHA512
1c7d9dafbfc730332ec1da55079dddc4b77e8d48330520c207029958c96bffe8e9233af08a1e82ab6efa7c85cccad2a78c1073f06ce9b06bbeb5b0bb2000a2fe

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
104KB

MD5
fe68755e80f52c4038edc626fde5d114

SHA1
344c4ae744a691615c6e98ec6643880f11501033

SHA256
08ca710ec71b0967c120b953ef0a245c1cdfcaa220262ec222edc0169fb4c3bf

SHA512
492d239bced51e08d1e36705ab99e2dbcda7e5b5c24ecf4c4fe38382566eccd6ee81429f03a4b643d85b50710ff27dc16924c7630dc6eb20c4fe4ee036674188

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
104KB

MD5
f188029dbd67d0e87d793c5a84ac9b2d

SHA1
01904ac002b9f9c2a4d6ff15a64b107e9954ce03

SHA256
c50e9fbec4dbad967d9d012c928db26c23dba4a7d26d049dec5d5179aba03b89

SHA512
26edd2682510ea82870c1808d611a714163eca27936f19724ddc996d9dbdb72c3536b34dc00c676626656fcbaf0ef438336efd0a82805cd746ff7b0a7a17fb0e

Download Submit
C:\Windows\SysWOW64\Onapdl32.exe

Filesize
104KB

MD5
734275c33396f595d0eda9594c49e879

SHA1
fc3cc80aa972c47adf8215afda89930539263979

SHA256
deb74c8137546d2ed8cf996eb4bef17fe70d660d05eb643519824e3b237eb4c4

SHA512
67f728e9e88180d4e8e79129b34524565915191286108f62f8fce6764c481bdf269c56786bb75d400c33b9b99e99e23c035e170c81fb0771a66997dd3fbfe498

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
104KB

MD5
bb556d7e2e5d09a6029a73d15aad9c18

SHA1
441d27bff143d9f3e2e472e88573d84e10e02e53

SHA256
f21b456b153545acee63433304264de52db949391189053a59671da00b581230

SHA512
05c31b3a83be681ff114459b9040358f3f4b273ae5a02e2fd367d608db257496ef758e9234d5a21225f61debbfb57bdf2b0646c91af7d30175a9f684c11003ee

Download Submit
C:\Windows\SysWOW64\Pdmdnadc.exe

Filesize
104KB

MD5
ef933b38fc49ccb3fd7fcb64af518f5c

SHA1
f27b1b1f3dde3148d413a3072343698196883aa6

SHA256
cee0622957fe578a2ee228fec5c38494afd652b62e04997f6f57db71d5789ca1

SHA512
20de7cadc218b3ae9e18b1ecbd32296f76a4fff1b19dfceb397a8f5d518b0c7a01d49fb66661ff2ad856802724ceef362a5d3e8f1287a0ad20e794699d83e300

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
104KB

MD5
c755577ff8cabeefe22b3ff27191eb64

SHA1
a8a57297969dfa25ad7eeb46e16e3b20af1fd074

SHA256
330f4eb328b0d7ecbf78ec6e6f3565b7e21578797313c902473cd5b232523046

SHA512
8aee85f76c2401cf471cd649b5a576396debccf7347059a4a23c25a14a1b10547cae822da3ab5b32cff170edbae28c5ed84e12f90b3430e6f34e978c3626d13e

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
104KB

MD5
a41c48218be710a2e95e806f1f5e8811

SHA1
5fbfb9beae2ab3e7941f235293bdaef8ed734ce8

SHA256
09c2073f6e5e3664444bf910b0f6c06f00eec66e5738067d9f17432d85f4293c

SHA512
d83569650d541ca3a36e5bfac29615520cbe97eb9e497d637a6e106ecb603df719030635c95393ad62929dffa94c7d899f1251fb84ee34e8a501bc5d77de675a

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
104KB

MD5
719f2ac8f1864bc066bce20c9c867c1b

SHA1
c884acb801eeba5f9b53d56e96806dd12a68564b

SHA256
b1a6fa148e76aebbba001808ddf2851765813a46d2c15cba174eb721f73669d1

SHA512
7f67ce616987fc4d11d01dab610b3c963d83d67c5aafcc3661c9f4b439aff5eaac5744da7467a58d13858665457b3f2601d3f4c6bb1039b1de53807f564aef85

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
104KB

MD5
bce4b0be0d74f3267663c72164aa638c

SHA1
c475f80ebbbc7e87e44dfbe2d635b9c52ce0479c

SHA256
090e17e5e3295c7100709e08a547841aea96c486cccbf3bcab57013de30cf1bf

SHA512
f787bd3e003d23529d6115355ec99f31a9ef8b6e32b6c49147e98df41bf3432fb4abf57331cbe52714d2abc4fee967db70a7700c4212bf8827bd24d3bac07acb

Download Submit
memory/100-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/260-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/656-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/788-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/888-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/920-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1012-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1088-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1208-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1272-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1344-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1568-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1572-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1612-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1660-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1836-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1920-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1980-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2252-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2408-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2816-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2836-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2864-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2948-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3076-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3280-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3452-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3468-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3512-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3516-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3692-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3780-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3788-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3796-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3828-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3908-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3952-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4208-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4252-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4288-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4332-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4400-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4412-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4572-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4656-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4664-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4672-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4688-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4740-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4924-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4928-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4936-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5036-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5104-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5112-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads