3a4ab986f9f504fc5da3c36f9cd763ae32e8c5922de633f78d280925bf5af0d1

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a4ab986f9f504fc5da3c36f9cd763ae32e8c5922de633f78d280925bf5af0d1.exe
Size

128KB
MD5

c49ec862aa6f8cfebbf5ae0e9c9004e5
SHA1

26ad5dcdffde859545eb8e0f9f0db41312aa14bb
SHA256

3a4ab986f9f504fc5da3c36f9cd763ae32e8c5922de633f78d280925bf5af0d1
SHA512

207afa2948af4b16f359da50471e65a1a9869722eef50aa8037716a566473d7fe80e15602e12e41138172df46eb04f4ebf691ed1c1a5e09929fee588ec8b9b4a
SSDEEP

3072:2ncbeOhJuaoC4wIuGPxMeEvPOdgujv6NLPfFFrKP9:22RhJuK4wBGJML3OdgawrFZKP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhpao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Likhem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejojljqa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Komhll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnbeeiji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpochfji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edeeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahokfag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jokkgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqeioiam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apnndj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnbeeiji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pagbaglh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gihpkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hahokfag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gghdaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhqefjpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apnndj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhqefjpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekcgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmdgikhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilfennic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieojgc32.exe

Executes dropped EXE 64 IoCs

pid	Process
720	Jgmjmjnb.exe
2440	Jokkgl32.exe
4120	Komhll32.exe
376	Koodbl32.exe
528	Kpoalo32.exe
3216	Kcpjnjii.exe
3944	Kofkbk32.exe
3956	Loighj32.exe
4124	Lokdnjkg.exe
2356	Ljceqb32.exe
4336	Lnangaoa.exe
3440	Lncjlq32.exe
2376	Mqdcnl32.exe
3380	Mcelpggq.exe
4000	Mgeakekd.exe
2428	Nmdgikhi.exe
640	Nqbpojnp.exe
3392	Ngndaccj.exe
5092	Ngqagcag.exe
2868	Ombcji32.exe
2300	Ojhpimhp.exe
1928	Pmiikh32.exe
4848	Pagbaglh.exe
4428	Pffgom32.exe
3280	Pfiddm32.exe
2388	Qjfmkk32.exe
3972	Qfmmplad.exe
1456	Afbgkl32.exe
1124	Aajhndkb.exe
3424	Akdilipp.exe
1576	Baannc32.exe
4584	Bmhocd32.exe
3572	Bknlbhhe.exe
4944	Bahdob32.exe
2152	Cdimqm32.exe
3236	Chiblk32.exe
4720	Cacckp32.exe
1376	Dpiplm32.exe
4632	Dpkmal32.exe
3096	Dggbcf32.exe
4436	Doagjc32.exe
4464	Enfckp32.exe
2164	Enhpao32.exe
2592	Edeeci32.exe
4664	Eqlfhjig.exe
3928	Ekcgkb32.exe
2020	Fkfcqb32.exe
1200	Fqeioiam.exe
1492	Fecadghc.exe
2128	Feenjgfq.exe
3356	Gicgpelg.exe
608	Gghdaa32.exe
3704	Gihpkd32.exe
2448	Gpaihooo.exe
3728	Glhimp32.exe
3548	Hlkfbocp.exe
1616	Hahokfag.exe
4280	Hbgkei32.exe
1752	Hpkknmgd.exe
1948	Halhfe32.exe
4996	Hpmhdmea.exe
756	Hejqldci.exe
1992	Hnbeeiji.exe
2532	Ilfennic.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pfiddm32.exe	Pffgom32.exe
File opened for modification	C:\Windows\SysWOW64\Fclhpo32.exe	Eahobg32.exe
File opened for modification	C:\Windows\SysWOW64\Qfmmplad.exe	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Gicgpelg.exe	Feenjgfq.exe
File created	C:\Windows\SysWOW64\Likhem32.exe	Kcapicdj.exe
File created	C:\Windows\SysWOW64\Ljgmjm32.dll	Oophlo32.exe
File created	C:\Windows\SysWOW64\Pmbegqjk.exe	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Dpopbepi.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Ngndaccj.exe
File created	C:\Windows\SysWOW64\Kcmfnd32.exe	Khgbqkhj.exe
File opened for modification	C:\Windows\SysWOW64\Mcelpggq.exe	Mqdcnl32.exe
File created	C:\Windows\SysWOW64\Qimkic32.dll	Mgeakekd.exe
File opened for modification	C:\Windows\SysWOW64\Aajhndkb.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Gbhhqamj.dll	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Njogfipp.dll	Nqaiecjd.exe
File opened for modification	C:\Windows\SysWOW64\Dajbaika.exe	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Mkfoeejd.dll	Ombcji32.exe
File created	C:\Windows\SysWOW64\Kolfbd32.dll	Bahdob32.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Cgfbbb32.exe
File opened for modification	C:\Windows\SysWOW64\Ejojljqa.exe	Ecdbop32.exe
File created	C:\Windows\SysWOW64\Gikgni32.dll	Baannc32.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Odaodc32.dll	Gpaihooo.exe
File opened for modification	C:\Windows\SysWOW64\Gghdaa32.exe	Gicgpelg.exe
File opened for modification	C:\Windows\SysWOW64\Hejqldci.exe	Hpmhdmea.exe
File created	C:\Windows\SysWOW64\Jpgdai32.exe	Jbccge32.exe
File opened for modification	C:\Windows\SysWOW64\Pmiikh32.exe	Ojhpimhp.exe
File opened for modification	C:\Windows\SysWOW64\Ojcpdg32.exe	Oqklkbbi.exe
File opened for modification	C:\Windows\SysWOW64\Adepji32.exe	Aadghn32.exe
File created	C:\Windows\SysWOW64\Dajbaika.exe	Ddfbgelh.exe
File opened for modification	C:\Windows\SysWOW64\Bmhocd32.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Glhimp32.exe	Gpaihooo.exe
File created	C:\Windows\SysWOW64\Piocecgj.exe	Pcbkml32.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Aglmllpq.dll	Ieojgc32.exe
File created	C:\Windows\SysWOW64\Ieppioao.dll	Enfckp32.exe
File created	C:\Windows\SysWOW64\Mpaqbf32.dll	Hpkknmgd.exe
File created	C:\Windows\SysWOW64\Fallih32.dll	Hbgkei32.exe
File created	C:\Windows\SysWOW64\Hnbeeiji.exe	Hejqldci.exe
File created	C:\Windows\SysWOW64\Eaceghcg.exe	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Gghdaa32.exe	Gicgpelg.exe
File created	C:\Windows\SysWOW64\Iaidib32.dll	Obqanjdb.exe
File opened for modification	C:\Windows\SysWOW64\Pagbaglh.exe	Pmiikh32.exe
File created	C:\Windows\SysWOW64\Pffgom32.exe	Pagbaglh.exe
File created	C:\Windows\SysWOW64\Qjfmkk32.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Lhenai32.exe	Lchfib32.exe
File opened for modification	C:\Windows\SysWOW64\Lokdnjkg.exe	Loighj32.exe
File created	C:\Windows\SysWOW64\Ejhfdb32.dll	Kpiqfima.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Obgohklm.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Pagbaglh.exe
File opened for modification	C:\Windows\SysWOW64\Mapppn32.exe	Lpochfji.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Fqeioiam.exe	Fkfcqb32.exe
File opened for modification	C:\Windows\SysWOW64\Mablfnne.exe	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Lodabb32.dll	Ojcpdg32.exe
File created	C:\Windows\SysWOW64\Djkpla32.dll	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Ldicpljn.dll	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Jlkklm32.dll	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Hlkfbocp.exe	Glhimp32.exe
File opened for modification	C:\Windows\SysWOW64\Hnbeeiji.exe	Hejqldci.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Cdaile32.exe
File opened for modification	C:\Windows\SysWOW64\Mqdcnl32.exe	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Jpnakk32.exe	Ihdldn32.exe
File opened for modification	C:\Windows\SysWOW64\Lhenai32.exe	Lchfib32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6596	6388	WerFault.exe	249

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmbbe32.dll"	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhphpicg.dll"	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikifc32.dll"	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombnni32.dll"	Loighj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopnkd32.dll"	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfoeejd.dll"	Ombcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqeioiam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadghn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclkag32.dll"	Gghdaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhqefjpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpkknmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahhjomjk.dll"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lokdnjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kefiopki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolphl32.dll"	Ejojljqa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkffgpdd.dll"	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbbme32.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaecci32.dll"	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqnbqh32.dll"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3a4ab986f9f504fc5da3c36f9cd763ae32e8c5922de633f78d280925bf5af0d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdjljdk.dll"	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkgblln.dll"	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll"	Lokdnjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Halhfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipaooi32.dll"	Dggbcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caecnh32.dll"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backedki.dll"	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpkknmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpiqfima.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmbegqjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egbken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lokdnjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enhpao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnebjidl.dll"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqolaipg.dll"	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkpla32.dll"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hejqldci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbpjm32.dll"	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpopbepi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 720	3540	3a4ab986f9f504fc5da3c36f9cd763ae32e8c5922de633f78d280925bf5af0d1.exe	91
PID 3540 wrote to memory of 720	3540	3a4ab986f9f504fc5da3c36f9cd763ae32e8c5922de633f78d280925bf5af0d1.exe	91
PID 3540 wrote to memory of 720	3540	3a4ab986f9f504fc5da3c36f9cd763ae32e8c5922de633f78d280925bf5af0d1.exe	91
PID 720 wrote to memory of 2440	720	Jgmjmjnb.exe	92
PID 720 wrote to memory of 2440	720	Jgmjmjnb.exe	92
PID 720 wrote to memory of 2440	720	Jgmjmjnb.exe	92
PID 2440 wrote to memory of 4120	2440	Jokkgl32.exe	93
PID 2440 wrote to memory of 4120	2440	Jokkgl32.exe	93
PID 2440 wrote to memory of 4120	2440	Jokkgl32.exe	93
PID 4120 wrote to memory of 376	4120	Komhll32.exe	94
PID 4120 wrote to memory of 376	4120	Komhll32.exe	94
PID 4120 wrote to memory of 376	4120	Komhll32.exe	94
PID 376 wrote to memory of 528	376	Koodbl32.exe	95
PID 376 wrote to memory of 528	376	Koodbl32.exe	95
PID 376 wrote to memory of 528	376	Koodbl32.exe	95
PID 528 wrote to memory of 3216	528	Kpoalo32.exe	96
PID 528 wrote to memory of 3216	528	Kpoalo32.exe	96
PID 528 wrote to memory of 3216	528	Kpoalo32.exe	96
PID 3216 wrote to memory of 3944	3216	Kcpjnjii.exe	97
PID 3216 wrote to memory of 3944	3216	Kcpjnjii.exe	97
PID 3216 wrote to memory of 3944	3216	Kcpjnjii.exe	97
PID 3944 wrote to memory of 3956	3944	Kofkbk32.exe	98
PID 3944 wrote to memory of 3956	3944	Kofkbk32.exe	98
PID 3944 wrote to memory of 3956	3944	Kofkbk32.exe	98
PID 3956 wrote to memory of 4124	3956	Loighj32.exe	99
PID 3956 wrote to memory of 4124	3956	Loighj32.exe	99
PID 3956 wrote to memory of 4124	3956	Loighj32.exe	99
PID 4124 wrote to memory of 2356	4124	Lokdnjkg.exe	100
PID 4124 wrote to memory of 2356	4124	Lokdnjkg.exe	100
PID 4124 wrote to memory of 2356	4124	Lokdnjkg.exe	100
PID 2356 wrote to memory of 4336	2356	Ljceqb32.exe	101
PID 2356 wrote to memory of 4336	2356	Ljceqb32.exe	101
PID 2356 wrote to memory of 4336	2356	Ljceqb32.exe	101
PID 4336 wrote to memory of 3440	4336	Lnangaoa.exe	102
PID 4336 wrote to memory of 3440	4336	Lnangaoa.exe	102
PID 4336 wrote to memory of 3440	4336	Lnangaoa.exe	102
PID 3440 wrote to memory of 2376	3440	Lncjlq32.exe	103
PID 3440 wrote to memory of 2376	3440	Lncjlq32.exe	103
PID 3440 wrote to memory of 2376	3440	Lncjlq32.exe	103
PID 2376 wrote to memory of 3380	2376	Mqdcnl32.exe	104
PID 2376 wrote to memory of 3380	2376	Mqdcnl32.exe	104
PID 2376 wrote to memory of 3380	2376	Mqdcnl32.exe	104
PID 3380 wrote to memory of 4000	3380	Mcelpggq.exe	105
PID 3380 wrote to memory of 4000	3380	Mcelpggq.exe	105
PID 3380 wrote to memory of 4000	3380	Mcelpggq.exe	105
PID 4000 wrote to memory of 2428	4000	Mgeakekd.exe	106
PID 4000 wrote to memory of 2428	4000	Mgeakekd.exe	106
PID 4000 wrote to memory of 2428	4000	Mgeakekd.exe	106
PID 2428 wrote to memory of 640	2428	Nmdgikhi.exe	107
PID 2428 wrote to memory of 640	2428	Nmdgikhi.exe	107
PID 2428 wrote to memory of 640	2428	Nmdgikhi.exe	107
PID 640 wrote to memory of 3392	640	Nqbpojnp.exe	108
PID 640 wrote to memory of 3392	640	Nqbpojnp.exe	108
PID 640 wrote to memory of 3392	640	Nqbpojnp.exe	108
PID 3392 wrote to memory of 5092	3392	Ngndaccj.exe	109
PID 3392 wrote to memory of 5092	3392	Ngndaccj.exe	109
PID 3392 wrote to memory of 5092	3392	Ngndaccj.exe	109
PID 5092 wrote to memory of 2868	5092	Ngqagcag.exe	110
PID 5092 wrote to memory of 2868	5092	Ngqagcag.exe	110
PID 5092 wrote to memory of 2868	5092	Ngqagcag.exe	110
PID 2868 wrote to memory of 2300	2868	Ombcji32.exe	111
PID 2868 wrote to memory of 2300	2868	Ombcji32.exe	111
PID 2868 wrote to memory of 2300	2868	Ombcji32.exe	111
PID 2300 wrote to memory of 1928	2300	Ojhpimhp.exe	112

C:\Users\Admin\AppData\Local\Temp\3a4ab986f9f504fc5da3c36f9cd763ae32e8c5922de633f78d280925bf5af0d1.exe
"C:\Users\Admin\AppData\Local\Temp\3a4ab986f9f504fc5da3c36f9cd763ae32e8c5922de633f78d280925bf5af0d1.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\SysWOW64\Jgmjmjnb.exe
  C:\Windows\system32\Jgmjmjnb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Windows\SysWOW64\Jokkgl32.exe
    C:\Windows\system32\Jokkgl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\Komhll32.exe
      C:\Windows\system32\Komhll32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:376
      - C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        30⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        37⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        38⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        39⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        40⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        42⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        46⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        50⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:608
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        57⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        67⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        69⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4452
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        71⤵
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4156
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        73⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        74⤵
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        76⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        77⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        79⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        80⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        81⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        82⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        85⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        87⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        89⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        91⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        93⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        94⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        95⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        96⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        98⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        99⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        105⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        108⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        110⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        111⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        112⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        114⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        117⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        119⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        120⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        122⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        124⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        128⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        129⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        130⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        134⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        135⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        137⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        138⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        139⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        140⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        143⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        144⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        146⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        147⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        148⤵
        Drops file in System32 directory
        
        PID:7056
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        151⤵
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        152⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        153⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6388 -s 428
        154⤵
        Program crash
        
        PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6388 -ip 6388
1⤵
PID:6496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:7156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
128KB

MD5
28175984553705ef9fb3b1c8c16e46b3

SHA1
d1ba057c9dfbde8b35fc6c5f045ca07bf5e68a89

SHA256
61baa6332240e77244c466c456f54d4c1f6719bccabe8b84c81f25c91f9f7163

SHA512
b99d3cf2a91b80a2d700a3d9bf78edffee5c9d4f336ce3821a7911563b99b3b831625e521b889ef620d11fbd50ac975caf2da4678a4012fde1401a772c6ee468

Download Submit
C:\Windows\SysWOW64\Adepji32.exe

Filesize
128KB

MD5
c9a64f4f983b09ce9b676918f0319340

SHA1
234a3dcc14f6b0fd8f9538d950127dd965b7fb0a

SHA256
2ae9d5f107bda825d824c2396335ff6bc7ac94b0f3b77c33badfe68cace8d94d

SHA512
1dafb58f10585e20ce5b6456e51014c1af0b3ee79cd928784a002db716917df2efcfcef2caf2d829aa7d7d90e5cdf820bec355d65f5323ea719c16be46fb52ca

Download Submit
C:\Windows\SysWOW64\Afbgkl32.exe

Filesize
128KB

MD5
69967e733e4621310f988db77eef9a4f

SHA1
8b476ef4271fde9add657dd8609ad02054109223

SHA256
70f8119b6c8972659fc78e54f6970c56a5904e831593a4ccc2d92570fe89bed5

SHA512
1b4bb8cce01973a432651daaf244f3a8625747f87c6e75ecdc18e623899adef4d2ca5f246d712ce54e7a474b8954aece2ba0b8e9d0456ebf731391fe33940ec8

Download Submit
C:\Windows\SysWOW64\Akdilipp.exe

Filesize
128KB

MD5
e965bf4fc556755c0d2b110b223b368a

SHA1
5e35c4fd5c79862fbd934248c57432e4168a6f3e

SHA256
222d021b5a98a6f13253980c9f2ce9fac754281ef119ab86587e35d618b92f58

SHA512
f6aaaf55861fc0b1cd9f0e306739da7349b6b535ef48ad5525a614ea123ab5d0c8781853168148418d6e428b25089851ebf30f783b939c8405cfdea55ae06e20

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
128KB

MD5
3e4e0c532e43c60d57f2d72d14fe65ca

SHA1
d5663cf1f79baafb8d1eebf9bec0bb6291a01454

SHA256
2d9268e6ae7b390c3d60a19f5a8c0884c0197e92cf8462f98eeb3d504347e936

SHA512
9eafb47383dbd76c875f36b49129f232f146eb4b9ca5a8ae11a957e6ab8d5b37fa1f4f491bf628ef9033a9326005ae0fe00a816ab4f1072f8cd46e8646acfbc7

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
128KB

MD5
04bd3a8ac44d7a6dc1e9f6415b189611

SHA1
76f503a54dd85ebb243bc2b8963694a2d82f52e4

SHA256
cd66333f2174d2db67d0e9036b8bc89d1c1fdbba788a8a364339b63453169560

SHA512
f0c8183c16bcc762bf3807a9f7c4dbbd05a773a3c2fc2de57efb4198f094f631406d5f253e81dd7e683d6d8f23de6618db291817860b96dfcedbaecb247cadd8

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
128KB

MD5
cc39b9f4683e3ac6d318766354bd1b4a

SHA1
be37b754f88c8b6763dfe3078313ad1d057b2c49

SHA256
9c7160d0b4f0a14481d4e6d7838d8f8c5333adba6658d9f00ee55e20c4a03428

SHA512
0989cb42b6a441b896134dc67c738c1c663f5c3803f9673f36718db769eaa2cddb321d32cb510dfbce882b319c0c2fdc13431d20cea91aa0a26ae432736534d8

Download Submit
C:\Windows\SysWOW64\Bpqjjjjl.exe

Filesize
128KB

MD5
61ce28f8fc73386edd166740a5c6f14a

SHA1
6997ee6a71e4875e6a83f846eaa43b239bb8de10

SHA256
90c1d499a421ce0f5a1b95fcb11f364b1bfe798e4d59b78d9d95baf27a6906fa

SHA512
d70d331cd03395643ba88b8a9ab2a038d3d7a392d68f2e6c4cfd20be45b33ec008e35d86e151fdad4e59c70d53d422cc942055c4f6bb6374843090275457bdb8

Download Submit
C:\Windows\SysWOW64\Cajdjn32.dll

Filesize
7KB

MD5
b2f6628e9b055834ed7ffafc5e84fabe

SHA1
da031077ceee806ad1de71d7d9a36243a9843bdc

SHA256
20533cd14fdcb05cdc253dedcd1c7a32d25dee0c58262e9fe0dbda5bfdc57ea0

SHA512
a0cc752a57f306d67a45cbea0165ca509c0e6d09bc1bc4e27184b5dcbed9899a13105582e00f634c310e8f33308518048807c4f92f7501178844a48fc921e500

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
128KB

MD5
43a333496cb760cd782f3dc60d36b36f

SHA1
93ae3d5a9989fff0ee829c47af778ed856bccc1a

SHA256
d9ffe16f44317294d205c8c6a88126ba40b6287d2cd2867f6891e65072f88fd5

SHA512
a18e2871749f877dd39ad3457e7e5943fdc3c294d6d88c24a7c800d54b1671084ba188eca8edc355b04601abeaa7f4a05917ceebe33c1f1152fa233e6158344e

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
128KB

MD5
21fc0ab3b4fd3ba15308d54857a64ef1

SHA1
36f95f7e069a15594640754cc28d4ea4a6c6acbc

SHA256
e71b7a40323456b959c5e08eb5a7dcbce34476c9a0228ea1cd8c1c84bc6645c2

SHA512
ac4495c6533853065c7272dffac509c0354cd843f28362ef4c72dcb65033ea4bec7a89dd465c3e1a3f6a2543c51d753839da14c7deae5771b9e9467ababbed98

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
128KB

MD5
5c30b9b2349eb9723d0259c90ba494dd

SHA1
0055fdd9cf05501639a4d0a24e4a9635de1f5761

SHA256
3366d13550f8f4fd41b5a78313e19063347e05e893a4dcfc68b7cc54ee1e617e

SHA512
ed6bd2c0d6920ab660fa64ede8e06177454bb248a3f2a05cc5fea23fed3846350388f71a5743a8af6e685af440d2ea37ec967a52b9fca0730541ce94a5cbb478

Download Submit
C:\Windows\SysWOW64\Dggbcf32.exe

Filesize
128KB

MD5
51fa195407a4268bfe5ecf58ee154da0

SHA1
debd63c8e8eb7bc7a89679dae1e49d3760d4f15d

SHA256
e15d4528fa895c65310698e3f6bafc8f9d45104bde1d8c1d7aae620fa7baaac4

SHA512
5aeec5a1f09fe5bcaea31ec2a080961434893d1968daa48d37b380b390ed74162429029abf231e0741bcb2031188a8a1e57a2876985fd6a02e2d5d7157e59ba9

Download Submit
C:\Windows\SysWOW64\Edeeci32.exe

Filesize
128KB

MD5
2a68c9d172e92d3064d1fe6d59077599

SHA1
e57deefbba853a0500a5ee270cb0f469d3c2d18e

SHA256
c46a938068cf758512ebcf318df77c378026a596cee7de6b512e85f712611717

SHA512
150561e524e12733db49daca209d325b0859fd8ff8f456d9e753882e11c458d15214f638ec79be1e1ce43fc887295f8531d01193fc696e144d5f672ec7a46ec3

Download Submit
C:\Windows\SysWOW64\Ekcgkb32.exe

Filesize
128KB

MD5
945d9b6635bf7fd9a45321a5e81c2685

SHA1
ceb01905c12cf565fc84fae7af68e6cd36f14ab0

SHA256
92ccba546084aee755759cad0edb2a5353e0751d186e2e083937f658321e0076

SHA512
9dcfeea5e3f8ef82dc898df297983197e6be33b1c8df0b79034de83b547e4c000feb9cc163f55e6216e60dcec093c10ecd9d6c000b86b8c82cb5c8d53e72305b

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
128KB

MD5
4430f8c2ac4c91b713c1b11a515b2276

SHA1
8a931c41f6ab5f6f9c7c5e115f0155e21aed661b

SHA256
fa59eca0e7d8c80b0188a25ff1a79feb6b791f5678d015fd896f65db72f8f91f

SHA512
5dc6990a97ce7bee98985d44403ae3af4d19a596e5a9de3bca2048f60c17e2cd8d01c3ec22d41dfc1f5be803933c8dda4ad180547e6a040dbf0850178f5ce2ba

Download Submit
C:\Windows\SysWOW64\Hahokfag.exe

Filesize
64KB

MD5
c3738838f9b5059505bd524235e3d393

SHA1
11ac5f3b9aa1d2ab1249035992989911ddef3c3c

SHA256
fd16f4047e2400de9b12fff32e26278194b493b94dff4b2be0c942fbd52d357a

SHA512
cf150459a7818a7a441330697442a280d209193a7e80ce6fa5758e916cc994d55853976245d2f735b7dd5e732f13ec92777b9eff8b4c7852b38c69f6418a867a

Download Submit
C:\Windows\SysWOW64\Hnbeeiji.exe

Filesize
128KB

MD5
4ccc3f6e5bae8bf5f255ca1b064a554f

SHA1
6e805afff06745cc4fa1a5c88914015719a76d30

SHA256
bc438f65de5a10869dcf285570006bdc80408ab90fd3a91e92e689f7bdef808e

SHA512
a143109d28a4140051364de9cfdcf20b6edf8beff16210e866d113e14b7a5a3097d2c460520d04d5e9a846822e17c72dc555dfac5faac9f88795463e0a851aff

Download Submit
C:\Windows\SysWOW64\Ibegfglj.exe

Filesize
128KB

MD5
96282d1fe29429cfac335a3232d6d714

SHA1
b588330ff01606bbf2c27fc539bfdc03e6cdb29a

SHA256
bd6e5ef74be4f804b89065c35dab7e6acac0130ac6db74864191b2b48d7ad477

SHA512
7ab5c8e98b844a9277260e3338e82539040aed3b7ba863312d7827ed649e9b8421d15749ccee1e000cf307cd7b9cca4451d390b77d875f05dfd4b1bea57de7ba

Download Submit
C:\Windows\SysWOW64\Jgmjmjnb.exe

Filesize
128KB

MD5
4f6775af064d909540994135d945eddf

SHA1
8a6673d070095ddd6e467088fde0b8fe15561789

SHA256
4ca7ce8aa2c6ba26fc70813c8dbdb61660e24be92323d49735c9977323bb839b

SHA512
cdac75fe39662ce2f5aeff599fd843af75b68bab44da15ee37ab1c1fd43c659e0626a0fb02e735c6bd4d449a374a91d3d3167d387c85790302648b9fc1dcb3c4

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
128KB

MD5
1370c26e044e379dabf76ead5ccc82b9

SHA1
e0befac735d96ab0cdf76ea7f8fb372fd9e126d0

SHA256
27d56bdfcbc69c88aa40395d5abc1daa7d956430fd9061ec03d43ebaf04087d7

SHA512
a36125f050302ec08be5754fe819f4c3838131431591152c1e0ee95475af3001b56180f159672c7300b6b8cd3f55687588835215c19f5822ad8a1766b1a82a1a

Download Submit
C:\Windows\SysWOW64\Jokkgl32.exe

Filesize
128KB

MD5
4383cb7232bda67e612f5b84e5411f4d

SHA1
b019d3a34d6361d7d249e24e313ae24540211e31

SHA256
d1f78f6dd000373f9c4c65394788a75e112a127a8d67b5e1e47c52cfba76d6fd

SHA512
6c50dcff72798d9de63128369afed90d2044dd3e14018fa0b787ea98c3a157f6ad3bfdc5e8ca12011d5418b2166cf8f908f15dcbdc4caa6aa7a0e06d5646c7ad

Download Submit
C:\Windows\SysWOW64\Kcpjnjii.exe

Filesize
128KB

MD5
663d0889c0e9ff16458e5f4e7ed5cd24

SHA1
58d9061b8c1050cbc99510438a12bbbcb2bd409b

SHA256
4d0ca84eb9c39bb345d618d1605edff43b87617814681f7fc4dc36a1edc33138

SHA512
97bf9335df4a68c16def5407e62d0d09b4a1f30d90823620da1ae51c9269d7e2ef90a11729f69f2c2b42fbbd09964d3ba2a0aaafb70d18cfeedd89ad58e24098

Download Submit
C:\Windows\SysWOW64\Kofkbk32.exe

Filesize
128KB

MD5
6b1cbb487465c59a4848648d047f632c

SHA1
49a0deaa101d1794045fda5f1bf2c4623ddd54c9

SHA256
e2ccdef986d5cdb174935f13b98a2fadc41755d84eb7aadb8d2a5d75d2787a98

SHA512
3ade42c4af71fd2b2dcd6c1419ff8750a971e361988f103ac207a57cde27a3db2338d1c87956b60e43c87ca62fdc2be6a19bfe4294e14b581a82e01543f69cf5

Download Submit
C:\Windows\SysWOW64\Komhll32.exe

Filesize
128KB

MD5
6e615996e51044c47c4c37fc73cb58af

SHA1
4b30e9f59b5cc604d98a14e79563b5506e7b89ad

SHA256
183e8990bd7cf67bc172c6b619b2a9da805b89c7cf4fbcb22db7874e5c3c2225

SHA512
7e4f04ec40887eb79c2f03ea0d10cfb5df445b5a28efe3071d2c289cef8d168d70fdb0a0c672ff3153d00ef525b015f3d70191c42b1ac84a85c35a6fe617230e

Download Submit
C:\Windows\SysWOW64\Koodbl32.exe

Filesize
128KB

MD5
e115e76572696850d9401180c7c76ff0

SHA1
d993e296e2864c4c83ddb984ef8f9d54151643c5

SHA256
acf833abda885b3ad21c87990934929617a83c1ac3acff38b3415ce5b4c2e4eb

SHA512
a4ce90a33a13d791f1a3c11d54a00b118d5fb97b1bb68f9c070bda8a44c8884ac59f56a04bb2c517eaa7886e650fdc861365c363dea78315fefe5eff324485d6

Download Submit
C:\Windows\SysWOW64\Kpoalo32.exe

Filesize
128KB

MD5
b26cfedd0ec409d0ecb1af4ee730b988

SHA1
deae1a2c97a655199b30d1117a72355684429866

SHA256
946cb9a69d7be6c535110b39bdfa129788ce620c3c36f0c702ab94334758211f

SHA512
be6fb9dcfdedfca596135db68abcb2188d12ed5a465150e79d00c25912e0189261c68990bc512700a43a8740d38ce2ad8a6ab2b22433032338975c26013fa50e

Download Submit
C:\Windows\SysWOW64\Lchfib32.exe

Filesize
128KB

MD5
eae3d6d357bd7468f8b1931072dc40c4

SHA1
dc5fa1977851882d9a86d877cf9736681cd63e35

SHA256
13678f860e4c6f09a59ec9631409471fde16cee6f98e302b513ac08fa067bfb2

SHA512
92a905eb083c617a12f3b9aedad026a4d62d2045305ea8df2a331b6f36e2758057914b9d8cc9d08b62c5cb2864b5905d28383a4d4b8d257aaa124181f1b0048f

Download Submit
C:\Windows\SysWOW64\Ljceqb32.exe

Filesize
128KB

MD5
425df3ec0310abb5a1dd2fe642fd5584

SHA1
47c0896e21a77fb954e648e11ce7a687dcf715cb

SHA256
d5355f0313959f3bf9b293bc530c86b6a0570ab48594e73dec3ec143cd0ab500

SHA512
20a8144e0e78cbd5a4842b933fcbf113bf69b1daeaca4642e9130797458b5726c1d07363dac338418e1c0ccd11ccb8822c2e2f28395656a9cad6453ee8d1b831

Download Submit
C:\Windows\SysWOW64\Lnangaoa.exe

Filesize
128KB

MD5
6b96340a25db21d954712ca837478cf3

SHA1
7fecc5275db63f39fe3c8e7f08858fd001ec0bc1

SHA256
a373733cdc82696d4e0682c5e73dee4c746e443420bc99b1700efe8fa42f5f9c

SHA512
5b96754835022e86de60c27ddca13fc22d91fda217c4c245c059eba9bbb3aa433774e9a80485a82702a3285d4ab0048beb9dfa69d4c94aeed904aa5b553d8402

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
128KB

MD5
a0de01a38d851a3b6f1bb67a376d69c1

SHA1
c4fb3bf6373779de3edecd4cd0ba743bd616a7ea

SHA256
7d3841b0d4bbaa787e078990fc06198ac2a68b0121497c160adfac721d14e8ff

SHA512
6b925a1b8ff77b35310280136b3055dabd25c5ae572eeb4315a34241edd6ac99c131915b8f2172c17283afbf8be5c73e2f877626dfb40df7395e4bf21b98b75f

Download Submit
C:\Windows\SysWOW64\Loighj32.exe

Filesize
128KB

MD5
ff2bd18fa4b0dea7bbdd3840785c5a6f

SHA1
9f714df1f80ac47281a2f3b2ac8eb2d54cac6d9e

SHA256
286fcc0201d4fa3b7032e51bbe1af52f8a3eba6ce2d1740b3066f80d258dd3a0

SHA512
16bfbfde441319f38c564d737d759e8fee22dff4e032b3c784f5b51709e9860bea7c2a39e98e055c80ec8733fdd98e24f40e947be3e9777f102f61be5e7f3ab7

Download Submit
C:\Windows\SysWOW64\Lokdnjkg.exe

Filesize
128KB

MD5
d7a04c18986a1b4f10f13283338c40a1

SHA1
02081fbea532b1c69e89adc2b6a2f4a8c45f4022

SHA256
0b8a1f38f377f403b10296dcbdb9b2179f90c7ef2130a5208bcb988c39394ea4

SHA512
17d8f09fd62526cf80c668b3c5087a9b4685aae0e7f0131d12845410fa338e091736bc359de63db7fda55d5c28fd2714b94332be93acb8574ecc6d2643d0c699

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
128KB

MD5
796ca516104c45b56cad23fd00fa53c5

SHA1
ea3e80392caab3fc8af901aa964259f54d293dc5

SHA256
9e07b61c9923766d8168f4b39f8637865599542afde34b6b779de8271dd0d5f4

SHA512
4f44c09c8506c62e0c62b73eee8714865fe17f7fb88a0dfa0ce5facf9bb79335648283040204a4fdc3b529092de853ad2086d00d0590bef5ccabb97acbfd7592

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
128KB

MD5
f7b9679af2387b2003f76e64f9f74d17

SHA1
11e6f5342d0ce5406020f71586c8ad074b984aa8

SHA256
bc68202d994d6d350d80a1e26713fdc13d6f9ecb3f0f7b473937245ea8bea72e

SHA512
fa26445a9d4a61b2487734e7802cd65002f88d2e96bf61ace63cabccc87733a90fb79188f134c4dc68777ea340ea84502bab06bcffdec76ffdbec35da10a28c7

Download Submit
C:\Windows\SysWOW64\Mjlalkmd.exe

Filesize
128KB

MD5
5800cb49ae38abdff8f7f25f7aef2d85

SHA1
6c9b15fbee9a34a74fad2cba9367559330309be2

SHA256
db01180f63d62df216f2f5550c964c440e4456bfbe98db172e98528ed9aa785c

SHA512
ceb11a729f7952d8fd213c9f5a4ad227f7647afbcbd06c704f1db187729dff587f6080e926b1736766e0b0f1507979f39a4aa19ebf058a0829d0f51e187f5287

Download Submit
C:\Windows\SysWOW64\Mqdcnl32.exe

Filesize
128KB

MD5
0fd6b8adf859c6af17494522861bcbea

SHA1
14329608d2741fae3747962e10f6ab0c5ab17a45

SHA256
74f174f02e8c328df19e0f8d2fadc988945320aa21d8a3a84e0d869a5af40364

SHA512
d90d6ad634e95fdefc552a62eb86c468f6a811f54861f4076347ba0efbf67ce3c245d4cdd574a01966f88e176c93aaddc32606ce8c76e126d1737f68d40e702b

Download Submit
C:\Windows\SysWOW64\Nfihbk32.exe

Filesize
128KB

MD5
5f65ffd2e6e0ccf38c1243d5d345a0cc

SHA1
91d593986efed12b0f0002df67d5cda87af95739

SHA256
ff061ce7869057af10ecd983057e041232382e98ed89a9ef48cd477981351589

SHA512
50ea3e6eec941e13e46df812d3e94f701b1a7b4e9aef7f8a3a7b2a776cb9b2830957f7fb1567057730457675dc9e7fe4f21fbfbfd341af4d5bd956bc3c35f34e

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
128KB

MD5
4b6661c40ef622d9ac73c68bcb8a3f5a

SHA1
448444dda6b24290e5b8d0e9d3dcbc590317669c

SHA256
1f818d5a979d0e972e74e49dfdf3ab5da695b0704594f63aa7fafde4b1113175

SHA512
b02012c627263745d9f2f324b19b238cefe8608eae60cd3b18c6e8061c86af99e48d2c67c0849ff655a886e99ddb54b0629a05307e34a134ac08e4f7a4bf2daf

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
128KB

MD5
78068e67c9a45293edf98c2e3d7ae6a3

SHA1
924e88e0f2ac59d3827f5d15d9e49b7d35fb7aca

SHA256
8c2ccb7f39789c7efb76b7fb671c7ba129feb21d29a9aadf065593b98cf27cdf

SHA512
41a6026ebb5b8baa978be1f86bb7f47e0deeb25b6e932667c63184321c1cd847a289f7037b3dc83f5d365d94a43c394dad9ef2f00256f1ce710815f9359ac2fe

Download Submit
C:\Windows\SysWOW64\Nmdgikhi.exe

Filesize
128KB

MD5
6a3032a2403f8c74764dab069fdccd9d

SHA1
239058950397c0b04a72a84df9bafaf2787d1b86

SHA256
8490a4a661cde1665cef1df8d07e05791c3dfc1b5a70de6e62b14b0ea2741378

SHA512
9496dc65d9f47ee113ba49846d29d22f2fec7fb6b60f407c31c7a4741354eb7a1f12a2a8068f73fc1c318fe989c0b652af282001a853dc06367fa211c6d70cfe

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
128KB

MD5
a5ff706873a8d2796111a7aa367959d1

SHA1
fa5506238f508d89276b496f70ef3ff593a9d3b5

SHA256
cac06502a162d7edaca3444603597f62c9da795dfe98685e520ec16c81ef7c7d

SHA512
a2917feb1e8f961c7b99e9dc9883f8669581ae1ebdf051fcc0cfeb6f5555b89171677a012a9dfb5364b490aa124910c21c4748ede6d5e727fecb86dffcfcf679

Download Submit
C:\Windows\SysWOW64\Ojhpimhp.exe

Filesize
128KB

MD5
da7b956c06b33afbfc581cb7f7840515

SHA1
0bfea024443d8494b665366463ca61c8214de1b7

SHA256
8382709cfea2103f17fc7ecad669783056abb14a4996b2becd16819ffce3cc85

SHA512
497ccb440274c2010f95a0433acdf161fc8e6a7f2402aea4b293e0cd056d55342ce5c83f153191455a9c5649efa5741241a9b92bcf44a193676a24cde7c0f79e

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
128KB

MD5
e4747ce417d9ee80087fe7a448e94650

SHA1
caf96e6b5226f305ecfb70b0ab1097c303665679

SHA256
f4466a580a270c84f921a14795b7edcb91b5d49ae557110fe18bd625ead3b2ea

SHA512
a2d5faf4905d559e03dd3e701da5482575a4d381fb8757d7964c96fe57c5430842945d37d353054d9fffe93d638916f80f6d9891600ccb5b47c4b8011e7e035d

Download Submit
C:\Windows\SysWOW64\Oophlo32.exe

Filesize
128KB

MD5
33ee841924dbba2637acbc6a070f9a2a

SHA1
6af9b24bb801d771576dfa1e8e8911505e4afe8b

SHA256
59d4b760d882a32767995ef5e6b9184e8f4f4f6845d69a8e2d84a1212a039c5f

SHA512
c03f4da165a1d5bfc721a07a93d82dc248055bad4a5726e26cff5afe63599ea9fe771702dd9b15ea37e78b2c2beef1b8008154bab6333d090ae0feb5346f2b0a

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
128KB

MD5
c94ab2b982991465a4eba28262edbc27

SHA1
ecc36c3b8e37ee83d0d7f5ef40d423338d8d951c

SHA256
701083cd746b5a090a0ae70528ce1901720301bd475238599ecc501c0cd57174

SHA512
8771ad181027db64142a80594b6d594591ad49ac2b8452357e81b4ff9058f0dfa29da06927dedeb45401f133401d3a2d8883e26fd3c0f0c7f19fcb31a4acbd16

Download Submit
C:\Windows\SysWOW64\Pcbkml32.exe

Filesize
128KB

MD5
8ef4029ad51ab62163d2a552d33c267c

SHA1
394d9c75f09bfd212f7264ff19a45b07bf421bfb

SHA256
32077f7c827f96c320686b05047904841ace32a62e846b65db3295f69b74c492

SHA512
c1dd8de70b21ee9f35ed70e8fc839d4e5c2ab000519022e7e1984287773e4aab08c9c3e490b69e85c9b400e4a28d4f6075557b36e343473120125138f0f01eca

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
128KB

MD5
88ccfbf5d8dbda5a93b794ceb98a7dc6

SHA1
8155b9e94eedf535ab2403508fb6149d95997ae1

SHA256
03d7b8692f90d356d2182c46fdbe8de3238b31fff5cab748b58cc444c64d74b0

SHA512
a03d28bf5b46966c9029e3e2d0b824cc72b78c4a0c0102a4bdb7027131f6980a3c769ed9306cab757c0ec06e44c3e6e73f7729767df35c29fb9f5ca89596b852

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
128KB

MD5
c6a352208d46dc8a21172b3be42c53a8

SHA1
94e2821ddb3dcf0768dee0bbd39434178d1b136c

SHA256
3bbb894bd53e3e9efbd0988351b53a43693e39a6e0bcf88ec56f30cb7b21758a

SHA512
922932d1cce9bab0f0f2ef7d083c132b22054ec4fad10c657f2690c267d573bcc3dee25f25ddaf94a16cf86fce2a1cc1ce0a422851b5641551fe72e224e5f474

Download Submit
C:\Windows\SysWOW64\Pjjfdfbb.exe

Filesize
128KB

MD5
81e89a41adb88f73b99da9835bf06f65

SHA1
75f27a605844d7afa267b6c4502e4cab0fa1c2d7

SHA256
9de0b24976618d5e5866735280cac008969c07ffcc1f17530fff88e29e13f9ab

SHA512
850472157769efe6712b29ba27c15b8568fb8f2f1b2dd179b86827d3b6dc31cfd516bd7a4772de6991d307aff95733300a6d13f25c6ba203ed4bef92cb39882d

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
128KB

MD5
f3b52029b50717a5b3ddb7d6a9dff8b8

SHA1
420b32383b3996c82901da8ff6f8365d52fb29b9

SHA256
2b7afc18234b6e79317ffe8a62e0ba0fcfb5944682277933007602e64b3e2c11

SHA512
4bf622fd0d633b5aa30078f9f3494e4def92a92f9299fd31e920c7ee5299a5f952e68f45dda1c9b1d08e6e3c902d1ff0c3ef9867cee0725236aac356f7dffb48

Download Submit
C:\Windows\SysWOW64\Pmmlla32.exe

Filesize
128KB

MD5
25c5b4b524eb3bcc1255d9acb4a8fd5d

SHA1
5bb0eb37361e3cebf705bceeb08131fdcbe410c5

SHA256
a4323a6c3cf0a5d42c286226bc13e0bb3a22aa0f79e49a3966d96634ca51317c

SHA512
d6cc2f3c9e02aaf7934305ddec2b5bab7f90e35b48dcfd0528db27de2776e09e4d5ff1816b2cefa466e93df55753d10ee6daa6af7e3ed0438a8b81c1bd626160

Download Submit
C:\Windows\SysWOW64\Qfmfefni.exe

Filesize
128KB

MD5
39de515c84818f1f39726c2c4015d50f

SHA1
5a0e1a871dea081e36f3537cdd39411ff3aa0d8c

SHA256
ee54a9e4ff4c251553eb623abca75831fea9b177df9029b3983bfc13469a4e3f

SHA512
0b8d7f06f721384c687cfea34331fc50ccf6fafa233824e58138adb51d0a12cc58ea1063a9d1868c8a12e25fa20fc7cf7e51815387cda3b18beb62b6e3f8bb4c

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
128KB

MD5
c5e4b6254e5e2c6f69164a60201de07c

SHA1
8b5f993d26ff3c5f4c5f2da10f386a1b76674ed2

SHA256
7e74a2386a3f727afcb32d9eb78a9588c5516205f99040e7574cdf8059bbccd5

SHA512
dbf762072386e3fcec51bd284d831f418d43a9fa2b1627beedc3d4127131d76031aab6b3815384868e6822820a2e3d837695519ebadc1ffad3eb8aebb14c6b7f

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
128KB

MD5
f68ea1e7b1c493de78caeb2e27b57917

SHA1
fb2b4e07081bd6213c852a5fd4741d5ff605428c

SHA256
cd060b03dc64b20c1e80498bba57c5e9d3086453a17615a99d722f03eaba7b40

SHA512
cd42e3e08c963dbd6ffeb8dc154e5c1697770b2a885a4d96728facdffdb9242caf4ae93f337940bb4dc7b1f4b27b716c9678fac0fa3c945472c41d743637619c

Download Submit
memory/376-32-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/376-115-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/528-39-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/528-124-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/608-419-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/640-144-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/640-233-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/720-88-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/720-7-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1124-251-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1124-327-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1200-391-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1376-321-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1376-390-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1456-243-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1456-320-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1492-398-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1576-341-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1576-270-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1928-188-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1928-277-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2020-384-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2128-405-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2152-300-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2152-369-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2164-356-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2300-179-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2300-268-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2356-169-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2356-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2376-108-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2376-196-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2388-225-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2388-306-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2428-135-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2428-224-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2440-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2440-97-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2592-363-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2868-170-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2868-259-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3096-404-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3096-335-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3216-133-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3216-48-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3236-376-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3236-307-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3280-215-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3280-299-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3356-412-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3380-205-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3380-116-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3392-242-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3392-152-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3424-260-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3424-334-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3440-187-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3440-98-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3540-71-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3540-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3572-355-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3572-286-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3928-377-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3944-143-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3944-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3956-63-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3956-151-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3972-313-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3972-234-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4000-125-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4000-214-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4120-106-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4120-24-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4124-160-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4124-72-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4336-89-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4336-178-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4428-206-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4428-292-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4436-411-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4436-342-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4464-418-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4464-349-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4584-348-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4584-278-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4632-397-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4632-328-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4664-370-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4720-383-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4720-314-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4848-285-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4848-197-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4944-362-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4944-293-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5092-161-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5092-250-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads