ccaf0f9afec576f439a9e4a702fea44adcab866a51622c5f41f30d2447c4949e

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccaf0f9afec576f439a9e4a702fea44adcab866a51622c5f41f30d2447c4949e.exe
Size

768KB
MD5

ae441c1c6986901dacbebb97f64bb552
SHA1

52f770d62bc6b123224084e9010fa00f808e3cc0
SHA256

ccaf0f9afec576f439a9e4a702fea44adcab866a51622c5f41f30d2447c4949e
SHA512

edd072123008b3a386cac40e8add6fee108b5bc37b05741b5a6af2955da1b4ef73419a705b399d77a837de2f00d43c6e045d3bdad996a2063a07ef39faead8bf
SSDEEP

12288:cXg+vv6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvO:cXguq5h3q5htaSHFaZRBEYyqmaf2qwiv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlolpq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmfefni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooclapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hehdfdek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajaelc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jojdlfeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnmlhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbfhal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gghdaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haaaaeim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgbqkhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieojgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibegfglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modpib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaiqcnhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdknpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdknpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igajal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaifpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lokdnjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njbgmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqdkkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejqldci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jebfng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hioflcbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcjqgnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnhkdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igjbci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiiicf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klggli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimogakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaifpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enkmfolf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haaaaeim.exe

Executes dropped EXE 64 IoCs

pid	Process
5008	Igajal32.exe
3436	Ioolkncg.exe
4644	Jiiicf32.exe
4984	Jebfng32.exe
32	Jlolpq32.exe
464	Kpcjgnhb.exe
4976	Lokdnjkg.exe
1016	Lqojclne.exe
4556	Njfkmphe.exe
3780	Oaifpi32.exe
3088	Ppgegd32.exe
4436	Pmnbfhal.exe
3112	Pfiddm32.exe
700	Qjiipk32.exe
2996	Ahofoogd.exe
2256	Aokkahlo.exe
988	Apaadpng.exe
5004	Bpdnjple.exe
4444	Bklomh32.exe
2224	Cpmapodj.exe
2100	Ckebcg32.exe
4704	Cgqlcg32.exe
3932	Dojqjdbl.exe
4400	Dkcndeen.exe
2016	Eqdpgk32.exe
1412	Ebifmm32.exe
5024	Fooclapd.exe
3388	Fdlkdhnk.exe
1160	Fofilp32.exe
3852	Gokbgpeg.exe
2884	Gghdaa32.exe
2544	Gpaihooo.exe
2112	Hioflcbj.exe
2912	Hehdfdek.exe
3368	Hejqldci.exe
5100	Haaaaeim.exe
3948	Ieojgc32.exe
2040	Ibcjqgnm.exe
4256	Ibegfglj.exe
2432	Ibgdlg32.exe
4308	Ibjqaf32.exe
1228	Jaonbc32.exe
4320	Jaajhb32.exe
3268	Joekag32.exe
3616	Jpegkj32.exe
3372	Jojdlfeo.exe
2392	Kbhmbdle.exe
4876	Khgbqkhj.exe
4084	Kpqggh32.exe
3604	Klggli32.exe
4588	Lljdai32.exe
4604	Mjggal32.exe
1544	Modpib32.exe
832	Mjlalkmd.exe
3324	Njbgmjgl.exe
2472	Nbebbk32.exe
732	Ojnfihmo.exe
1164	Ojqcnhkl.exe
4208	Pbcncibp.exe
2348	Pbekii32.exe
560	Pplhhm32.exe
212	Pmphaaln.exe
2236	Pfhmjf32.exe
4840	Qbonoghb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ibdplaho.exe	Igjbci32.exe
File created	C:\Windows\SysWOW64\Gdqeooaa.dll	Jacpcl32.exe
File opened for modification	C:\Windows\SysWOW64\Jebfng32.exe	Jiiicf32.exe
File created	C:\Windows\SysWOW64\Ojqcnhkl.exe	Ojnfihmo.exe
File opened for modification	C:\Windows\SysWOW64\Abhqefpg.exe	Amkhmoap.exe
File opened for modification	C:\Windows\SysWOW64\Ekljpm32.exe	Egnajocq.exe
File opened for modification	C:\Windows\SysWOW64\Hqdkkp32.exe	Gdknpp32.exe
File created	C:\Windows\SysWOW64\Dbcdbi32.dll	Bigbmpco.exe
File opened for modification	C:\Windows\SysWOW64\Enopghee.exe	Eddnic32.exe
File created	C:\Windows\SysWOW64\Hnggccfl.dll	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Oaifpi32.exe	Njfkmphe.exe
File created	C:\Windows\SysWOW64\Gokbgpeg.exe	Fofilp32.exe
File created	C:\Windows\SysWOW64\Ibjqaf32.exe	Ibgdlg32.exe
File created	C:\Windows\SysWOW64\Jaajhb32.exe	Jaonbc32.exe
File created	C:\Windows\SysWOW64\Efoomp32.dll	Aaiqcnhg.exe
File opened for modification	C:\Windows\SysWOW64\Jjdokb32.exe	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Gpejnp32.dll	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Kpcjgnhb.exe	Jlolpq32.exe
File opened for modification	C:\Windows\SysWOW64\Fdlkdhnk.exe	Fooclapd.exe
File created	C:\Windows\SysWOW64\Ecipcemb.dll	Fofilp32.exe
File opened for modification	C:\Windows\SysWOW64\Qapnmopa.exe	Qbonoghb.exe
File created	C:\Windows\SysWOW64\Aanpie32.dll	Qfmfefni.exe
File opened for modification	C:\Windows\SysWOW64\Pmphaaln.exe	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Dcmnee32.dll	Jbbmmo32.exe
File created	C:\Windows\SysWOW64\Kongmo32.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Kaaldjil.exe	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Lbcedmnl.exe	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Ibdplaho.exe	Igjbci32.exe
File created	C:\Windows\SysWOW64\Ijikdfig.dll	Ahofoogd.exe
File opened for modification	C:\Windows\SysWOW64\Kbhmbdle.exe	Jojdlfeo.exe
File opened for modification	C:\Windows\SysWOW64\Mjlalkmd.exe	Modpib32.exe
File opened for modification	C:\Windows\SysWOW64\Qbonoghb.exe	Pfhmjf32.exe
File created	C:\Windows\SysWOW64\Jopaaj32.dll	Hghfnioq.exe
File created	C:\Windows\SysWOW64\Oefgjq32.dll	Hehdfdek.exe
File created	C:\Windows\SysWOW64\Dohnnkjk.dll	Acqgojmb.exe
File opened for modification	C:\Windows\SysWOW64\Jbncbpqd.exe	Jhhodg32.exe
File opened for modification	C:\Windows\SysWOW64\Jhhodg32.exe	Jjdokb32.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Jebfng32.exe	Jiiicf32.exe
File created	C:\Windows\SysWOW64\Dolqpa32.dll	Lokdnjkg.exe
File opened for modification	C:\Windows\SysWOW64\Cmpjoloh.exe	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Gclafmej.exe	Gnmlhf32.exe
File created	C:\Windows\SysWOW64\Gdknpp32.exe	Gclafmej.exe
File opened for modification	C:\Windows\SysWOW64\Pmnbfhal.exe	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Nhhlki32.dll	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Dggkipii.exe	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Ghfedh32.dll	Fdlkdhnk.exe
File created	C:\Windows\SysWOW64\Dpagekkf.dll	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Fdpnda32.exe	Fboecfii.exe
File created	C:\Windows\SysWOW64\Eocmgd32.dll	Gnmlhf32.exe
File opened for modification	C:\Windows\SysWOW64\Jbijgp32.exe	Ibdplaho.exe
File created	C:\Windows\SysWOW64\Qfmfefni.exe	Qapnmopa.exe
File created	C:\Windows\SysWOW64\Jbncbpqd.exe	Jhhodg32.exe
File opened for modification	C:\Windows\SysWOW64\Jlkafdco.exe	Jbbmmo32.exe
File opened for modification	C:\Windows\SysWOW64\Bklomh32.exe	Bpdnjple.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Mlmadjhb.dll	Pplhhm32.exe
File opened for modification	C:\Windows\SysWOW64\Gnmlhf32.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Fljloomi.dll	Hnhkdd32.exe
File created	C:\Windows\SysWOW64\Oaifpi32.exe	Njfkmphe.exe
File created	C:\Windows\SysWOW64\Apaadpng.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Biepfnpi.dll	Ibegfglj.exe
File created	C:\Windows\SysWOW64\Alapqh32.dll	Mjlalkmd.exe
File opened for modification	C:\Windows\SysWOW64\Pfhmjf32.exe	Pmphaaln.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6436	5828	WerFault.exe	217

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibgdlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbonoghb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqeooaa.dll"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpmamlm.dll"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njfkmphe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pboglh32.dll"	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngmnjok.dll"	Qbonoghb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoomp32.dll"	Aaiqcnhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnhkdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfnqg32.dll"	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lokdnjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbofa32.dll"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaiqcnhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ccaf0f9afec576f439a9e4a702fea44adcab866a51622c5f41f30d2447c4949e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljloomi.dll"	Hnhkdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enkmfolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alapqh32.dll"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilcaoaif.dll"	Hqdkkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqdpgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haaaaeim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfbpdlg.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojfj32.dll"	Hioflcbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmgd32.dll"	Gnmlhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqojdee.dll"	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hioflcbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haaaaeim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll"	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fooclapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgldbkn.dll"	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcgahca.dll"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopnkd32.dll"	Dgdncplk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 5008	3304	ccaf0f9afec576f439a9e4a702fea44adcab866a51622c5f41f30d2447c4949e.exe	92
PID 3304 wrote to memory of 5008	3304	ccaf0f9afec576f439a9e4a702fea44adcab866a51622c5f41f30d2447c4949e.exe	92
PID 3304 wrote to memory of 5008	3304	ccaf0f9afec576f439a9e4a702fea44adcab866a51622c5f41f30d2447c4949e.exe	92
PID 5008 wrote to memory of 3436	5008	Igajal32.exe	93
PID 5008 wrote to memory of 3436	5008	Igajal32.exe	93
PID 5008 wrote to memory of 3436	5008	Igajal32.exe	93
PID 3436 wrote to memory of 4644	3436	Ioolkncg.exe	94
PID 3436 wrote to memory of 4644	3436	Ioolkncg.exe	94
PID 3436 wrote to memory of 4644	3436	Ioolkncg.exe	94
PID 4644 wrote to memory of 4984	4644	Jiiicf32.exe	95
PID 4644 wrote to memory of 4984	4644	Jiiicf32.exe	95
PID 4644 wrote to memory of 4984	4644	Jiiicf32.exe	95
PID 4984 wrote to memory of 32	4984	Jebfng32.exe	96
PID 4984 wrote to memory of 32	4984	Jebfng32.exe	96
PID 4984 wrote to memory of 32	4984	Jebfng32.exe	96
PID 32 wrote to memory of 464	32	Jlolpq32.exe	97
PID 32 wrote to memory of 464	32	Jlolpq32.exe	97
PID 32 wrote to memory of 464	32	Jlolpq32.exe	97
PID 464 wrote to memory of 4976	464	Kpcjgnhb.exe	98
PID 464 wrote to memory of 4976	464	Kpcjgnhb.exe	98
PID 464 wrote to memory of 4976	464	Kpcjgnhb.exe	98
PID 4976 wrote to memory of 1016	4976	Lokdnjkg.exe	99
PID 4976 wrote to memory of 1016	4976	Lokdnjkg.exe	99
PID 4976 wrote to memory of 1016	4976	Lokdnjkg.exe	99
PID 1016 wrote to memory of 4556	1016	Lqojclne.exe	100
PID 1016 wrote to memory of 4556	1016	Lqojclne.exe	100
PID 1016 wrote to memory of 4556	1016	Lqojclne.exe	100
PID 4556 wrote to memory of 3780	4556	Njfkmphe.exe	101
PID 4556 wrote to memory of 3780	4556	Njfkmphe.exe	101
PID 4556 wrote to memory of 3780	4556	Njfkmphe.exe	101
PID 3780 wrote to memory of 3088	3780	Oaifpi32.exe	102
PID 3780 wrote to memory of 3088	3780	Oaifpi32.exe	102
PID 3780 wrote to memory of 3088	3780	Oaifpi32.exe	102
PID 3088 wrote to memory of 4436	3088	Ppgegd32.exe	103
PID 3088 wrote to memory of 4436	3088	Ppgegd32.exe	103
PID 3088 wrote to memory of 4436	3088	Ppgegd32.exe	103
PID 4436 wrote to memory of 3112	4436	Pmnbfhal.exe	104
PID 4436 wrote to memory of 3112	4436	Pmnbfhal.exe	104
PID 4436 wrote to memory of 3112	4436	Pmnbfhal.exe	104
PID 3112 wrote to memory of 700	3112	Pfiddm32.exe	105
PID 3112 wrote to memory of 700	3112	Pfiddm32.exe	105
PID 3112 wrote to memory of 700	3112	Pfiddm32.exe	105
PID 700 wrote to memory of 2996	700	Qjiipk32.exe	106
PID 700 wrote to memory of 2996	700	Qjiipk32.exe	106
PID 700 wrote to memory of 2996	700	Qjiipk32.exe	106
PID 2996 wrote to memory of 2256	2996	Ahofoogd.exe	107
PID 2996 wrote to memory of 2256	2996	Ahofoogd.exe	107
PID 2996 wrote to memory of 2256	2996	Ahofoogd.exe	107
PID 2256 wrote to memory of 988	2256	Aokkahlo.exe	108
PID 2256 wrote to memory of 988	2256	Aokkahlo.exe	108
PID 2256 wrote to memory of 988	2256	Aokkahlo.exe	108
PID 988 wrote to memory of 5004	988	Apaadpng.exe	109
PID 988 wrote to memory of 5004	988	Apaadpng.exe	109
PID 988 wrote to memory of 5004	988	Apaadpng.exe	109
PID 5004 wrote to memory of 4444	5004	Bpdnjple.exe	110
PID 5004 wrote to memory of 4444	5004	Bpdnjple.exe	110
PID 5004 wrote to memory of 4444	5004	Bpdnjple.exe	110
PID 4444 wrote to memory of 2224	4444	Bklomh32.exe	111
PID 4444 wrote to memory of 2224	4444	Bklomh32.exe	111
PID 4444 wrote to memory of 2224	4444	Bklomh32.exe	111
PID 2224 wrote to memory of 2100	2224	Cpmapodj.exe	112
PID 2224 wrote to memory of 2100	2224	Cpmapodj.exe	112
PID 2224 wrote to memory of 2100	2224	Cpmapodj.exe	112
PID 2100 wrote to memory of 4704	2100	Ckebcg32.exe	113

C:\Users\Admin\AppData\Local\Temp\ccaf0f9afec576f439a9e4a702fea44adcab866a51622c5f41f30d2447c4949e.exe
"C:\Users\Admin\AppData\Local\Temp\ccaf0f9afec576f439a9e4a702fea44adcab866a51622c5f41f30d2447c4949e.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\Igajal32.exe
  C:\Windows\system32\Igajal32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\Ioolkncg.exe
    C:\Windows\system32\Ioolkncg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\SysWOW64\Jiiicf32.exe
      C:\Windows\system32\Jiiicf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        24⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        25⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        32⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        34⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        43⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1228
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        45⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        46⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        49⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        51⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        58⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:732
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        67⤵
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        69⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        72⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        73⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        76⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        78⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        80⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        83⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        85⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        87⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        88⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        90⤵
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        92⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        95⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Hqdkkp32.exe
        
        C:\Windows\system32\Hqdkkp32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4896
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        100⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        101⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Hghfnioq.exe
        
        C:\Windows\system32\Hghfnioq.exe
        102⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        104⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        110⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        113⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        116⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        118⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        121⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 400
        122⤵
        Program crash
        
        PID:6436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5828 -ip 5828
1⤵
PID:6240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:6548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
768KB

MD5
cc0af57bcee61b1d1c8b50badbfa9202

SHA1
6c192b8f173ddd0f0757eba20f37faf39f10aa24

SHA256
f30d4986d220c31ac067f82d3ab7836c50ce922e772e3a2b51f279c2229d396e

SHA512
a5e9f85f64fdc2405877fcbfdb2f2e6a2fb6ed4efc1f04d55f1d0aa5ce00f4718f3a9513c6da265438a1f5313c1b674227104302bc9bdf3774c854a4913d6c5b

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
768KB

MD5
94cc491aabd86c93b98e5ead6bb13c59

SHA1
ea81445bc7139f7cfd99af9dac3f03a6ea0fa8ee

SHA256
14170e868ab15fd9becbf6cf522fa16a81225608bf7ce784c660a4005cc78729

SHA512
fa3777d523c8d8f9a58ee88389fe78768100568d2e5bd4ab477813c4626924a96170a01b81304545a6a0cc5790b502c50a4d9e0a86a8b7167ca131a757b04025

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
768KB

MD5
3962d29be5dc2b346faf8d5838bf4904

SHA1
e9b9181d508765c9e1bd774b69c033d950a5ea87

SHA256
d69da80c46b4a402bef74bd1ae59ba0a8b5b0a48df8d993f53cdec52c9497534

SHA512
fe5f11c6ffa1eae86f2ed6881025b0804cc5773df24fbef0124811fb076a98ace3fc7889e945ff0315aaea98a098f2c296f80432b0e87cbfb027bca6348d4f1d

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
768KB

MD5
87f8d00872263580e875339404bed052

SHA1
e337ce119a5b9af6713c86bcae519886d39c717f

SHA256
3f2e30b1eca94a1c776da63662ad15d4825b4557ea796ca5543b1d1d18b12fda

SHA512
dde7a25bb8b779b67442253ea9310a33a2f5736640d3deb1e8fa9c97a33ffd7efe0c27aed2cdb5c064ef13453b48be9d5492d09e8ee23640b0144843e10afcf6

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
768KB

MD5
e6a69393e20e955d42cf07c6a055b007

SHA1
56a8a2faefd05eaaa578fdafb431b5e9a6fd3856

SHA256
7ad29b8a815f0af21c4ad7f752fa0dfcbcb32b45a4adb397c160cb3838d73cf3

SHA512
2045fcedec843ba1bae367d9b7d3e419f2365e4ea01068846c2bf561560e8b4a85b00581cff876579182b206d028418dbf69ebe97f3c117b11776b06a6c66e9d

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
768KB

MD5
0fcd8551887d6f2e2b1444c6bf68c537

SHA1
02b8b60c7744e52e6401ffdb0e4d8b3495692112

SHA256
775ba80c20908a04130af17f373afde0e36bff2b6df476fe9c956c5410977b7c

SHA512
5a4cd5a4731a4e9378e047b2d7adadd14d643c69ca166cc3defe178ba9eeb009d64c25ecf317b0561571a2a42cc7b38f2927a797f00e9471d655e36125d030f8

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
768KB

MD5
b5ac0737b9da743d166b32f6a69d6692

SHA1
80b47c176bac8f06bf2cad194b2e75c914ca3992

SHA256
e9ab5f6c17939a1066e2a2fdaf455665fd07192191e0570b850f4abf08d17f82

SHA512
15cbd7d99e646ddb4f0144f249d06a473b26c597c12a8b7712eb23df229cbbe049dc2ec7278263efeb1e9524c903fa4d416777cfbd2981f0b6932e26d2135367

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
768KB

MD5
5b992cffd73914591157b62a04997b8d

SHA1
92787b6528315a7bc02ef23fd3140ac8becf8a40

SHA256
f7e063edea3e03bf0d02640d4a1ca9921697e38fdda103b754121501fa51505c

SHA512
dce9a9576bb555958204c75ee683b48cca9883a69fecefe1cb05d773f2db45ac8ff8e81a24a5c457c85cc974e91b9b380026a06ff255c4dfb8695bd9cd6fa097

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
768KB

MD5
a43e177a304465c4036ccb6736561e2b

SHA1
061ed91801fccabacc98f0a340a23e01f7509315

SHA256
066f17a63e74b030d150917c31b7a166294350278e3c35c56f3e295c8b455143

SHA512
19630a4100b471c0c4abb4992449abea0c910dde9d70cf78488008ad62c6deebe15b287a710b3dbb501f498e829c46377e5d347406b1a21c2de1a09562a5accb

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
768KB

MD5
20c9529be846f7c5077dcc870d9f0f69

SHA1
90f51feecad9ed9e61ba316a89951141c43ed720

SHA256
28bba7cbe84fec49be02643e022a1581c32947625f74760ac50c20f128d5c0b9

SHA512
96ed8103545a2eb0be7ed758a95a490885b617308db0c94b285bb175ce044990a044dbdda8a6e18b21ed69550ba850fe5d8d9d5e3341d184c6a631d5017a7f1b

Download Submit
C:\Windows\SysWOW64\Dkcndeen.exe

Filesize
768KB

MD5
71c329978673520817cb57f5770bdf8c

SHA1
ab303e3b1aa8bd7ee61be48f6a47f464b95fefba

SHA256
668e371aab828e516df1816689ae7b01457583b6c1953530b2644a1f526003bc

SHA512
4f2f424749c32be54410d27a9e306592a6da748eac3637faad6137f72ef09b52760566661d5d430dae9651ef3a657e3fe3b75620ef413785a4d59ad9f80f434c

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
768KB

MD5
adb050f0743b96904d33e20c81cfe094

SHA1
3ac505be07c51a84694c0b019ea25c8c782d37f8

SHA256
0274a85ace9f31924fc4c2df4f3c30a7a15eebcf3bbbf00e3f6c90161ab4d9c5

SHA512
461065b5fb6c78ba2fe0793435a6088b0a0bcdc5bdcc98c568892ba2b9141346ad6d22eb16ced22c312eb143f56feeabcd5125d2406e4f3b5311b26a0c6ffe69

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
768KB

MD5
918a2b26f357e6e229e6408ee1b83d2c

SHA1
4640d659f918eb384e3080bd8af1f76140f50c33

SHA256
477786f8e90a567ceed7b692c1b4808f6df96a64702bdfddc3daf78d4702e1fd

SHA512
b9a8c92ecd82301141e08592daa78b16e47b3663f709f24142a2afbab869f1f4cee9e33691a25375bbc4c65c5f76a938bdfcae83e60c74227f328908ad5ba6b1

Download Submit
C:\Windows\SysWOW64\Ebifmm32.exe

Filesize
768KB

MD5
845ef9a0da5996fd0b0b482bddb07514

SHA1
e62ef6006541244fa024ffdc028def47129ce74e

SHA256
4771aa1329761f2599620ae0affa07efc26cdc8cb06d483924a8f5797db8778c

SHA512
5da3a3f8697916477b0f27a1e1d08eaeb1a5a46e19516bda9f8dd0e8329aa61cff2ac8307469b28cf9a0a81454bdd1351202a6e1f506de67ac4c20fa1633a229

Download Submit
C:\Windows\SysWOW64\Eddnic32.exe

Filesize
768KB

MD5
068ae4ca267681ce878c162dd740e206

SHA1
39864c6cb585637cf16fb37d3c3016bc9abab459

SHA256
913d2f1592e897af1a84150364be4c7b8a58a3ffd5cd7bf32ff37d3bf514872b

SHA512
5e49d2a5025097e0851e0420144b184a60e97264f1c781cc3c885b3a09b793c054ddb7ccc0be563d55ac56d298f78f9ab5d548d4e49eb80067cbacc620ede1ff

Download Submit
C:\Windows\SysWOW64\Eqdpgk32.exe

Filesize
768KB

MD5
c7792bf761c308c14089146c8e265519

SHA1
7bf3c0732305bfab265c806735123f0a77835ff0

SHA256
700dd65adfe973e363496198b5fc07e506fb1a29ad1dce9d9e57454c04c6230a

SHA512
bcfa266cd6518047ced2853e89574ffffffa7ce076889c651bbefe441c1a39357f599b90d5512c04522370484e7b8f97dc46588b9addb467ad654dd531075d11

Download Submit
C:\Windows\SysWOW64\Fdlkdhnk.exe

Filesize
768KB

MD5
c236fc7bb52aaf13dd240c348c112b36

SHA1
03a27c9a9b2c139ea8e0ea5b2a4d0642311a8be1

SHA256
092659d06540efb1673b7ce0ea751f312816dc142ecfb821e6998c1637da1502

SHA512
9059e85f0572327f587539248f1dc1e804dee88b1f58c50498e6595fe3224c336f84dfa6907e0da7d3e4599d3fd9bf6d5d37fcde8f65120cc1f2cb2cb735419a

Download Submit
C:\Windows\SysWOW64\Fdpnda32.exe

Filesize
768KB

MD5
a23d05a059b3301c84fdc28a06716209

SHA1
3cd60efb008708869fb0809d60dcae09b8f8cb5a

SHA256
e1dcf4c125842a2eac9e64a8c109fdd9539a4565eb023f2669d4edb7cdaba08e

SHA512
e0653a783faa4bd3e26a5d8ac9744a073e83b9423c1972d51308c496dbadbeb4bb447776509c876fe64d48039391ca24643d8b38a051d005f2bf8c453e0e8ef8

Download Submit
C:\Windows\SysWOW64\Fofilp32.exe

Filesize
768KB

MD5
fb6352f28d55194f9b01bb5752cea069

SHA1
baa15eccd61d21e5d6b4c88553aa075763ce0527

SHA256
9e5d71483763e8a0cad730b20dc6b2a01388581e2610c33bc1b7edca499979c5

SHA512
f5154fa9d8fff30bb557da303b4887fc72d1cb385ad94b297abeffbca07faa46b65bad051bf595e568c2afbb4b573172b6e79258cef901002f552a5eaa227a23

Download Submit
C:\Windows\SysWOW64\Fooclapd.exe

Filesize
768KB

MD5
ad66c8afb3daf61ad0059d5bfc86e5c4

SHA1
2f4de6d5e47a50ad4eb0ed8aa43fa92e45c65d63

SHA256
2bbd717dd3f210f764f7b401bd69e87fed07cdb4ab69e134ca43490cef8d197d

SHA512
b6abb7d51cf2195ee09a38db7343f079a30224fa156b52dd237c1e89a83b307445ff3502d3a934afe4a6fce91e7c365f4f0d0eeb551413791fd59579194f3372

Download Submit
C:\Windows\SysWOW64\Gghdaa32.exe

Filesize
768KB

MD5
f3bb182a00a396b9f20ae651dec43118

SHA1
18fffe6536c793ef3430b6c0adde5c84687a2f39

SHA256
826aae1e48033aba96895e9ebc92722e04d8d991e7c1b5b717d4fa7c22ac8d3b

SHA512
04f4d7fe0749bedb6715e84ff1da44a99f3ae657eb46eaf5babc6073865be24f2739006be1ec03945c7c2fa87adec3fd22ea86362663e6d3884c1dee3b96db19

Download Submit
C:\Windows\SysWOW64\Gokbgpeg.exe

Filesize
768KB

MD5
7aa769d4a078b8ec574d2ad6e7008490

SHA1
bce3d6ec7b600078f5bccf1b03951824f27d41f0

SHA256
ed55cad3cea6a993ec9c31fc4ac639ec5d6260e193f65456b323536b5024e03b

SHA512
79286be79bb3937c4f30af60f2c42053942d0a2ddde8061ef729d7baa26a968f3fbd22fa5af075a34a5bbdea41800e2bcf2fd9295d0efdde3cf60598aae0917d

Download Submit
C:\Windows\SysWOW64\Gpaihooo.exe

Filesize
768KB

MD5
ff89499eabe2b90848b823d05bd5b894

SHA1
41973da83f1ad2cb885c64dd843e4ac18a437e40

SHA256
b8f24e0331d8e732f3ac25238a5cc31f288e1e786417adebaaa2bcf08b6ffdcb

SHA512
a53326f5e715324062fe35892e9220c691f21addd2301e0f8aac686ec2938ca8573999547600f0f71e5fef22e0ddf64d4e088d670ac67530ff00758268ba392b

Download Submit
C:\Windows\SysWOW64\Hioflcbj.exe

Filesize
768KB

MD5
d85b4087415a0b23dc2882fdc7284b03

SHA1
a8fbb362af91b8471b45fd360e24607968a2cffb

SHA256
eff5829096c1d7f81908409c25bf02e23a9fc3b48ab6eb0d457c837dd5665071

SHA512
516bb2171b96729fca98aac18bc791ae67076c4f6816042a4f962185001f4c129a447cf99c3800a2883bbd2b71d670b5edd99c021495222b894213d561bf11b6

Download Submit
C:\Windows\SysWOW64\Hjaioe32.exe

Filesize
768KB

MD5
da7fcde402564e2cb1f4374a09fbf8f0

SHA1
689bcdc609815c97c8ce2a8a4c3c71ce0e892d26

SHA256
702cc122eadb0c95ce73c6b25d210705268d95fbe6292dad8545df687558589c

SHA512
9d6fd07cbc73005b48aa7247d1466f5a142becac9fcabbb01f85c26e750c04ce7906069202012f7d0fcf5ffe6478b282b3072650ea022728c908a7c9d5019039

Download Submit
C:\Windows\SysWOW64\Ibegfglj.exe

Filesize
768KB

MD5
8fa0fbe882e418e367009678b3f79e13

SHA1
c91caf3b0a9cfce9d3e229644e67187a70e14ea0

SHA256
36f4267f372d35342daf7235db126d7f266c648c47cd3ca351e4f5a29dfa02d2

SHA512
f7234ed0200171892f73476c81b1b89b97a61e11bfec504d01321405ee3c4d559465b5dd3b502768ecfd99222918c945fe003ee91e1fa7909bbb82fc2a4f39ce

Download Submit
C:\Windows\SysWOW64\Igajal32.exe

Filesize
768KB

MD5
86dc3a0b5d14bb1e03029bc530a5b7ba

SHA1
425cc1f1946d81b2f694f1678cffa4324b0802d5

SHA256
4082a0894fd3840f0c61f955bed4e66ccfa7727f6c5f1d0dfecf5d0479f6a1ec

SHA512
eb9db5326333ce727021f2eacb40bc968646989c04b733960cbd17c3d900921e5ccc6b7989c87e5facb75d55622013e755ecb2765ed07bb356d8b161ca4aca22

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
768KB

MD5
6987a5120cdd39afa3b7ffa8a85d1ca7

SHA1
2c725dc20a9e37ede2e8e3cdec14739fc23771e5

SHA256
0f607b8b7d01a7107b6423bc34d2b4273534a1632d9a630a7a13f5f0510d2914

SHA512
b21b892c25c2e8e3f57cf878c92d871f1f2bac390f9431d7dbd2e021f537d7550fb2cc5fb83a5a3bff0433ff952ef468b903f39e30e8e7f8552b381309104013

Download Submit
C:\Windows\SysWOW64\Jbncbpqd.exe

Filesize
768KB

MD5
028b61c638c51b592c744f37da7f53dd

SHA1
28a66e31a6d79e573f37f2c9dacaf5acdcc779a7

SHA256
2199ce5442021eda612debb5319d9beefe036df6dedcec56ea9518a4118507a6

SHA512
06f0060782ad85447fd96ecb8340f711fecaacb6590fb3e88275f9aef192410eddb65ce849634778ca4b6ca898f1c742391be17fcdf69665e4f90e5cc1688fc3

Download Submit
C:\Windows\SysWOW64\Jebfng32.exe

Filesize
768KB

MD5
e5d710716f8cc05c3f9dc9376393b6c8

SHA1
2c3af2b57dbaac5aae61bbbd691474950c4d179f

SHA256
1ed51a8ca63cfd3f779fc50f1a6ca187974314ae563e2b8c1af272dad9cf6db1

SHA512
811ab41dce2bef8a74322469a8b3470ee885208be4aa83fc6d6fa0fcee1ddb89f0835c2f41389a91deeeb181c8ff3ac8729bc129700306d297e977c1a3b491c6

Download Submit
C:\Windows\SysWOW64\Jiiicf32.exe

Filesize
768KB

MD5
9ae1ab2064c6005b529aa452d9ba6765

SHA1
5a932a843dd1bd90dbb02bec9d868e46c58d2ea0

SHA256
3858f446a27f53d1495445ee4b17f7e8079e5a05d811e7c5affb4e873ad9483a

SHA512
4a5e41a76e903ed56cb58c7457ecea23e748a6f6013087212a3782c60a9355e13b08e8902fdf214d2163d1858629b72f15d416fd3d1c15347a123ecf95d2177d

Download Submit
C:\Windows\SysWOW64\Jlolpq32.exe

Filesize
768KB

MD5
e3fb10d8d66db62971d496b7ae30d287

SHA1
a1c88e3344b27b8ba44698748228625a1776037b

SHA256
368bac0b11d79660f94b78da40c80cd906f2885cc6bdd85cd1f620b532272b8e

SHA512
8c5f53715b46dcbf0cc6dfd41c298d7ebc9c4ce9ffe175e4b6c82d4058aa7875a467b1e61d07d57cc1540da4172bae7b0974fd80b05dce7b129f3e8079b61d64

Download Submit
C:\Windows\SysWOW64\Jojdlfeo.exe

Filesize
768KB

MD5
5df135adbabfe2f00b9119c8643a2bf6

SHA1
8887846fc1bb9edf77be855a260f726d8b32dff8

SHA256
e239c631bbea6c4b0be5b638d1f2cce9dbd0ea158656f52723164df97c18e4f2

SHA512
7c542497f743c8768f9734d448656c2ba7faf4e7081a10f754c1af820cfddba306b84d4e8c5693508bbe145bbd2e236f2122be56f8e6533a47933cd67abb4aea

Download Submit
C:\Windows\SysWOW64\Klggli32.exe

Filesize
768KB

MD5
ec26eb5e6487804faf6037c7edc97f62

SHA1
0014633baf8c5629d6b8ac6f7ac1b2515aed3c42

SHA256
a29542b66e861502b7d5adc82cb62cd0469b331ff20163d58028ea95119bf119

SHA512
b0da63333d515bc59bd8135be59272a990ca2708002d598a9d261498510a6914ce0ed132bc89c04ba22fbe7b5f38dc2e7ac43bcb5c594b70b88473f3982d2fcd

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
640KB

MD5
ac18327e201cb202ddc10f5793786113

SHA1
1bb9fa7ec6d1870463ca2b60324abeec304b0372

SHA256
485d295b20ed9fa9e33ede1d7744a732130a81e5d7844b9923c36cde14f36c9f

SHA512
1af5fc11cc4a78570b5d674a390c915608a6656cb7ad041a4e0d7cbe4771c55358c19e2fbcb21f903807d944098b49dd4b34f63ef3114a895cd514d65594dfa4

Download Submit
C:\Windows\SysWOW64\Kpcjgnhb.exe

Filesize
768KB

MD5
7c459b6a6661f4b547fe380f5134014f

SHA1
2179fbfe5119b292366d23c9c57968d19d826d85

SHA256
e041bd64211f52547a2d0b0af57929414ba88a7cc48f5ff11c7b082fcd7e9c8a

SHA512
33f5b6f76652e7bee5f309a6ddcfb1baa9ca4c2e4256fbac34eac2de0bc27572fda4d6d55e44d2952bc6e0562fdaafcb9a90e6d7ea252048edef627bdb05d09d

Download Submit
C:\Windows\SysWOW64\Lacijjgi.exe

Filesize
704KB

MD5
0e5f092c735e8c2ffb3547e8d7f9b08d

SHA1
28aa893c50518d96d87a074d1c3f311ad880a71f

SHA256
d202d5b1322c9d0e21a4a1aa2f4ac97ac61fa93989f98528e3a062014ab47a75

SHA512
e65568d995f5aca50adb897332f95ba3a47fb1d2aa132b243ab4d134c07e0f047b4a7ba94d6aac2cef5f751f7736d60df158a3d4467c34e1f6a77b8d4791cf02

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
768KB

MD5
49a11d7a20c44374433995cd29b0db80

SHA1
06a999e98320eb63382bef7b3a72c1e7dbfe1908

SHA256
ad381da571e98afda995981605645b52fce1c0b0ebff89994af1206de3d010bc

SHA512
8dd5fccdb580ab1b8cc2cbbaefde27e53e5306e57f82d266b5234c1a566ce511635cdf574ec9618f7202accf6427179e721c961ccd525a5a4f6e05aad8c8af7b

Download Submit
C:\Windows\SysWOW64\Lokdnjkg.exe

Filesize
768KB

MD5
acb36bd17cebaef6bedad845b9d7e932

SHA1
a2b6b810323bbdd63bce0dab64e381555306bcb7

SHA256
36e4da60d7797651e9b6ce4d7df9dd2fb88f3f999cef491908d3e869cd786a67

SHA512
2e86d9e7fc3958863da9670aa1cf2ee4f90bbc1560c1ae17711458a5bf326eb62a9f7dbe9cb1f0a64d38e3c91dc364ee9959cf2e00a32d9acdc8d1c985b604bc

Download Submit
C:\Windows\SysWOW64\Lqojclne.exe

Filesize
768KB

MD5
16fed3b485c465a0b9f841d3bc3ef083

SHA1
eb3e6855da07b6898f8ceaa010e5624bd997354c

SHA256
8472ae4a5789040cc2445afec461b01e650a58ef6c951eb80ee6b5f3c6bd1db8

SHA512
421967e015dec2b1a2f0d09a9bb1325f84d42c3757af37f882e54ab23e0f92831e12d3ccaebebd8e8a08ed700e28693467a0162462ba91f5d93a2a01a67b0fe2

Download Submit
C:\Windows\SysWOW64\Njbgmjgl.exe

Filesize
768KB

MD5
0fa1d7f933a385546c809911a85ee7b9

SHA1
75b05a24eafbaea595d4282f969d7a90f180b1f2

SHA256
f19c661ebef4aa51cf99e7f59fbf39bf2bea1e9669f2296aaa9c6dd8ac61089c

SHA512
83891b91a7b90c58b629e53bce677d809ec1e9963fe3e7b0d310c63c5a3fed037ef9a33a2645674797fcc661a395731ba5e61cb802b3e2fdbe2699280c244181

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
768KB

MD5
5989abe0f300b14e14f0ab57cfcdc056

SHA1
698b7ac596cfd30ceb97af92382c85c3062eba9c

SHA256
385891fe6d442cae6755dabf9006585fc36362a8dd3409d4196605a10d0a3c08

SHA512
e69560831e45a36b3080337882e79137ec59b5fd2988492e671961f7c0b09f7f8e9d0d7a7efbaacef6e5cd81439fd92a5b2bc237ce6fec0b005da1e362241bc4

Download Submit
C:\Windows\SysWOW64\Oaifpi32.exe

Filesize
768KB

MD5
1277781173c062f91a21ab3c3d55099b

SHA1
9125c7cff59d550c6d464be0f1945f83ed2588f9

SHA256
24b15efb9f3abb15ce313e9447a0478dfa7bf3bf00bf602d0be8085517ede160

SHA512
23190161e44ef1bf0be22ff3c726d2a44806a25482c593cc07eed5c20ddbfd75a8acd7c5fb5cde71632c920e221704906bae7e689b15b3f446555a60b4bf1252

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
768KB

MD5
be9d11a9f300534ff8a71d14965b8471

SHA1
56119e37324f98d8877dee5e05b96ab9e5f2dc80

SHA256
9b4a2c57215bc8636fb1e2e8d7be694abc9c8fe89722ab4422af4694d8b5c521

SHA512
a6a47b8b00a154f9cc9f86e0d60e55bdd7fdd32de322f2ba013be6309c7c241a05657f09c785058665d206c1210343ad56981977336686054519847571e41f56

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
768KB

MD5
fc980078a4cb986fbb9a35fa3e3fd4a2

SHA1
065b986b26f7de940bdc527eb801589c05e13239

SHA256
6558490a7993f4240a2ed448f117b5604adffbeb325f1d9df8a4b69be017372c

SHA512
0f101a30f285ce374b2f5856a1754994e89dcc5f420c1f010ac2e49ab68f18e11b392f5d34f5dce5de5e876af24c84bb6207a983fecc4c79178a169f9c0cbba7

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
768KB

MD5
065af273b3fb757d7cbef3a0795e60af

SHA1
e71f3b9e1b6cfca2328c06e743e15c6ae2f3bf7c

SHA256
3a86b4a55f3b6e6d7e4a2ed27ec6885b5362a407fc23e97be3b633bb35dbfe5e

SHA512
626e73325741a062ea304d38f1adbbb66a36a9cf1d193d21151b86e89e2b5d79f82b5f3dfa3a8394eb0706d0237c80306cf53d1c1acbb69a249233d20d2be962

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
768KB

MD5
b06fcfd4fb7609225398a3dacc72b8f9

SHA1
b7386934392402ad7445f508c0acbd1574f11760

SHA256
e48f77b424102af717e6d03d78b4cdacda8271afb67fa6381e6ce050cefcefd3

SHA512
e7e37958e33a54dcde2049159e9e988b2574567f0a3fba9e47ec7ebdb5baf384e4940a4097b067a8487966469874a15347db47397ba5688a7690a04d0dc9b6ff

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
768KB

MD5
19f2e00b88fc6a1c4a5c580ba44331a1

SHA1
3d5c4faa22f93728421b0aef68b7e807f7d1bbb5

SHA256
e02f5ef1f5472557023a370f0454108534d01cec9967cc2ad4fdea867f62076b

SHA512
4808464a0387fca572e804a1b931792fd717face23b42aa315d39fe45989fdda3c5cb5ef21209c24c2140b84384f88821857dcf0e122127311e407a663d31675

Download Submit
memory/8-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/32-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/32-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/700-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/700-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-637-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-601-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-608-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-629-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3324-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-624-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-650-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-623-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5204-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5240-631-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5256-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5296-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5320-638-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5336-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5356-644-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5388-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5448-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5476-651-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5532-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5544-657-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5580-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5620-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5660-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5708-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5756-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5800-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5844-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5884-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5928-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5980-602-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6036-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6096-616-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads