838f85c2b546fcd4c501d75cf752ddc8309d5805df466871f6efdfb97197ba0a

Analysis

max time kernel
143s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

838f85c2b546fcd4c501d75cf752ddc8309d5805df466871f6efdfb97197ba0a.exe
Size

312KB
MD5

5746657b7b9b97b3cb07e64c078dd53b
SHA1

244a0dd1fd8e04f258f31b145474eda78b57170b
SHA256

838f85c2b546fcd4c501d75cf752ddc8309d5805df466871f6efdfb97197ba0a
SHA512

4946889f43451a2bd9d835f1a00854ea9fdf40ea6dad230086f83238924f92b49f62fb864edba838e833a6f71ffbff68ee98df1aca828100a8c5722a5ffa0cb9
SSDEEP

6144:IQAx+PXuapoaCPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSf:0wuqFHRFbev

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mccokj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekjded32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gihpkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpqggh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mccokj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bboffejp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndgfpbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ommceclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieagmcmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllhpkfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkofga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpqggh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacepg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboffejp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oooaah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicpgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggjjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllagh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkofga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njbgmjgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gegkpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcabej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepleocn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqghqpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dolmodpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doojec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojiqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibqnkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigbmpco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baegibae.exe

Executes dropped EXE 64 IoCs

pid	Process
5076	Qdaniq32.exe
5012	Bhhiemoj.exe
4724	Bacjdbch.exe
3980	Baegibae.exe
2196	Boihcf32.exe
2992	Bnoddcef.exe
400	Conanfli.exe
220	Chiblk32.exe
1032	Cacckp32.exe
2124	Cnjdpaki.exe
2236	Dahmfpap.exe
3932	Dolmodpi.exe
4924	Doojec32.exe
1684	Dndgfpbo.exe
3320	Doccpcja.exe
1352	Ekjded32.exe
2812	Eqiibjlj.exe
4052	Eojiqb32.exe
3648	Figgdg32.exe
716	Fbplml32.exe
1968	Fnfmbmbi.exe
4764	Fniihmpf.exe
396	Fkmjaa32.exe
4072	Fkofga32.exe
3456	Gegkpf32.exe
1248	Gbkkik32.exe
1468	Gkdpbpih.exe
2308	Gihpkd32.exe
4448	Geanfelc.exe
2172	Hpkknmgd.exe
4780	Hicpgc32.exe
4900	Hhimhobl.exe
4996	Hbnaeh32.exe
4408	Ibqnkh32.exe
1076	Ipdndloi.exe
2060	Ieagmcmq.exe
2740	Ibegfglj.exe
5032	Ilphdlqh.exe
4004	Iamamcop.exe
2440	Jhgiim32.exe
732	Jadgnb32.exe
512	Jlikkkhn.exe
2880	Jllhpkfk.exe
3536	Kedlip32.exe
2012	Kibeoo32.exe
2036	Kapfiqoj.exe
3692	Kpqggh32.exe
2752	Kemooo32.exe
3656	Kofdhd32.exe
376	Lepleocn.exe
1996	Lohqnd32.exe
2860	Lllagh32.exe
4988	Lojmcdgl.exe
1028	Ljbnfleo.exe
676	Loofnccf.exe
456	Lhgkgijg.exe
3100	Loacdc32.exe
1596	Mledmg32.exe
1296	Mjidgkog.exe
3216	Mofmobmo.exe
4496	Mjlalkmd.exe
3696	Mcdeeq32.exe
4348	Mlljnf32.exe
1432	Mjpjgj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bacjdbch.exe	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Cnjdpaki.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Pkbcikkp.dll	Loacdc32.exe
File opened for modification	C:\Windows\SysWOW64\Mjpjgj32.exe	Mlljnf32.exe
File created	C:\Windows\SysWOW64\Hlhmjl32.dll	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Knojng32.dll	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Kofdhd32.exe	Kemooo32.exe
File created	C:\Windows\SysWOW64\Pfigmnlg.dll	Nmfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Cibain32.exe	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Opepqban.dll	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Hclkag32.dll	Gkdpbpih.exe
File created	C:\Windows\SysWOW64\Njbgmjgl.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Ccmcgcmp.exe	Calfpk32.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Fgcodk32.dll	Kapfiqoj.exe
File created	C:\Windows\SysWOW64\Mcdeeq32.exe	Mjlalkmd.exe
File opened for modification	C:\Windows\SysWOW64\Oqoefand.exe	Oqmhqapg.exe
File opened for modification	C:\Windows\SysWOW64\Lepleocn.exe	Kofdhd32.exe
File created	C:\Windows\SysWOW64\Nmdkcj32.dll	Loofnccf.exe
File opened for modification	C:\Windows\SysWOW64\Eqiibjlj.exe	Ekjded32.exe
File opened for modification	C:\Windows\SysWOW64\Fnfmbmbi.exe	Fbplml32.exe
File created	C:\Windows\SysWOW64\Anafep32.dll	Mledmg32.exe
File created	C:\Windows\SysWOW64\Qidpon32.dll	Njbgmjgl.exe
File opened for modification	C:\Windows\SysWOW64\Ommceclc.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Hqghqpnl.exe	Gnfooe32.exe
File created	C:\Windows\SysWOW64\Khokadah.dll	Binhnomg.exe
File created	C:\Windows\SysWOW64\Pnlhmpgg.dll	Cibain32.exe
File opened for modification	C:\Windows\SysWOW64\Cnjdpaki.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Fallih32.dll	Geanfelc.exe
File created	C:\Windows\SysWOW64\Mjlalkmd.exe	Mofmobmo.exe
File opened for modification	C:\Windows\SysWOW64\Ncpeaoih.exe	Nmfmde32.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Ncpeaoih.exe
File opened for modification	C:\Windows\SysWOW64\Piapkbeg.exe	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Baegibae.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Jllhpkfk.exe	Jlikkkhn.exe
File created	C:\Windows\SysWOW64\Lhgkgijg.exe	Loofnccf.exe
File created	C:\Windows\SysWOW64\Cpcpfg32.exe	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Eajlhg32.exe	Eahobg32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfkng32.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Gegkpf32.exe	Fkofga32.exe
File created	C:\Windows\SysWOW64\Gadeee32.dll	Fnalmh32.exe
File created	C:\Windows\SysWOW64\Qebeaf32.dll	Piaiqlak.exe
File created	C:\Windows\SysWOW64\Ipdndloi.exe	Ibqnkh32.exe
File opened for modification	C:\Windows\SysWOW64\Loofnccf.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Mledmg32.exe	Loacdc32.exe
File opened for modification	C:\Windows\SysWOW64\Nimmifgo.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Oooaah32.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Fkmjaa32.exe	Fniihmpf.exe
File created	C:\Windows\SysWOW64\Ibqnkh32.exe	Hbnaeh32.exe
File created	C:\Windows\SysWOW64\Fbcolk32.dll	Calfpk32.exe
File opened for modification	C:\Windows\SysWOW64\Nomlek32.exe	Nhbciqln.exe
File created	C:\Windows\SysWOW64\Lcckiibj.dll	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Cmbgdl32.exe	Ccmcgcmp.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Ejjaqk32.exe	Ddmhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Ejojljqa.exe
File created	C:\Windows\SysWOW64\Gjficg32.exe	Gnohnffc.exe
File created	C:\Windows\SysWOW64\Bigbmpco.exe	Abjmkf32.exe
File opened for modification	C:\Windows\SysWOW64\Abcppq32.exe	Aflpkpjm.exe
File opened for modification	C:\Windows\SysWOW64\Bhhiemoj.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Hpkknmgd.exe	Geanfelc.exe
File opened for modification	C:\Windows\SysWOW64\Ipdndloi.exe	Ibqnkh32.exe
File created	C:\Windows\SysWOW64\Gnhekleo.dll	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Bmdkcnie.exe	Bboffejp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllhpkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnfooe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciddcagg.dll"	Hkmlnimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baegibae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacepg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll"	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badjai32.dll"	Figgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kapfiqoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidpon32.dll"	Njbgmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhekleo.dll"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnimkcjf.dll"	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdjlcnk.dll"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipdndloi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegcnaoo.dll"	Eqiibjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdohflaf.dll"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkdne32.dll"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmmco32.dll"	Ibqnkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkmlnimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oooaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	838f85c2b546fcd4c501d75cf752ddc8309d5805df466871f6efdfb97197ba0a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkoplk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbhcl32.dll"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll"	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapmnano.dll"	Gnfooe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpcjnil.dll"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkofga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjnfn32.dll"	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibqnkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agolng32.dll"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcckiibj.dll"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll"	Bboffejp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 5076	3640	838f85c2b546fcd4c501d75cf752ddc8309d5805df466871f6efdfb97197ba0a.exe	89
PID 3640 wrote to memory of 5076	3640	838f85c2b546fcd4c501d75cf752ddc8309d5805df466871f6efdfb97197ba0a.exe	89
PID 3640 wrote to memory of 5076	3640	838f85c2b546fcd4c501d75cf752ddc8309d5805df466871f6efdfb97197ba0a.exe	89
PID 5076 wrote to memory of 5012	5076	Qdaniq32.exe	90
PID 5076 wrote to memory of 5012	5076	Qdaniq32.exe	90
PID 5076 wrote to memory of 5012	5076	Qdaniq32.exe	90
PID 5012 wrote to memory of 4724	5012	Bhhiemoj.exe	91
PID 5012 wrote to memory of 4724	5012	Bhhiemoj.exe	91
PID 5012 wrote to memory of 4724	5012	Bhhiemoj.exe	91
PID 4724 wrote to memory of 3980	4724	Bacjdbch.exe	92
PID 4724 wrote to memory of 3980	4724	Bacjdbch.exe	92
PID 4724 wrote to memory of 3980	4724	Bacjdbch.exe	92
PID 3980 wrote to memory of 2196	3980	Baegibae.exe	93
PID 3980 wrote to memory of 2196	3980	Baegibae.exe	93
PID 3980 wrote to memory of 2196	3980	Baegibae.exe	93
PID 2196 wrote to memory of 2992	2196	Boihcf32.exe	94
PID 2196 wrote to memory of 2992	2196	Boihcf32.exe	94
PID 2196 wrote to memory of 2992	2196	Boihcf32.exe	94
PID 2992 wrote to memory of 400	2992	Bnoddcef.exe	95
PID 2992 wrote to memory of 400	2992	Bnoddcef.exe	95
PID 2992 wrote to memory of 400	2992	Bnoddcef.exe	95
PID 400 wrote to memory of 220	400	Conanfli.exe	96
PID 400 wrote to memory of 220	400	Conanfli.exe	96
PID 400 wrote to memory of 220	400	Conanfli.exe	96
PID 220 wrote to memory of 1032	220	Chiblk32.exe	97
PID 220 wrote to memory of 1032	220	Chiblk32.exe	97
PID 220 wrote to memory of 1032	220	Chiblk32.exe	97
PID 1032 wrote to memory of 2124	1032	Cacckp32.exe	98
PID 1032 wrote to memory of 2124	1032	Cacckp32.exe	98
PID 1032 wrote to memory of 2124	1032	Cacckp32.exe	98
PID 2124 wrote to memory of 2236	2124	Cnjdpaki.exe	99
PID 2124 wrote to memory of 2236	2124	Cnjdpaki.exe	99
PID 2124 wrote to memory of 2236	2124	Cnjdpaki.exe	99
PID 2236 wrote to memory of 3932	2236	Dahmfpap.exe	100
PID 2236 wrote to memory of 3932	2236	Dahmfpap.exe	100
PID 2236 wrote to memory of 3932	2236	Dahmfpap.exe	100
PID 3932 wrote to memory of 4924	3932	Dolmodpi.exe	101
PID 3932 wrote to memory of 4924	3932	Dolmodpi.exe	101
PID 3932 wrote to memory of 4924	3932	Dolmodpi.exe	101
PID 4924 wrote to memory of 1684	4924	Doojec32.exe	102
PID 4924 wrote to memory of 1684	4924	Doojec32.exe	102
PID 4924 wrote to memory of 1684	4924	Doojec32.exe	102
PID 1684 wrote to memory of 3320	1684	Dndgfpbo.exe	103
PID 1684 wrote to memory of 3320	1684	Dndgfpbo.exe	103
PID 1684 wrote to memory of 3320	1684	Dndgfpbo.exe	103
PID 3320 wrote to memory of 1352	3320	Doccpcja.exe	104
PID 3320 wrote to memory of 1352	3320	Doccpcja.exe	104
PID 3320 wrote to memory of 1352	3320	Doccpcja.exe	104
PID 1352 wrote to memory of 2812	1352	Ekjded32.exe	105
PID 1352 wrote to memory of 2812	1352	Ekjded32.exe	105
PID 1352 wrote to memory of 2812	1352	Ekjded32.exe	105
PID 2812 wrote to memory of 4052	2812	Eqiibjlj.exe	106
PID 2812 wrote to memory of 4052	2812	Eqiibjlj.exe	106
PID 2812 wrote to memory of 4052	2812	Eqiibjlj.exe	106
PID 4052 wrote to memory of 3648	4052	Eojiqb32.exe	107
PID 4052 wrote to memory of 3648	4052	Eojiqb32.exe	107
PID 4052 wrote to memory of 3648	4052	Eojiqb32.exe	107
PID 3648 wrote to memory of 716	3648	Figgdg32.exe	108
PID 3648 wrote to memory of 716	3648	Figgdg32.exe	108
PID 3648 wrote to memory of 716	3648	Figgdg32.exe	108
PID 716 wrote to memory of 1968	716	Fbplml32.exe	109
PID 716 wrote to memory of 1968	716	Fbplml32.exe	109
PID 716 wrote to memory of 1968	716	Fbplml32.exe	109
PID 1968 wrote to memory of 4764	1968	Fnfmbmbi.exe	110

C:\Users\Admin\AppData\Local\Temp\838f85c2b546fcd4c501d75cf752ddc8309d5805df466871f6efdfb97197ba0a.exe
"C:\Users\Admin\AppData\Local\Temp\838f85c2b546fcd4c501d75cf752ddc8309d5805df466871f6efdfb97197ba0a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\SysWOW64\Qdaniq32.exe
  C:\Windows\system32\Qdaniq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\Bhhiemoj.exe
    C:\Windows\system32\Bhhiemoj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\Bacjdbch.exe
      C:\Windows\system32\Bacjdbch.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
      - C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        24⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        27⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        32⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        34⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        40⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        41⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        42⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        43⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        47⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        53⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        55⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        64⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        69⤵
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5100
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        72⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2648
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        75⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4076
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        77⤵
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        79⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3688
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4896
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        83⤵
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        85⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        87⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        91⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        92⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        94⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        95⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        98⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        100⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        101⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        103⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        104⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        105⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        106⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        107⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        108⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        111⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        114⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        116⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        118⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        119⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        120⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        121⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        122⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        124⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Ggjjlk32.exe
        
        C:\Windows\system32\Ggjjlk32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Gnfooe32.exe
        
        C:\Windows\system32\Gnfooe32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Hkmlnimb.exe
        
        C:\Windows\system32\Hkmlnimb.exe
        128⤵
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        129⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:316
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        132⤵
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        133⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        134⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        135⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        142⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        143⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        148⤵
        
        PID:6920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4052 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:6252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amnebo32.exe

Filesize
312KB

MD5
5e81f4a1530f4c797201b7a680661762

SHA1
16042a83fc5e489c9aeea320d39cd743a4b65cbd

SHA256
a85b131899f82e25204e4facce35efe4237f5fb025c9393f7a4d7f0a5beb6ee6

SHA512
0b2acac8d2ea513dab2488d0ae3c1608a081a28016685afef50160a95ba8e3ee35188f359b9d3ad7c99384f16378e102ac759f12493b6dc2a2ca8fa4296ab875

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
312KB

MD5
6e46ae87516e6f56c7d115133fc54dda

SHA1
3742d7ced5bce5a658edc93e04dd1076daca7bd5

SHA256
21288e0c638d77a8ffe19828823a85782393cfe3ad54d2ae187f107f42056220

SHA512
ec17551caf7e23d8b1ea7b2bf41ff7911aa4fbf18819d869f261d2ba1bb213ea020bf64c8954f34ab76ee4a668e84dc6a948d28df2171aafcf73daa652a87a8b

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
312KB

MD5
37f58e47f3d74dbb5abef5663e1ecba1

SHA1
2418007c804ca650b89866f971adde91dc62d268

SHA256
e38d7190d657cb37873b871ff1d2a57da871e67cb48bb635b6671943efc30703

SHA512
34ac77cde65d3c550ba0e806293375fbac58b4b95560a5756380df1cd4ade4cfcf623588d3022667bf59276da10b21c788d7d2b43b7f53be81a1b473fc8dab69

Download Submit
C:\Windows\SysWOW64\Bhhiemoj.exe

Filesize
312KB

MD5
d2dd94b88aa3b35cf3e8e37c65f1cb2c

SHA1
7deee4676865f26869ca0a36708c563a94ee2c9f

SHA256
5e176073616351146e2a8730e0389b611db83b1f37c4ec58f6a1c522e6ba620f

SHA512
4e05e75592666af3d1e2e5c17e0d268186f7346e722807f076ade1bc08c9e16b3415e5e9ff5902ac3051f90ef74ef7ce2f00058dff4f3a5c0869df026d4dd95c

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe

Filesize
312KB

MD5
57b291cf8e943610407a93ebf73ebbc2

SHA1
27bae14a9c2405f5ed9281c439aff090b3415655

SHA256
a30372494a22c3672b0165e4d738cd7e2e70f84ae95a105475a056863840c206

SHA512
f7e0dd3ff30ec528196a3d9869d42eb88ecd5b88f767a735fb54d4d8eb0ec757bc4111c06fa875e42ba2050f00f776c514f31f07a89f653b1eeeb4c7d4d0de18

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
312KB

MD5
f8a423b62ba35e07134b58d4df582755

SHA1
cf3d31c1875365eac33a954d0fc4914d68f551df

SHA256
a94f2b84897074b358f17278010c8c2d50d1a46495f6e05231f6419ed5102379

SHA512
b1bb000201b3b888b4ea5c96e258f291fc801051af19f5bf8a5f38a3e9343e04c7d72c30bb3fa6c660cb1a4df526d6d47c3d43f1a3b75f43d0fafd4c434717ac

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
312KB

MD5
e88e3825d780161f7a59041fd8ddb940

SHA1
16a4c2ec3fdc3c686c92b9e1fc740ab9c1c4530c

SHA256
a698cf486449da9c8b224f404067ce481bc14875c6171393b3c077219a077549

SHA512
cf725ae745b15881e7bba5eea5915b2e2e13bf6a80e1d84f9e1b566c730559c22c24675478338256cca06455d6ebbfe3edea64475323b8a0e04b871e8104171b

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
312KB

MD5
a42fceccae02ce7f8a1463ae447d5490

SHA1
fbab451a4e7d04cf3e12fc7f0cd99fd08a903f9d

SHA256
50fb45f6ea67f6537f9be2d520b85b86cbdcca4453e7f3d6eab2e25ee4d6a2e8

SHA512
fbf67edb54c1dd378933754b1a9136ae7d99af302cbc9e2486d223e87c5d3afd8fc7ff0714b1e32eca5bdbf16f310ccdff074c32ee58ef825ed3c520f41f776d

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
312KB

MD5
2b4e3a34dc6934335b929d29a4b0c1d1

SHA1
b3254484c776b2371f53cf78c564f28297fa95f1

SHA256
960be96844a83391386f6341a014b30b3791cf07546303170411fbc756144e68

SHA512
56e501c2e4a46b4651554bd617afd1900d41686259b4fff20d49001f8b74c4a336add0873f107bda5d42ae4b084701985a19e0251dbfbf40d90eb614b6eb4729

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
312KB

MD5
cb46862300cd95d24b0927c6323d3e31

SHA1
1a865e602a057c3c7bbfdb09bffb6ebbc3113074

SHA256
9dd9d0af9a56a2d19c808d4842e3908d1c7a18d8c427891e514a4644a9f412bc

SHA512
74d9b888119d2ed1bdfb005720b4f310d7d980b514a9348a66d9f408713cf00c37e1bebdca162b99acb39de1d1461c618d1ece7a1a7a4f0ca40575f71df21228

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
312KB

MD5
645526179717b015d7c5c275a3922afd

SHA1
f43e92ce1ba01cea4cfcc4a03f109acfc6e81f0a

SHA256
abcddc6b95f8ad56ad74b8a714185396ea9e8d0cfb46f0e2e714ba7109a5d0fc

SHA512
5b27cc141081f4af144bc6a76ffd89ffb9cdd616be469b51872551e135522971a9c06b9dd750a8c20a7cbd15256e289a91de69387580895efb4da57161f08977

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
312KB

MD5
f8af36422c5e32e54b1d4e8b77c895d9

SHA1
258d54debd615c4a99756584deee81d0c5fa2797

SHA256
9e2af8c22c07ec08290bfcd0279a3da65aa7d96a1cc1441ab33abf59fedf75af

SHA512
a7b17bbebaf47bdabbe1e7691f7aa4f8497e06c96a03121058b7e230fd55c8ce776843a6f267a3045cb6bb2be927d2db65de054ca813efad45432d6dbe5c1720

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
312KB

MD5
43e0e45a6a6b2bad68c8e617733377b5

SHA1
cce3ad41de8a5e09bc5a4a5fe1b18b9417bfa3be

SHA256
6c07eb213da1ece691df2e8af2f593c2433d22079c9113f0a2d10e98267a08e1

SHA512
c05bb95481e44c86c4f3f88c67d57e6e03d96ca23404aefa8891ee4b48fe572b0fdece0f99f4ed0fd712d49de57364018108b939f4e4c117f52b70f176484eea

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
312KB

MD5
f3a6cd1225a314bba20510bde98832c7

SHA1
5f078faf28638fc8bb361f9dd4c79e0da0492c61

SHA256
4a63410835e032f2efd366406b9f35d89ba48387a21e4a094879c032a893c915

SHA512
4b1092d6513824f357ac1e014b51a1bd7ce537cbbf7b29929c73eebbed3c796fe56e3a925010dc407a89e0fd6c75439a454b10e771053b70c4bd88b66d0ccf4c

Download Submit
C:\Windows\SysWOW64\Dndgfpbo.exe

Filesize
312KB

MD5
645bbad4693ef2efd582e61f2cdd2733

SHA1
724c105f91e2d90e061680630c8b56c25356d3ba

SHA256
dfd262b145684a846009de7ab15cc962600c13afadd80b064c5eb42ef90e4e98

SHA512
50116ff104fe98471d928cf908c607166579219c558beaeae8df377422f68b54e8a57a545238d3151de3b26036e74f6fbd6d221a2d614b8916181ec01408be0e

Download Submit
C:\Windows\SysWOW64\Dolmodpi.exe

Filesize
312KB

MD5
eff8605fb5fd1d98cf2b61febd0cbacb

SHA1
12b46a733ad9328af1a668068dafd1adc38c8f2e

SHA256
87f12b8333ed157f170d61d55a7d7c230bc7fbe67306e80fd3c0552173fcde20

SHA512
0128cfb841bfc10b599e34c41adbc932d71bb8b10fc508812e057f8a4dc0e4bb569bbda2bc931b65a457757c8726c8c96c1598c487f03defc9da64d1bbc6ca5b

Download Submit
C:\Windows\SysWOW64\Doojec32.exe

Filesize
312KB

MD5
3050f7aa35176bf81de62ee58965de41

SHA1
81df372893e3e1a17b722280e0b4b9e7bba696f6

SHA256
e5a946d1474bb065e0a99906050a4dec13eccb53809ee1c43d02223eada2bc43

SHA512
82a5e31d1d6a9a327cb9bbf3298b9b3e471ae0d03c2fba78eb7b80a52eff84433b50523c2f20624dcdfb51bee6a30f5d9929feaf1713b0d8013c41fb13d40160

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
312KB

MD5
c8551adabc2b650df8467952023f8f2b

SHA1
d2c370b2d2ceb6cff759e9efdd5f743644b77e44

SHA256
fea21c4c8325e03a0516e6b8cfcc223843e246559c7a5f9a60d52dd19b58e589

SHA512
6839b0e2542604dbb493e400681ff2743b755c98e804738c281e0bf4a68d709619e26ec5e4885520d957fbfd521770a019bb599cd00cc3ecca599bd634eded50

Download Submit
C:\Windows\SysWOW64\Ekjded32.exe

Filesize
312KB

MD5
4a2d04b0ffe7a45f93a7243e91420c1b

SHA1
37beba1a38a5222df8bdf54d79385c8accd652a6

SHA256
ac2cebaf42a70615a94dac57c841cbf22672fa33817a57cae17fea429623cd04

SHA512
363fdb7d0e18b13ff7510c3fa45874796b47833466203389470dcbb1623df37121b42c7f7e3d630c9021411a2a3b06057b8f09c473b44020da409a171c0644dd

Download Submit
C:\Windows\SysWOW64\Ekjded32.exe

Filesize
312KB

MD5
093375a096828541e403fa83c8a69069

SHA1
dba11e3f9945cf8960f5415c9937922f657060d8

SHA256
a24345fa1a1eaa2f43a57c07e64d69282f85543b6a231674aab7445ba367d4b3

SHA512
e6433193a17ead6d4a202255ff677f779627a6874be757937fd7c5084a3d6ad3e7634a147502c584a33afeb6bac8421f1825a85e9e33da3857c1b9717cfe54ec

Download Submit
C:\Windows\SysWOW64\Eojiqb32.exe

Filesize
312KB

MD5
6b6d1d877e20940f1c7d033e1df9400f

SHA1
9916c65a8913cfd35c90405ba7e0025725524543

SHA256
8046d57a07d1c5e7ea769382a6dca8057d8c8b3589c5f72495b421cbb1b321f2

SHA512
11ce9168416f0164ce53827fb597b17e3cb7951d956b95020c8c7a41023f8840f38a4f87173bfef154c4c31d62f72e6ee46d048f8136f1654d8f5f44ddc3869e

Download Submit
C:\Windows\SysWOW64\Epdime32.exe

Filesize
312KB

MD5
f18b0e572b4f93768f83cff52a139788

SHA1
bfa15ef346d4c51d148add06832d0b48f38db44b

SHA256
9fd223d19eec6576ac3f961f959eb3a95fd51f4429a641a6eb88bd78ede6a1ac

SHA512
584c7ead3feeb76cf7ad5c9622445675aea768bd5a2bb1990bf06039ad7e3a48d88b4fbbf9fb2501e0326eb93bf5877dd6a571fd8b0153ffd34aa3f0ba6e6470

Download Submit
C:\Windows\SysWOW64\Eqiibjlj.exe

Filesize
312KB

MD5
3fcc18544855a820e475be4c0c828d02

SHA1
a3142d9ee314069175f6f3ae8652220fa443ea3d

SHA256
3b5e16ed1d2179f3e327214783619fd60de570c521dc1855789fd72346dd2eee

SHA512
59f1f8fc055fe4a3a07f012b90d30d0a1e689694d4321fba4d8413625f58bf7569ec9d4147db7f03ff3503434a5d08433dd495cf629ac7ffe7fd723e780af2cd

Download Submit
C:\Windows\SysWOW64\Fbplml32.exe

Filesize
312KB

MD5
a307e6c98c168b8d6bc8a834151bb2c2

SHA1
efd2602122b6b9188f800ec6548229b726c0aab4

SHA256
9d23f558cd74cea01dc19255edc0b183fce5b033c3772ecd58be10b5db6ad9b0

SHA512
4c96ec95a9a53bea69582bfe6e1681aa67ec666d474dc71a1d9178b9aaf43920f20eb7974f9cfd8642423c1752dd33b1807181d6ebfee0a6f3b1e1eb62eaf980

Download Submit
C:\Windows\SysWOW64\Figgdg32.exe

Filesize
312KB

MD5
6a7ff631c57a45ce1efb847599b9b743

SHA1
cfad2868a2fce7a8b5ef67de8418791cb8314bcf

SHA256
37dd038dc03e41ca16d3eacb882a9000ff4f7746ac1b54ca2cb6cc536e79595f

SHA512
dda843abc39f19752e84c62db7bf835974ba72afc4e6836d05ec1138946003bfe62d164a3aa62ff8230a5062f4c7e6c4436142effc02492be918cc2bd702e71a

Download Submit
C:\Windows\SysWOW64\Fkmjaa32.exe

Filesize
312KB

MD5
62b7c694c6c75309fb4a389a03e4f95f

SHA1
4a552ea171c845986e39f085ac52024d769d46ef

SHA256
7d8e5c7d02434e4eec76aef1550ea51e859ec6609690c3c8ca06049cec07162a

SHA512
36acc906d3a5076e7c12ffafc78ed715fbddbb6b42f32771b8b6bc26dee8f34c60ae482eee23858351cbfc48b39847469fe24c0064af0004162801901587fa0b

Download Submit
C:\Windows\SysWOW64\Fkofga32.exe

Filesize
312KB

MD5
d40fd0334774aa9cc5a48a45d80b3063

SHA1
8c3884e10c2ee979828330ff98baf403b88663c8

SHA256
9b1f29a826ea10f412a9e7b8c7e8c95bb0531d19bbc396c388bf2d4ad7988417

SHA512
811bb4b21242a4c2e67b64ca8d0317821b20c427788bada29c32d8349784a7e461acd7c6422944468efcb8c648f5f3cd535e1d30e0ee39a9ad87785b7a6085f2

Download Submit
C:\Windows\SysWOW64\Fnfmbmbi.exe

Filesize
312KB

MD5
dc0d2e58995b4b7451795741616aaab2

SHA1
95e52e6757226683695f0aa5be8a294b255af8da

SHA256
ca2d1e96d947e41a9d90b493ab581094a9ef1d0f1ee9a2cfd4b17a0f12f5b8eb

SHA512
b385e02b7700115ce9422fd68c97e55df9a243927337ca8942f1c4e3127b10a4231cd4285b56b5908febd66d0a376cc09ee78bacfc856594291f4b482fd5d391

Download Submit
C:\Windows\SysWOW64\Fniihmpf.exe

Filesize
312KB

MD5
8a6e10f731e40a9f90a24f4555a87e7b

SHA1
d25269210f4aa2d054de15ade7a3b311ff310571

SHA256
5b5cc4093e4b0c5401f135566bb8fdd69c617b21a283d61c0341a8a4319c8a38

SHA512
5ba393a586e6f3fc90f10818dd06daf25b314784b43ebb3fe0f13e5f65438b2c87be1ba437fa4880eaacef32f1c4243859f8c3ce0a7d91a0f1900e38ef0675cf

Download Submit
C:\Windows\SysWOW64\Gbkkik32.exe

Filesize
312KB

MD5
dfb949d3b91b9be096532fabd29388e9

SHA1
e6a360bc36e562d21b5bc3e39b60d88f9a5c02e8

SHA256
55641caf7d236ca6f41004f592366f39e46c6461fa1d45cb5344ef43b72920f4

SHA512
548af2257c844bca3ce64d5502ddd77a04a89189d49809d1b7f2fe67c799b7191110a04b60580141c939e58907f57d95c8a7224a269c5e29d8d8ce6df6be57cd

Download Submit
C:\Windows\SysWOW64\Geanfelc.exe

Filesize
312KB

MD5
7993cdee6e6625d777e8f180a60df17c

SHA1
90a3c5b9915c9e08e55837840d0b1b3084e61cc5

SHA256
fbd6b809836d24739388b9ad0c819e4e231e6dc3679f71e53655646a3d454d69

SHA512
2269101fd6e11cb6583c6e310454aeefa63ca0f3f16815c407581d58a364040f0d5c9bf1124a2c4114293ff8907eaafe0cf4c8a3bd05b1121dd7be93b03f526e

Download Submit
C:\Windows\SysWOW64\Gegkpf32.exe

Filesize
312KB

MD5
f6cfc5a1d69c7ac39819c033eb97157a

SHA1
a617ff0c584e0d9e3c717fdad216ba2ccd770625

SHA256
75164abafa10c940158fcd160a1fbb50cc353970d52d5ce84a6aaba5226b9da3

SHA512
351e096a222d71f7e028aa640692f110c10c68fa04c4d90c99225837f66700c336dbb33e0a6cbd95b83ea7a94fa88c05bdac62d112c8d9480b4bb4bd68d70957

Download Submit
C:\Windows\SysWOW64\Ggjjlk32.exe

Filesize
312KB

MD5
25b85abe7fc5725b0a65e31e71fa703b

SHA1
be495aa97522f599487f2f9b84740887be7412be

SHA256
33bcc9e0331f4aa07804c23f6527e2af7b93d503e8b3e69a7fafeedba8b8aedc

SHA512
b34ef0547debdf22aa0f68bf1a0b7c3550ebcb539f59683256b917143fcc1b4c05ee9b1e6e77eb808cf7da94d5825180561b048ed6a0a960fd8dd86dcf154f8b

Download Submit
C:\Windows\SysWOW64\Gihpkd32.exe

Filesize
312KB

MD5
a5ae3f7dd29b0f1f6ea61ce5df8b8643

SHA1
1ccf53ac6a70e54a2daa7ac728515ede830dce8f

SHA256
64f8fb0362c765b8aaf857d7a26cdfd71bca82cd49ef14eef531ab69a5920f27

SHA512
923d9c09bc0b7f1e6bbad18ced4466041cccd0189b0bd3183cb4c5de36eb614813d79260be7d85b4f8c19fc3367fed473717e961e1393f904a7687999d78fd7d

Download Submit
C:\Windows\SysWOW64\Gkdpbpih.exe

Filesize
312KB

MD5
7610c0d19aa98b87c615991b5fd68d20

SHA1
48ab67c92678f511a3e5e9fe50ea786e226cd2ae

SHA256
573c33d00d3b6f5e733bd9d3bf8ff8ffaecbe3b5ab5e3e205aaca411f0dc8580

SHA512
3a421a0c8f3c54e69c43a45f1ff2eb281ac98a638db0d548dfb0e349bde9b98d4eda3b67593a42b0e15767cb9fca509dd7ddafe917f5e3f9f2200628906bd4f1

Download Submit
C:\Windows\SysWOW64\Gnfooe32.exe

Filesize
312KB

MD5
79df462fe62f00f18ee69ae41462bd5a

SHA1
49b84b50b4baeac403d3e9938c0bc85ce29e6c51

SHA256
9bb6e0912965d323d7514d46c9305d0c980873d4fd0bddf15f49a63319864893

SHA512
f84a4a3bdf5c7187942e384f1cea18df7862e17d4829ac7217002ed99d88efcc401e23efb972a42c35765a0fc0300e207394899205a36b2d64245eed3a932870

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
312KB

MD5
0e6f3474d7cac69aeb051a609a4e3f1e

SHA1
c5096ec6dd7478ba70d44cafa746cd2570b58e55

SHA256
c7aa6f2989aef515733d961174870fa58f2de7da411b428cbe98618588cb0a54

SHA512
ea977569e0522a4b127bef4ea00f277ea0a222c519de83480bc39d94ad61f156a9ad0ee9985b492ddf5db70eeb68559c94da5d0f572e947d8b0135649aeb6d74

Download Submit
C:\Windows\SysWOW64\Hhimhobl.exe

Filesize
312KB

MD5
d948a5ef79171dd00f5924ed453b3767

SHA1
25b212a1e33526d642b80b9ab37d35d7c302b836

SHA256
86c61d15b38bf328832cfd3a758872700d1fc3ffeaa243cc5880832d8cf9adb4

SHA512
fc17fbcce3c061faa9aa239a09478f5ecdd8b115d6b3d88ce1b51ab6167f1edcaeedcc54c05f2ce670ef5f0a88bebd16069407a0f78d0e9345e74a69dd61240c

Download Submit
C:\Windows\SysWOW64\Hicpgc32.exe

Filesize
312KB

MD5
8f9aa221e924a4e29db6eff3f3704a92

SHA1
1451f560866926f9b23f7b74c7c450c351b41ae2

SHA256
8fe80641ac15d31a38121178486e776790dbf479c6596ca5ee96ce653c83dae7

SHA512
e86a692336df393fa170ce6595ae8f8cc58ec3bab29cab3cb5ac12711d24310a81ff69b3cbfe3e5cddfdd619713c23824281d28196184a3d1c9ef866dbbd2552

Download Submit
C:\Windows\SysWOW64\Hicpgc32.exe

Filesize
312KB

MD5
172a6761c495b6806696befb6f62f617

SHA1
f94b1d8d83fa8a159e3fc762f4c7e4d0185a5358

SHA256
0bdbd953bab1674056de5a12633d3525712e94b331c6dbac68799172713b349a

SHA512
a71084cb1fb93aca2e3151f3ef0d94b232a288af46fd128a2345ff784648ca22b800690e3cf4c4ff7959bee7fc245693e31b4f98b7b8a5e9042d9d2a7e2eb5c6

Download Submit
C:\Windows\SysWOW64\Hkmlnimb.exe

Filesize
312KB

MD5
e686d93f3ca3e665b617ba74ba92b361

SHA1
a38a85639ab1210492f5bbf7fcbc3f56a3f681e3

SHA256
98742d9aa86843da18d99a06bd906f657aac31a1c784923367d410490be26872

SHA512
f10cd6df79e50cf8e520a862fcfe8fde411628bf0ca617ddcdceaed3f8728a60b34cea5796d5b162b74cb87f2259776af1766c4e071d24b6104d34f4c8b19970

Download Submit
C:\Windows\SysWOW64\Jadgnb32.exe

Filesize
312KB

MD5
79c9d3214439454c6c2367bb4d8a5325

SHA1
e6f49b9b79c3be4c064611e73f6cc3af4bb03479

SHA256
13b0e42fbcb36e59c164419d0c9d5189fb0b8c31f872a4083d35f6b54970792c

SHA512
493b1e8678df1216f2f8e22b09e1f612c35ac0a1b417a1e5442b3cfa685bfc2c586931e0adf85ad488584876a327468be1287d40c3862dc33c7c735a198f9317

Download Submit
C:\Windows\SysWOW64\Kedlip32.exe

Filesize
312KB

MD5
9f01f555c929e81fbc198f49da81eacf

SHA1
114cea72e9841099cb485df427c6f7ab959723d4

SHA256
6d38b13fdf0ca0364eb57d73132038a6c70598d94d9780261aed88dd870ec359

SHA512
0c589ef958ac5080b8aa939bf54001dea25e3e1bd9c13b47514fd7a3dc3b54dee49bc9420d40781f4988c3a623fcc1ec2eb14a1dd93676bc7e986bcbf50ae47a

Download Submit
C:\Windows\SysWOW64\Loacdc32.exe

Filesize
312KB

MD5
e08c2d8ada94deb9d334b8864126f226

SHA1
bfff0fc324c56831dee6c101b901cdcc01a431da

SHA256
ad1fd1f927a7f75b1e6cbc646d8878a29c6b7612feebe87271cb32c894da9862

SHA512
bb12c6d0a839ff91d34f3641f9f3c3b849c5957c87a7e00414b2d67ca3efd14dab5d869e41e27036a85951ee033c221838f41ac9ac1eb9a590dda9ea89837028

Download Submit
C:\Windows\SysWOW64\Lojmcdgl.exe

Filesize
312KB

MD5
c5a53f42a0b3aff9a3aa647a08986575

SHA1
32b951187ac1d68d92ad14b4fc7c80c79020cf59

SHA256
c1ab57d2c96abcf8e7fa507df749878f4aa4ba3c3c36d1b0b9d648b40d2b1a8f

SHA512
6923b74e8fee1cd44868424acb3f6acdb1a75c5ffabdc8066cbb51ac3ee1a7355628cb5d19ae27e4a6de266a19866b2264e69c5c0a8eba92749e5f18156b3303

Download Submit
C:\Windows\SysWOW64\Loofnccf.exe

Filesize
312KB

MD5
e1f2b41528fb1558531c435977c9c3be

SHA1
24c9dcd28e7867e415a8376ca6827160583f9926

SHA256
fe149d66b2a89682ee33215e336221be34b8a67d5a7769573b4ef35f42720922

SHA512
31e0bf3014441b125cab4ad63a97ea29bd90932b5331982bfb86d873e0add1060f23de26b25ce7f079297c9a6b3e4a00b1dc99ecec3734c22776cceedca3c798

Download Submit
C:\Windows\SysWOW64\Mcabej32.exe

Filesize
312KB

MD5
78dc254923636e8c2f07dee65dcca66a

SHA1
915aa2ff33ebed131ee0e6af45e38c151969f30c

SHA256
087f05e0788739451d7572434c295098bd7424a025a1b0f25170d187b9c256ca

SHA512
599504004cf623caae63d2dafc11217deccf873b38891e3cf1eadaefc8a081e2fac3fbb568d1e55f1f4c8668dc464afbf052c14a1f123161d7973e8f60dd395b

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
312KB

MD5
502a7e115138efbeec54200b68f298c2

SHA1
d4bfb9ec8d25d9b22234d16e1b2d823fd564dd96

SHA256
b64cab97d317b3ee8b6fbbc968dda1da2fa39c83a070560610ce4d01f94213d0

SHA512
28ab9b5b9f6cad9eef64c826506113da1692e0144c7213d2143bbe0de443df55b23fc60adace8420b5ed5deee28eddc83a3526d3e1edecd2451cb82e5b312e3d

Download Submit
C:\Windows\SysWOW64\Ncpeaoih.exe

Filesize
312KB

MD5
6098990988efe0a071165290827a1494

SHA1
7c6ff5f94caab9dcebab11fc1d6ed705e88f20ad

SHA256
3aff29c7c3675b253d7443b8595aecad1ef7ef8ada2f71a52ef52cf1f5142396

SHA512
b15a5314b0e936b3b38ec5134e4f90e77b293680d7243dad87d9fc79fd2441ee9fc57a94f2c6835c6fdc40f4dbf8bbbc9a4c0d7b089ec7497018e5367b6286c4

Download Submit
C:\Windows\SysWOW64\Njbgmjgl.exe

Filesize
312KB

MD5
58ac025b2d06033eac3146caf816b4a9

SHA1
1f021c16563fa5294faca8b371a7de3b2afa4791

SHA256
fd26d999f5cdac2492ff40d92221e07f3ad76155f1046db64e2e7fbfd2ef9034

SHA512
57bc165ecf70f23c70ee29c52839f8d54e85952f39e7f5f8c504939c417243409cc6557ab4fba06e42e64def7de41c7d872cd8a72afbb6465f858898a11be38d

Download Submit
C:\Windows\SysWOW64\Nomlek32.exe

Filesize
312KB

MD5
453348da5701b232d22a300958ccabb0

SHA1
6e24cc8548a10b73c9283e7039c12e6f00a60306

SHA256
4ae44a9c91329b8292e27aeccdbe42ec0f4c1b2a619902bda8ffa9a85bc97b51

SHA512
d5e9cc45abf061ff16c321bce95babd2106bd3fca47c1780154435b3b9f4c9c562f97814c18f9b023447bfc22eb357b1aa7c1f91bd9560b0b3081f491c9ddcd6

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
312KB

MD5
e161e0766ef1b7f14897c173042d7ad0

SHA1
bbf980ce108e956e796713a694ecf538d9685317

SHA256
3a2e370642c8f7ae29e3a6a1225b811fce3118c6ebd0be636b4df9a90e7e1f2e

SHA512
ad0bab0ca75ddefd32bd79002090c714051c4669e2a1fc013720e8e82fdd61300e029a2be868a278d9e3821769fc2ce4c94fafe9bbf03d6a4f4ea482d69c5ff4

Download Submit
C:\Windows\SysWOW64\Pfepdg32.exe

Filesize
312KB

MD5
e8b801eb14919bcb1badb7679ddfb521

SHA1
e689f020a8d49c3af65b1e666ad5d563b2f0137d

SHA256
65de046244b127afd20014e27dc801c677573bd14a1cacf9a363331b3fc77ff6

SHA512
e21496fee8ab76c29d2a3f7474709d99d6c75f86f24d515ea809fc0fa4e987b0036b8fb9bcd98e6dcaee6b4e113dc08e6ea9c72c49d0809a593c1f9c7692ffdf

Download Submit
C:\Windows\SysWOW64\Ppgomnai.exe

Filesize
312KB

MD5
04d8ac5541f73e5b0f693edc583e5607

SHA1
f7b5d38395f086b97b869c7bd4de1bf1e993312d

SHA256
6b87971731649e6204ebba3adb4afb6ce63c12ac0d2b0e70072497d872895ac7

SHA512
305c2c27c58df85f17c70709f692087fa9dc35a10adb529264730ad3d05e7777293ed89bfdf2c46cac71a2a3e87b698c2876f605c836f504b7ea056ca3a90787

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
312KB

MD5
723eae39258d074423832dfc5500237a

SHA1
b052b40eacc4b5a3be537d5c2e5e40495924b022

SHA256
c9edbec72f0d4296c4597d13fa22d807a089af9bc9c9b60780d940455ee38c2a

SHA512
998c0cbf3b49f71f0823340340c1f9a65e0bf1f6ff1e77267e86f62ecc6ce32be0ec69d965f02fbc0dc77518357abdc5c87f041fae78745b195a6cf66219f2c2

Download Submit
memory/220-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/376-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/512-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/676-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/716-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/732-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1032-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1248-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1296-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1332-548-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1424-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1804-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2308-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-555-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3456-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3648-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3656-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3688-536-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3692-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3844-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4076-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4772-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-523-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-554-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5140-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5188-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5256-575-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5300-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5348-593-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads