b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523

Analysis

max time kernel
114s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe
Size

236KB
MD5

b8ce47c8f40667cf1c94c37ef8879c5b
SHA1

e6839c982fb1f0de7a840a6f8285766719e969df
SHA256

b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523
SHA512

de799cf5d8d5563ea93a19de5f09d0a67e02fdb4751499bcf500e038f8a96b81420473147d8bc06b86ccc5076fe48ab5f76932bec265b4acf57ec601b6bce5fb
SSDEEP

3072:mRwuOtk38zbTsZt4VY/ODJ9IDlRxyhTbhgu+tAcrbFAJc+RsUi1aVDkOvhJjvJUp:meuOtA8zbTC+Y/ODsDshsrtMsQB4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adikdfna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoalgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiodpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhenj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdickcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmfplibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olicnfco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmmqheb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cofnik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibjli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iepaaico.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlbcnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnfpcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epmmqheb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efjbcakl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hedafk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jljbeali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klfaapbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eehicoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hplbickp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coegoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coadnlnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhndpol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlbcnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ickglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ickglm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfipef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oloahhki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olicnfco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnipbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcpjnjii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmieae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpdhboj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njinmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pocpfphe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkokcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feoodn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmafajfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hemdlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jghpbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeaanjkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebdcld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmojkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbhoeid.exe

Executes dropped EXE 64 IoCs

pid	Process
3424	Kmieae32.exe
1456	Kqfngd32.exe
4764	Lqikmc32.exe
2576	Ljclki32.exe
864	Lekmnajj.exe
368	Ljhefhha.exe
3852	Mepfiq32.exe
4404	Mcecjmkl.exe
2852	Mmpdhboj.exe
492	Nghekkmn.exe
440	Njinmf32.exe
1596	Neqopnhb.exe
4480	Nnkpnclp.exe
1440	Oloahhki.exe
2068	Omcjep32.exe
1572	Oldjcg32.exe
2932	Olfghg32.exe
3256	Olicnfco.exe
1356	Peahgl32.exe
1664	Pdfehh32.exe
1720	Pajeam32.exe
1120	Pmaffnce.exe
3116	Paoollik.exe
3036	Pocpfphe.exe
4308	Qlgpod32.exe
4236	Qlimed32.exe
3384	Aeaanjkl.exe
2940	Anmfbl32.exe
3464	Alnfpcag.exe
868	Adikdfna.exe
1912	Aamknj32.exe
4496	Aoalgn32.exe
4600	Bnfihkqm.exe
5028	Bhkmec32.exe
1432	Bnhenj32.exe
1784	Bklfgo32.exe
1404	Bafndi32.exe
3140	Bkobmnka.exe
260	Blnoga32.exe
4740	Bdickcpo.exe
4872	Coohhlpe.exe
3124	Cfipef32.exe
3920	Coadnlnb.exe
1016	Cbpajgmf.exe
3588	Cnfaohbj.exe
2228	Chlflabp.exe
1244	Cofnik32.exe
1500	Dkokcl32.exe
2972	Dmohno32.exe
3160	Dfglfdkb.exe
2368	Dmadco32.exe
4188	Dfiildio.exe
4584	Dflfac32.exe
860	Dmennnni.exe
4660	Eiloco32.exe
1624	Ebdcld32.exe
2904	Emjgim32.exe
1324	Ebgpad32.exe
4320	Ennqfenp.exe
4024	Eehicoel.exe
664	Epmmqheb.exe
3440	Eifaim32.exe
3472	Efjbcakl.exe
952	Fmcjpl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ljclki32.exe	Lqikmc32.exe
File created	C:\Windows\SysWOW64\Joicekop.dll	Lekmnajj.exe
File created	C:\Windows\SysWOW64\Anmfbl32.exe	Aeaanjkl.exe
File created	C:\Windows\SysWOW64\Ibknda32.dll	Bklfgo32.exe
File opened for modification	C:\Windows\SysWOW64\Gmfplibd.exe	Gflhoo32.exe
File created	C:\Windows\SysWOW64\Aqjpajgi.dll	Cnaaib32.exe
File opened for modification	C:\Windows\SysWOW64\Aeaanjkl.exe	Qlimed32.exe
File created	C:\Windows\SysWOW64\Bklfgo32.exe	Bnhenj32.exe
File created	C:\Windows\SysWOW64\Kbmimp32.dll	Lmaamn32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfpkm32.exe	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Gfhndpol.exe	Gmojkj32.exe
File created	C:\Windows\SysWOW64\Jniood32.exe	Jljbeali.exe
File created	C:\Windows\SysWOW64\Ondljl32.exe	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Ccoecbmi.dll	Bhhiemoj.exe
File opened for modification	C:\Windows\SysWOW64\Nnkpnclp.exe	Neqopnhb.exe
File created	C:\Windows\SysWOW64\Bohgljdl.dll	Kcpjnjii.exe
File created	C:\Windows\SysWOW64\Jbnffffp.dll	Oldjcg32.exe
File opened for modification	C:\Windows\SysWOW64\Bklfgo32.exe	Bnhenj32.exe
File created	C:\Windows\SysWOW64\Ghjnkpdc.dll	Gmafajfi.exe
File opened for modification	C:\Windows\SysWOW64\Cnaaib32.exe	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Pdfehh32.exe	Peahgl32.exe
File opened for modification	C:\Windows\SysWOW64\Iojbpo32.exe	Imiehfao.exe
File created	C:\Windows\SysWOW64\Gbhhlfgd.dll	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cbpajgmf.exe	Coadnlnb.exe
File opened for modification	C:\Windows\SysWOW64\Gfeaopqo.exe	Flpmagqi.exe
File created	C:\Windows\SysWOW64\Npiiffqe.exe	Mjaabq32.exe
File opened for modification	C:\Windows\SysWOW64\Phfcipoo.exe	Pjbcplpe.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Coegoe32.exe
File created	C:\Windows\SysWOW64\Hkpmpo32.dll	Omcjep32.exe
File opened for modification	C:\Windows\SysWOW64\Lggejg32.exe	Lmaamn32.exe
File created	C:\Windows\SysWOW64\Ibingd32.dll	Fnipbc32.exe
File created	C:\Windows\SysWOW64\Pqknpl32.dll	Holfoqcm.exe
File created	C:\Windows\SysWOW64\Jiejjepo.dll	Hlbcnd32.exe
File created	C:\Windows\SysWOW64\Bppgif32.dll	Klfaapbl.exe
File created	C:\Windows\SysWOW64\Kjjbjd32.exe	Kcpjnjii.exe
File created	C:\Windows\SysWOW64\Mqdcnl32.exe	Mcpcdg32.exe
File created	C:\Windows\SysWOW64\Ekfcklij.dll	Cfipef32.exe
File created	C:\Windows\SysWOW64\Mlelal32.dll	Imkbnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ilcldb32.exe	Ickglm32.exe
File created	C:\Windows\SysWOW64\Qlgpod32.exe	Pocpfphe.exe
File created	C:\Windows\SysWOW64\Hdbplg32.dll	Gfeaopqo.exe
File created	C:\Windows\SysWOW64\Dfjehbcf.dll	Iepaaico.exe
File created	C:\Windows\SysWOW64\Jmeede32.exe	Jmbhoeid.exe
File opened for modification	C:\Windows\SysWOW64\Jgbchj32.exe	Jniood32.exe
File created	C:\Windows\SysWOW64\Phfcipoo.exe	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Panhbfep.exe	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Alnfpcag.exe	Anmfbl32.exe
File created	C:\Windows\SysWOW64\Mbbiec32.dll	Adikdfna.exe
File opened for modification	C:\Windows\SysWOW64\Bhkmec32.exe	Bnfihkqm.exe
File created	C:\Windows\SysWOW64\Cfipef32.exe	Coohhlpe.exe
File created	C:\Windows\SysWOW64\Ffnknafg.exe	Fligqhga.exe
File created	C:\Windows\SysWOW64\Fenhjedb.dll	Hedafk32.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Bajqda32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjgfb32.exe	Lgpoihnl.exe
File opened for modification	C:\Windows\SysWOW64\Kmieae32.exe	b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe
File opened for modification	C:\Windows\SysWOW64\Neqopnhb.exe	Njinmf32.exe
File created	C:\Windows\SysWOW64\Flkkjnjg.dll	Bkobmnka.exe
File created	C:\Windows\SysWOW64\Diinlj32.dll	Coohhlpe.exe
File created	C:\Windows\SysWOW64\Oclknk32.dll	Fpimlfke.exe
File opened for modification	C:\Windows\SysWOW64\Ipeeobbe.exe	Iepaaico.exe
File opened for modification	C:\Windows\SysWOW64\Imkbnf32.exe	Iojbpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Ocohmc32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhenj32.exe	Bhkmec32.exe
File opened for modification	C:\Windows\SysWOW64\Kqfngd32.exe	Kmieae32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7156	7040	WerFault.exe	253

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjgfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lggejg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pajeam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjnkpdc.dll"	Gmafajfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfipef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbhoeid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoalgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfihkqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgiiiidd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfaohbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmfplibd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goglcahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paoollik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebgpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omcjep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjinodke.dll"	Aamknj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqcmdnk.dll"	Hplbickp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmieae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnkpnclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmifh32.dll"	Ebdcld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hedafk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goglcahb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kegpifod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjjbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmokdgeg.dll"	Kngkqbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleeje32.dll"	Lqikmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joicekop.dll"	Lekmnajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeaanjkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdbplg32.dll"	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebdcld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilqoobdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lqikmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qlgpod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npiiffqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iojbpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjgfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klcekpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figmglee.dll"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mepfiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flkkjnjg.dll"	Bkobmnka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifjfmcq.dll"	Jmeede32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjgaoqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjokon32.dll"	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micgbemj.dll"	Chlflabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpbba32.dll"	Eehicoel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgdfb32.dll"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhenj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcneqod.dll"	Efjbcakl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmcjpl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 3424	1836	b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe	90
PID 1836 wrote to memory of 3424	1836	b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe	90
PID 1836 wrote to memory of 3424	1836	b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe	90
PID 3424 wrote to memory of 1456	3424	Kmieae32.exe	91
PID 3424 wrote to memory of 1456	3424	Kmieae32.exe	91
PID 3424 wrote to memory of 1456	3424	Kmieae32.exe	91
PID 1456 wrote to memory of 4764	1456	Kqfngd32.exe	92
PID 1456 wrote to memory of 4764	1456	Kqfngd32.exe	92
PID 1456 wrote to memory of 4764	1456	Kqfngd32.exe	92
PID 4764 wrote to memory of 2576	4764	Lqikmc32.exe	93
PID 4764 wrote to memory of 2576	4764	Lqikmc32.exe	93
PID 4764 wrote to memory of 2576	4764	Lqikmc32.exe	93
PID 2576 wrote to memory of 864	2576	Ljclki32.exe	94
PID 2576 wrote to memory of 864	2576	Ljclki32.exe	94
PID 2576 wrote to memory of 864	2576	Ljclki32.exe	94
PID 864 wrote to memory of 368	864	Lekmnajj.exe	95
PID 864 wrote to memory of 368	864	Lekmnajj.exe	95
PID 864 wrote to memory of 368	864	Lekmnajj.exe	95
PID 368 wrote to memory of 3852	368	Ljhefhha.exe	96
PID 368 wrote to memory of 3852	368	Ljhefhha.exe	96
PID 368 wrote to memory of 3852	368	Ljhefhha.exe	96
PID 3852 wrote to memory of 4404	3852	Mepfiq32.exe	97
PID 3852 wrote to memory of 4404	3852	Mepfiq32.exe	97
PID 3852 wrote to memory of 4404	3852	Mepfiq32.exe	97
PID 4404 wrote to memory of 2852	4404	Mcecjmkl.exe	98
PID 4404 wrote to memory of 2852	4404	Mcecjmkl.exe	98
PID 4404 wrote to memory of 2852	4404	Mcecjmkl.exe	98
PID 2852 wrote to memory of 492	2852	Mmpdhboj.exe	99
PID 2852 wrote to memory of 492	2852	Mmpdhboj.exe	99
PID 2852 wrote to memory of 492	2852	Mmpdhboj.exe	99
PID 492 wrote to memory of 440	492	Nghekkmn.exe	100
PID 492 wrote to memory of 440	492	Nghekkmn.exe	100
PID 492 wrote to memory of 440	492	Nghekkmn.exe	100
PID 440 wrote to memory of 1596	440	Njinmf32.exe	101
PID 440 wrote to memory of 1596	440	Njinmf32.exe	101
PID 440 wrote to memory of 1596	440	Njinmf32.exe	101
PID 1596 wrote to memory of 4480	1596	Neqopnhb.exe	102
PID 1596 wrote to memory of 4480	1596	Neqopnhb.exe	102
PID 1596 wrote to memory of 4480	1596	Neqopnhb.exe	102
PID 4480 wrote to memory of 1440	4480	Nnkpnclp.exe	103
PID 4480 wrote to memory of 1440	4480	Nnkpnclp.exe	103
PID 4480 wrote to memory of 1440	4480	Nnkpnclp.exe	103
PID 1440 wrote to memory of 2068	1440	Oloahhki.exe	104
PID 1440 wrote to memory of 2068	1440	Oloahhki.exe	104
PID 1440 wrote to memory of 2068	1440	Oloahhki.exe	104
PID 2068 wrote to memory of 1572	2068	Omcjep32.exe	105
PID 2068 wrote to memory of 1572	2068	Omcjep32.exe	105
PID 2068 wrote to memory of 1572	2068	Omcjep32.exe	105
PID 1572 wrote to memory of 2932	1572	Oldjcg32.exe	106
PID 1572 wrote to memory of 2932	1572	Oldjcg32.exe	106
PID 1572 wrote to memory of 2932	1572	Oldjcg32.exe	106
PID 2932 wrote to memory of 3256	2932	Olfghg32.exe	107
PID 2932 wrote to memory of 3256	2932	Olfghg32.exe	107
PID 2932 wrote to memory of 3256	2932	Olfghg32.exe	107
PID 3256 wrote to memory of 1356	3256	Olicnfco.exe	108
PID 3256 wrote to memory of 1356	3256	Olicnfco.exe	108
PID 3256 wrote to memory of 1356	3256	Olicnfco.exe	108
PID 1356 wrote to memory of 1664	1356	Peahgl32.exe	109
PID 1356 wrote to memory of 1664	1356	Peahgl32.exe	109
PID 1356 wrote to memory of 1664	1356	Peahgl32.exe	109
PID 1664 wrote to memory of 1720	1664	Pdfehh32.exe	110
PID 1664 wrote to memory of 1720	1664	Pdfehh32.exe	110
PID 1664 wrote to memory of 1720	1664	Pdfehh32.exe	110
PID 1720 wrote to memory of 1120	1720	Pajeam32.exe	111

C:\Users\Admin\AppData\Local\Temp\b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe
"C:\Users\Admin\AppData\Local\Temp\b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\SysWOW64\Kmieae32.exe
  C:\Windows\system32\Kmieae32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\SysWOW64\Kqfngd32.exe
    C:\Windows\system32\Kqfngd32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Windows\SysWOW64\Lqikmc32.exe
      C:\Windows\system32\Lqikmc32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Windows\SysWOW64\Ljclki32.exe
        
        C:\Windows\system32\Ljclki32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\SysWOW64\Lekmnajj.exe
        
        C:\Windows\system32\Lekmnajj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Ljhefhha.exe
        
        C:\Windows\system32\Ljhefhha.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Mepfiq32.exe
        
        C:\Windows\system32\Mepfiq32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Mcecjmkl.exe
        
        C:\Windows\system32\Mcecjmkl.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Mmpdhboj.exe
        
        C:\Windows\system32\Mmpdhboj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Nghekkmn.exe
        
        C:\Windows\system32\Nghekkmn.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\SysWOW64\Njinmf32.exe
        
        C:\Windows\system32\Njinmf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Neqopnhb.exe
        
        C:\Windows\system32\Neqopnhb.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Nnkpnclp.exe
        
        C:\Windows\system32\Nnkpnclp.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Oloahhki.exe
        
        C:\Windows\system32\Oloahhki.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Omcjep32.exe
        
        C:\Windows\system32\Omcjep32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Oldjcg32.exe
        
        C:\Windows\system32\Oldjcg32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Olfghg32.exe
        
        C:\Windows\system32\Olfghg32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Olicnfco.exe
        
        C:\Windows\system32\Olicnfco.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Peahgl32.exe
        
        C:\Windows\system32\Peahgl32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Pdfehh32.exe
        
        C:\Windows\system32\Pdfehh32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Pajeam32.exe
        
        C:\Windows\system32\Pajeam32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Pmaffnce.exe
        
        C:\Windows\system32\Pmaffnce.exe
        23⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\Paoollik.exe
        
        C:\Windows\system32\Paoollik.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Alnfpcag.exe
        
        C:\Windows\system32\Alnfpcag.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\Adikdfna.exe
        
        C:\Windows\system32\Adikdfna.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Bnfihkqm.exe
        
        C:\Windows\system32\Bnfihkqm.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Bhkmec32.exe
        
        C:\Windows\system32\Bhkmec32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Bafndi32.exe
        
        C:\Windows\system32\Bafndi32.exe
        38⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Bkobmnka.exe
        
        C:\Windows\system32\Bkobmnka.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        40⤵
        Executes dropped EXE
        
        PID:260
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Coohhlpe.exe
        
        C:\Windows\system32\Coohhlpe.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3920
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        45⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\Cnfaohbj.exe
        
        C:\Windows\system32\Cnfaohbj.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        50⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        51⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        52⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        53⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        54⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        55⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        56⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        58⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Ebgpad32.exe
        
        C:\Windows\system32\Ebgpad32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        60⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:664
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        63⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3980
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        67⤵
        Drops file in System32 directory
        
        PID:1196
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        68⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4772
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        72⤵
        Drops file in System32 directory
        
        PID:180
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4232
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        79⤵
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        80⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        81⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        83⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        87⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        88⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        91⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        92⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        95⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        96⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        98⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        101⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        103⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        104⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        105⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        107⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        108⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        109⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        113⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        114⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        115⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        117⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        118⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        119⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        120⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        121⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        123⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        124⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        125⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        127⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        128⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        132⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        134⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        135⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        136⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        137⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        140⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        141⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        142⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        146⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        147⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6284
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        149⤵
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        150⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        151⤵
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        153⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        155⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        157⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        159⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6860
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6904
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        163⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        164⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        165⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 408
        166⤵
        Program crash
        
        PID:7156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7040 -ip 7040
1⤵
PID:7116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:6920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aamknj32.exe

Filesize
236KB

MD5
b1818cffea6bb5712417eeec8db5a1a5

SHA1
bc68832798dae22e3b6ae7e917860842dc19cc81

SHA256
65a5d7963832d36d44405546e89a44e9daf9c2a6676c18c2c61b50b77f6589d2

SHA512
0d197cdb2791be5f41f698d55222ac337c9f619895685f7e72fda8a1dc04f250c0ec36840aa1720aaba1f9d818070939ab66b199707d183fd1c5627c19dafd15

Download Submit
C:\Windows\SysWOW64\Adikdfna.exe

Filesize
236KB

MD5
c7092bf348271ebb9ce38db1093094a9

SHA1
e8c024c2e46e75e2eb1edabe069e5be646b4fcf3

SHA256
bc649d629f3f59072515c01ffaaba96e2a8340f43eddb589f377ea805ef6552b

SHA512
ca7ca1b7e1e9131827d60a44b2df2406ebed61ed35d356ceaaa7f9f5e83264583ade226c522478f85e41f4178bba6cb8e965d6fc2081874ae41c0d3b9ddb4fad

Download Submit
C:\Windows\SysWOW64\Aeaanjkl.exe

Filesize
236KB

MD5
17df5181f4a2aa953c3b86f598961679

SHA1
f1c5949ecf24ad8cd1277539bc1a251b1ad82091

SHA256
11421d18327787fe3452040f680105ba4ab88e9460033915b7a1b63fd0a594c3

SHA512
6a8b3a7aafd8d283f46b02c11b0be4d15bc80c9a9677d2b4851c7ff775298f9ecf2f4e78086aaa8c08241a7d56042c64ef6185a3ea3b1ab6373cef1251718c5b

Download Submit
C:\Windows\SysWOW64\Alnfpcag.exe

Filesize
236KB

MD5
2ebecee2112983bf949b23b32240435a

SHA1
a72a1b3d82575e9d7c0c65c6eadd1b7aa9c61d0f

SHA256
e42d01a798a3ea97d0323e55fd3fdb2365cbcfd146bd1c7c1095d0bb6db5d1b2

SHA512
c1829f0c82b20839c1f6642f2a1481a86da9bac2d6c43b6ca600a067e31d10d6570e45165a909cc18c52a2a2a2d5f3e7dc2d2992c99c4f1fbdcd40c0dcaf2712

Download Submit
C:\Windows\SysWOW64\Alnfpcag.exe

Filesize
236KB

MD5
c78aad6d20d5707bf9e0baaa5874d5f3

SHA1
4594f09e532c5aaede17348433616b95adc0860f

SHA256
9ed2ed25d017463b2de9614cb0e152b3e2b006b3d0ddca53a4c3f0a868f7794a

SHA512
9f06e3b03091f430732727778d6689425d04800d6630ea473e2e085fa5aae206047536c0f56015661b1bcb6c31e3eecd377e894a36b04d009de6069600903206

Download Submit
C:\Windows\SysWOW64\Aoalgn32.exe

Filesize
236KB

MD5
be26f3e154f917891c2cb3cc38dc4913

SHA1
598c76f768cebc8d3f3f36fc555a1bee36032910

SHA256
360a88f39db515399f3ff44e6a6f937a701bba3debc06406c65ff34899bb1ff5

SHA512
5e96a30d2c3c6c42b45241472cd0dcc872b7a22f8c2d6f38949b1125cebb73a61bcd41abd149a47f20945b943da29b7f91aac16a4baffea6a3cef0fe6a23a538

Download Submit
C:\Windows\SysWOW64\Bdickcpo.exe

Filesize
236KB

MD5
fe4adb8c763d79b76871a615cf13ef34

SHA1
ef92f1fd73169c16f7f32c47f86942e088d28126

SHA256
d583c871d24cf4d5a602a1c5f204310636c95ee8111f96b8e8431ed87a02aaff

SHA512
8b0257a5025b361b92c44f45752e69394a4c5fd098179b189d65a35b8856d2cb54f9406fb6d675245a42a313d3890d6703d4b61e86194649187321d32cec0cb8

Download Submit
C:\Windows\SysWOW64\Cfipef32.exe

Filesize
236KB

MD5
aa4d1c3b77f8008701eda3ad95a74d8e

SHA1
b767e5228c6c7909e12c7f742a32bd1c619408f7

SHA256
f1fcdefa7d30e0b113acd6dcd3202576fd6244e6dd1af441014cf234304e84bc

SHA512
4beff639a7f408572929fffb1033459e01c1204a550922325ac7e8d1b7b947696a04eed0e452e4705636feb7eefeb16d057714dc4cae48e41852fab002ee6086

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
236KB

MD5
683fd74f36d8fccacaf2860a4eb7526e

SHA1
7d47c7b0b3368b28683a366a7b7bb3bd45047252

SHA256
a6af1c6c4d80fffc5e4cb07a3d5cc115c5cbcb5b5b66c1ec3894fa3779ca993c

SHA512
169a3b70ef0c8468112a67647d5e55871bcf047ab2bc36069f976f477b156beb76184b291ea476e06c9be818e7809137a24a2bc2dece660f2b21bb7d93ca9c3e

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
236KB

MD5
7ef7f0c8a51d1f44059a91481b33d27c

SHA1
723cebbb58c865251a888a3d740e56c1359c76a4

SHA256
58ca5f40bd000bcf04f4ff0d0ea2558a821ad7c4c4f53a07324369ee703b0d03

SHA512
c34e2a4ce3bab575fed9344a70d128e7299e2d2cdc6922f49888bcbd404da508af48bd9fc8476a619c5764755190c7375101ae4b7cd9bc678e2c56531149fecf

Download Submit
C:\Windows\SysWOW64\Dmennnni.exe

Filesize
236KB

MD5
6fdb530a2e8574d59a17451345ce8510

SHA1
84b0e3303fee53db473e5b46994e88714dc14b4a

SHA256
cabec04917bc5cb9dbff4ac5ab76867fcb9895cb77cd6c0e23f7202039b44bb5

SHA512
f0e7b5b79a5ecb7f477d1dde83da29a6f23181c13bfad0c841ee57a9d66eb0a03dafee95dc786a1fa8015c0fa96bc2313bfb728f849a76a4727d855ca583210d

Download Submit
C:\Windows\SysWOW64\Ebgpad32.exe

Filesize
236KB

MD5
ca7dff443235c1d31dc7536a40ffe0c8

SHA1
8a48d8adc6f9a42cd2e97d1afe69ac5bd2c4c831

SHA256
ec61242e6e04581bc86b4addc424aa41463252a0e9966dd9681022b7aa05e215

SHA512
0c5c3750d865dd01e37436be3bcfc58f462725f83cc9867b155251729a2055c6af4db56113efc6d3c3dbca185066b966e9092acb9020afaf50cd6e1faf98a34f

Download Submit
C:\Windows\SysWOW64\Feoodn32.exe

Filesize
236KB

MD5
f390a4da2eecfaab16a2b7e25ceb5699

SHA1
f23bbfde9c4a77568a52776eddcacc41c46bdec3

SHA256
deb7ada03de393ac838df7efc5540d60bca9cf39ad354be0c828e164a0945609

SHA512
12e312ec75fd2b950e285a603d93be85628f242063fc2703fd88a058cf1aefa046ec1e318c69b7c5bc4922edcee727377af8ee8c893eea1bdde9e9880b320d70

Download Submit
C:\Windows\SysWOW64\Fnipbc32.exe

Filesize
236KB

MD5
cc83b6058cfd3f46942d053fa884211d

SHA1
c5e8e24520857cdf78eabb718e41bd7edf1ce19f

SHA256
e44d94500c922f36cb05ed9ecda653d60f9f155e4b293020353c9029e043ecfb

SHA512
ee6fce903e0dc445c73d75e1f2bbfb3a11735219c4ef68f7f78e6f0bcd17e856441c7df9ef672a2b155f0b2e7868cc122319b20cd0651414438f00f9732fa5b8

Download Submit
C:\Windows\SysWOW64\Fpimlfke.exe

Filesize
236KB

MD5
7a49fce374d0eaad318ccac0a9ddfeb5

SHA1
27901b0778de20a3d99e5d6a2a1805e5a068215f

SHA256
61f9a134238599e9a32d8c8de3ceb1cff5b5c847974e4fe51a847ae1d62e002f

SHA512
f73bd5446e4ec439f818e193d3e914bf8b1cf3d7c421fc948fb9ccdee5cecec8a3d186596877a44dd3e2e06ac18b98bfbcb2dfbb298f866b8917d05d6ba0ad83

Download Submit
C:\Windows\SysWOW64\Gfeaopqo.exe

Filesize
236KB

MD5
cb17d83da98c7a4202229342847e0a63

SHA1
80eca27188b90426b85dd21873a18e6bef64dc8c

SHA256
2a2cfc8dc9f26ce0e4fb984b0dd81fb8db18162ea727905f64f3f0998e9454fa

SHA512
710737281125840cc1b8e7940e052d24ddecbcad7a5e5bf915c8e228b10c993888e30c0ffdaa61f9261880645d19a436ba33014c89faf20fdae437e7f3b98d11

Download Submit
C:\Windows\SysWOW64\Gojiiafp.exe

Filesize
236KB

MD5
fcdd3270a33a563ce86d068782a27294

SHA1
298b0608a113366f2e7a6e0fb4d5b4ed0a106a98

SHA256
285b1c9aa1e4d1d6fda279f2adda86ad4c1bc4e6f6a2777ab9e139fc7ab1dea8

SHA512
b25bf19031d766e7c8ea53feba96aef85c07cbfd4a029b623ddd36a4b85dcae770930e5396c450f3aa8b78aa0d15155361629d0bc9ca15ee9d0d0b38877d2325

Download Submit
C:\Windows\SysWOW64\Hpqldc32.exe

Filesize
236KB

MD5
68d35c9df80a7304a97e0ac4d01490fb

SHA1
d97dd33562fdf8424449a4c997f566d31802fda5

SHA256
53cb58cecae76cd54f12b6cdfb1c4fe220ec189c62e40b1404d3d228bf52f4d6

SHA512
4c6e1dabd8dd7a71019a2e4f4b85d6b6a3fc6a0b0f8ac99aa1059b8d055d38ba9e80325b69aed2cac8423bbaecd80369e1b6a2bb3c680e4a36f3789a7c67b5cb

Download Submit
C:\Windows\SysWOW64\Jljbeali.exe

Filesize
236KB

MD5
1ca6ed1c4c633e1faae739d0bf769d49

SHA1
1f764ce2eef7f242e40de3723a708e0c3ecb6cf0

SHA256
300ff5d9a0659d3a47a38d1547ee4cbc292ec7109d76e03094de670fb0693ff8

SHA512
c2c43f39e8c6683bd64b18dc1dc5c7aa8686738739d6055a5750ab4d8824930593cc5425e64d55d0ba5cfd95f2d182cf26203de9b05a467b3cc731206232fbfc

Download Submit
C:\Windows\SysWOW64\Kmieae32.exe

Filesize
236KB

MD5
61eb77dc91a5b7247d8bc525d82b8a38

SHA1
2e9d8c677038283a69524ae02502e52d7acf8c5f

SHA256
4654c4be7ebd13ab35a601918f33b122adbf39a49e1b10a0571f3527f99f89bd

SHA512
caed1441576fd7510d88b603a9ef60e7a5e1e48ac295b6dce3edb005dfe982f53aa9a9f89e2cccf3acf00c4719ae9dfd2232cbb8ccb809efb51404c4d6b94aab

Download Submit
C:\Windows\SysWOW64\Kqfngd32.exe

Filesize
236KB

MD5
331d53683bde8033b758bfecba9d4bbb

SHA1
36e35508b8251133dfb834b6eb04f30245de3597

SHA256
a8fc6710bc703f1a2319ba73cf88c8cba1d927054bc812ad2c26c7c4ad11bcf7

SHA512
77bb58e80092897b48a89e8313ad051b40f21f57554289aab5543a3dceaa4ec2d0671cd663219b0b60a857bb572af0e9f492a2997a3c08075f80f98a20453def

Download Submit
C:\Windows\SysWOW64\Lekmnajj.exe

Filesize
236KB

MD5
8d81f0e8034ca2dcc80201d88c8e4e44

SHA1
d0c1cef4f2dbfe953835ddef129da4faa96f6e59

SHA256
b1a5a27fa899e03a1d0f3797b6cd08db5cedae5a9e91fea74c90f2a2fe9eddb3

SHA512
c017c33c0ed8472b3380691fed2207e3107811c944b3a5440ede810bcdb47b4074c9936d33f61a7d904e97930ac6e7fda461192af66710c2f4f2932efc20965a

Download Submit
C:\Windows\SysWOW64\Ljclki32.exe

Filesize
236KB

MD5
c9f0bb05f6e6d9f53e5c556d1ef6d288

SHA1
62e46897a5bfc8d2f4f2cb7dc489f54903cf0d97

SHA256
e92831622c0738eab89f610bdad01b9e9164e395084dc78e89dc44ef0290097d

SHA512
298069ea1893eb7a22bd144a90dda29fc2001c0dcad49d4d24579d22e2036ecedb9f8735e90b56a4ecd3328b95ce31f5e0840e229406b13bdfb9a2b9aa4b1c19

Download Submit
C:\Windows\SysWOW64\Ljhefhha.exe

Filesize
236KB

MD5
d61ed3d50045e113d91b20467bef28c5

SHA1
c1443c1d836345572ff8a18656ae164f8e1e4e9a

SHA256
69a46afb6ca6a71ecc3e6cbc47f5c799dc67036cdcb29e57551f003d992a80f1

SHA512
0c330cb5c8498cbf16ef21ca73b7634ee7f302d1cb8b43d49532fb2e7b778317933b0ff11a5c9bb5b2ca2a152533017636483eafb3bbda2ad76af918968be7cd

Download Submit
C:\Windows\SysWOW64\Lqikmc32.exe

Filesize
236KB

MD5
cec214cf22fefeb2383548fc73da499d

SHA1
088afabb554af67ce3d4ddc44834f3a1969cd30b

SHA256
dd73d484bd2296d07bd1ca54104d44dd5a0ff0c3a30d495a7ba4388e0bcd751f

SHA512
3830716309cd0005f2b2193f57bc4b001934c3c03ffbe54daf66782928468d109d028606fc18a4f8df4879d9f5890009785e8a6fefa663c8c7f1fda627ae5ab9

Download Submit
C:\Windows\SysWOW64\Mcecjmkl.exe

Filesize
236KB

MD5
10fe2540920f8b2c88f78527fdf50756

SHA1
85dfc36cc35600fbee67eb99fbbf4a88c3659bac

SHA256
4a4a22cba1b199ff08988945e3cd8845f13e2ed7cedc9f3f3ba42651d358ddf6

SHA512
25956e7872cd91626530534755422ecff4cd6e37771428b2e3d0c8b0ae4b6773d27994815ad13fec9eced572091c524ce16fe597ceb7359d064a01c5563450de

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe

Filesize
236KB

MD5
932e4ebbd773a96371fc36185b8bd1b8

SHA1
7182f26042b913f0f5caf6f104e4a6f0d8e7c86e

SHA256
7418a79299a3b9158584d0fa536eaa1c9a657c09bc466184284c23066befd466

SHA512
357cc49307ea527f705d6e406f1e6359dc325d6d0c3fcb3d53bce1e257c53966e8778feb4bc7c0df8650f4f848ef252b691d06b030f1e10ae09ffa300b40cc6d

Download Submit
C:\Windows\SysWOW64\Mepfiq32.exe

Filesize
236KB

MD5
fbd0d7683bab09f2989d78ede10234a5

SHA1
107232569a49b89cc452919ae69d9a1beea89c26

SHA256
672e94822eaed866d42b78082a626b8fee23696004ff2babe49079b62e8234d7

SHA512
6997a302ee4617f098f742985fe523a360456b257ae208165911d57a5f87a5ffb81171d6f7df034441eca43fdb2d49b3699f9e1aaf868225cf7ec0168a3c7e78

Download Submit
C:\Windows\SysWOW64\Mgphpe32.exe

Filesize
236KB

MD5
fdd9c7882e43379b6c602fe90be70d7c

SHA1
0f7197d875e45d5c2b8028ab64df7fb39ba6a180

SHA256
943715da274a7ce84708b9eff36a4826420106df01e9d8e84a30dec8bd51301d

SHA512
d1f3c229d8262d5b80012885ab664e84eb408563fee5716d94de380a5b71e356587c86824badf7809bc72249ef48d888333517166b4efe7aaa4cb8a6d63a4950

Download Submit
C:\Windows\SysWOW64\Mmpdhboj.exe

Filesize
236KB

MD5
9a492fecfbf10564e6372fbf263a4289

SHA1
247a0ba79bcbcfe7a9914114fe4a19f2d427c1df

SHA256
3bc31606c0c18a19751620d4de7de5b98ba3fcf9e9d5d07eea754a6c4f586264

SHA512
7cb740d38a992ea7d6a110b17a229931876682a6069c42d9df10894964a0b910e6c37530a609b574c8cc78374fc5248956268d3c051d2797c3f4bd82d2c70bb4

Download Submit
C:\Windows\SysWOW64\Neqopnhb.exe

Filesize
236KB

MD5
ef525440e693cfebd3ae54038db6bd21

SHA1
189096176ac349fc44c318f149542e5187900bef

SHA256
b6989dd66b6167ae79adddb0c27f0f74d5b87a2b97e6c5ef33ed2cc57bdbda88

SHA512
8a25fe50765d9da6014cb6945b96bfa78bdcf2e768322cbad35361c702b8db7a3557517d2a8246b3c0bf917b51e42de186e57808c64be8f4f8c5d226160597ea

Download Submit
C:\Windows\SysWOW64\Nghekkmn.exe

Filesize
236KB

MD5
da0ff4a6afffff7de140d96298a50a2b

SHA1
8c6613213de0612e841264134a452192e04a04e5

SHA256
ded46691e8afbfc645abe79d80b1d4b871b98877fbaa0dc7f285a164d386f079

SHA512
dd24e88171b43c103e32faa60725d64bb49c20f3fe1b3b84974f6599b1215b203a2da1adab6e938e550d74734549980a8936b83cdfe1a56fdb8affb18f262f90

Download Submit
C:\Windows\SysWOW64\Njinmf32.exe

Filesize
236KB

MD5
4823120cef34e438f805f9990477bb97

SHA1
11347bea5ff9fd7a72a0b80c11b0ee074c123c3a

SHA256
31868b5a19f12b3f10eca7334fedb8450a5453aca2b5348b059c184126756f06

SHA512
460afc54f3426b8483bbd030b2bf6eacf70c1a4dd33b1e36bb1a1f3c587f7a7e58e982ae29a00a5316f072ddaae0da33c9ad0032da9a1e915e33525d365aaf8d

Download Submit
C:\Windows\SysWOW64\Nnkpnclp.exe

Filesize
236KB

MD5
8c3286d2874cab3ec231c0018e03a8d3

SHA1
b05f2fe092ae74515615dc89945b5df8c3e77487

SHA256
0450a3f0f538a928f198da56e4184372c12eb3fab95713b9cabe454791d0f875

SHA512
d31f47d75a5b12a77e8039d185e2eb45fc56457a100a10cd49eec2b70db1490fb941bf9bc57399a3382d67fad83506d1b618b46bcbe4096717a870e2ea7adeb2

Download Submit
C:\Windows\SysWOW64\Oldjcg32.exe

Filesize
236KB

MD5
72d0b9c15fe8c601f99148bea02cc39c

SHA1
95a8c56be71a50ebae4ec424d697c366a8733bbc

SHA256
86940352cc9f1f17b620dedcda4f2aa731f0f826c5570d2b3f22a963eb4894ce

SHA512
a71289f6ec975618ccb4bc4830a49a015902977e271f50de5ced8c0042f16b5df2815f6a0be15c1252327f35f7ddf1947ef6498eff39cc220c22d0b4cc640a61

Download Submit
C:\Windows\SysWOW64\Olfghg32.exe

Filesize
236KB

MD5
234ec4a9b409e5d4671ced5993c920d8

SHA1
bd7d4a2cd58cba5a584c82dce2aae1d8fc39db77

SHA256
8574a0f55563316356b7aa7cf63b1a180a1bf8f27aa25ba7994a35143edf879f

SHA512
624af3f7f2f84df815404be62c5bfe7dbbf502f69059664b0d9c5d3993725909bb03fb5474fdc6c28862ee961ebe0fbdc0194cf72ae9c3526fedc62fa420e994

Download Submit
C:\Windows\SysWOW64\Olicnfco.exe

Filesize
236KB

MD5
e4f768534c501545f95b3287ec8fe093

SHA1
e2bcae2402660cb460cd3f44b050bb39c702d350

SHA256
d45947323260e6a5eaef45263593d871201bbb53eb3180136b0067d760b31cac

SHA512
1948536db7f35f6da1edac67d90903b05f528d805b3d5c2fbf723868065a4dc2d4000a8780475e3d9362bd4fe1017aa78bf7037007db3a2b5b2bc33d9e03560a

Download Submit
C:\Windows\SysWOW64\Oloahhki.exe

Filesize
236KB

MD5
e1bf4b243bf8198ade247c6506faae64

SHA1
cd1af756d1cfadb1bb590e2da1aa5ba0c8f702e6

SHA256
4b458940e2ec8896e9c1cc0c8b473565ba5c154ae3454193bcd81ccc969b3414

SHA512
5a5ee95ca23700c25557048369d12b45d005d7b7a8f6504385a1e03137c041002be16b2fb1949b6b4c176e263ee155433990b31bccd41b0aa94e6207bb17d63d

Download Submit
C:\Windows\SysWOW64\Omcjep32.exe

Filesize
236KB

MD5
551e02078d6fa726de0163ae3668ac56

SHA1
449b9ef6a0c0252183d5308a6a73bead04d51bfb

SHA256
17ff822a87c3a96dc0a1337c82b18ae41262cbf5a7512c049af438f742fd815d

SHA512
de41d8afb21ab1148840601508a6e35ff7413dc1b76503ff44dd65178482d3d3b98a2e3e90b3f7d548c14d51d3cb46f155fd25bd1aa6ce12ca3db5c729501fc8

Download Submit
C:\Windows\SysWOW64\Pajeam32.exe

Filesize
236KB

MD5
4aa2a1a10b8337f4ad70a551e0f1f8f5

SHA1
8ecaed2a41a01683317361c93319ef3ccf9ea9f3

SHA256
27e75cc61fcae87b8e25100bd6cf96bff5e92f5ce2e81ecdd04213e693b1e597

SHA512
ca369b4b3eb0f2aa14d460f9b8ddcfc1c68b5144f226cdc65e6ffe8d698720aef7597d09e25017c442c698f385304c7dd05294ea63b540b577cd75bdabd5c032

Download Submit
C:\Windows\SysWOW64\Paoollik.exe

Filesize
236KB

MD5
3b4e9501dbe695f2359e1755749ed159

SHA1
c4404084542a174e3a72c9a57ef248b997bb8808

SHA256
c6af3cbeae6a887e0b1735fd0391b379daab11df3e980490be1fec0afd09939e

SHA512
a99a598229c13d1121375a540c91b90d97d4c442c0df09ad87e6739f304601e02f394fbfb0f53117f6e0a44b9b4691835503984522b57d68d52cf29561fee452

Download Submit
C:\Windows\SysWOW64\Pdfehh32.exe

Filesize
236KB

MD5
9b47a56eedd4fae4d27f10e10b33a36d

SHA1
6468f2786156450b0626cfb2803d1725bdb7dca4

SHA256
1d3d28b837a00e83a17379c3e922218b05503bdc9b891623bedfa30f61f90a15

SHA512
374dabaceed8ed5cd5ab03a5a98004af90d32228e7e8a304d555b2403b1d119afafa76a9810dd98ff750a5873c3cbeb2fa9ecc256b13c160b016d75fe82decce

Download Submit
C:\Windows\SysWOW64\Peahgl32.exe

Filesize
236KB

MD5
998a5445b5fb25e4976bd42d15e27b33

SHA1
a77d97d3db3d58ad0cd0b6672e31ed44c4cdbee6

SHA256
da8d4012af12ea6ab00c7273b000303b822864730e644262067635d4514b1a61

SHA512
834d50f5479b6029df83e74ecfa1a01540c4aeab572d035de759dbccb75156478e17b8ab69cfd4095a48c23765b52bc6a9242ff050b9735dea0da03d44441871

Download Submit
C:\Windows\SysWOW64\Pmaffnce.exe

Filesize
236KB

MD5
c8e24f807e29b61d8e143ab904cef92a

SHA1
babf0ca64dd9978fa4fd652021cd0a0210e92810

SHA256
a913b2dd334cbbef1ca9fbde8dd0748a7f1aa108c47540c927cdebf2e65279fb

SHA512
ddb0cba7434b505fe03564979f817618942b287d677f938ef81f7a01e31fae3021c3fa0b4c5e67d7938d4574f7681f614d120eefa38350a6489a1fc804d76c67

Download Submit
C:\Windows\SysWOW64\Pocpfphe.exe

Filesize
236KB

MD5
bc2ef3b816da4f92d78b914562779254

SHA1
db93196b781dacf5f34d545a99f295b219733f84

SHA256
8e2936eead6ae133434677f6bde0f8e0654bb81d2174d2c1160a3c5e3e5aa91f

SHA512
5f15c139fc98d7f54f86b066f188780a6c02c1b4b0833b258c2d826bd52f686a18e835e94dea4de5d9ee761ebfdfccd301e68b8e742be3294484bae01cbbdf42

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
64KB

MD5
1b5ce1c3cc5fb7ba00894672da75cca4

SHA1
2839de1b16d294fa5c0037d29f8f9b1fdde62177

SHA256
27610726ea896a7332fd97b62058ba5f901f9285e14c02baea12225422ba85db

SHA512
1906ada7e7574fb420d22134e4f0a0db8ba3189d5f041a5e2d0d18bb942140948f233e8a59a7abf3dc7067614aad343b68bee27078bfbce1f9f2a6ca7960becf

Download Submit
C:\Windows\SysWOW64\Qlgpod32.exe

Filesize
236KB

MD5
2b1c49e39dc4cd73ed17605f12aa2994

SHA1
410f075e34b7efc53b0cb13e4ecd48e1e2fc34cd

SHA256
3a5bc497bdbfd58e673d3c9faa57aa403bc2243ef2c965816e4e6382e8d0fa65

SHA512
c4e084269a40bbba14c3caa591c4c749beea6008980e62c4924b7327797111ed56442399fd0decdb15e07974e5421f94d45f9ee30101a4045cbe2a88835ca822

Download Submit
C:\Windows\SysWOW64\Qlimed32.exe

Filesize
236KB

MD5
15c22f4f9152ac1d132b6cb6a667fbd5

SHA1
ad0335d595c8d0ab32e91a434e1735bac98bd1c8

SHA256
0406d403a1b5def30a4b6ae838ebb8326db40db5df0780562a05906c5206cc8f

SHA512
823042af9f7184c963d13dcdbb35c197cbe859b3928c3ed62db5ae78b81b5339647949c4f2a0568ebbdefa10301a4f1d327dc61dc63ffd977288a30ceda17a61

Download Submit
memory/260-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/368-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/492-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/664-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/860-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/864-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1324-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1456-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1784-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2068-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2368-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2940-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3036-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3160-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3424-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3464-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3588-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3852-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4024-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4188-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4740-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads