ea247a5fb553e3bfcceda2fe75421175a29695565714d7243e6fa74f65a4856f

Analysis

max time kernel
91s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea247a5fb553e3bfcceda2fe75421175a29695565714d7243e6fa74f65a4856f.exe
Size

71KB
MD5

b30e9c5b3763bbfecf33b140bf4aef4c
SHA1

72df7c008e319db8b35ada2bc102e57d20539772
SHA256

ea247a5fb553e3bfcceda2fe75421175a29695565714d7243e6fa74f65a4856f
SHA512

894911a49dc84aac8eca39f082087de4d38e96f258557f4de249ecddd668ea1804be29f43066148f289163d6451816a08b40cd3d25c38c3520846a08d4bc25dd
SSDEEP

1536:CLlgZ5f4GvuHxNJBcWQJJiFhjAql2LZN7RZObZUS:ovL0nZNClUS

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe

Executes dropped EXE 64 IoCs

pid	Process
2464	Odmgcgbi.exe
4716	Ofnckp32.exe
2168	Olhlhjpd.exe
3516	Opdghh32.exe
4060	Ocbddc32.exe
1932	Ofqpqo32.exe
2280	Onhhamgg.exe
3572	Oqfdnhfk.exe
4780	Ogpmjb32.exe
3032	Ojoign32.exe
5048	Olmeci32.exe
4024	Oddmdf32.exe
4364	Ofeilobp.exe
776	Pmoahijl.exe
1540	Pdfjifjo.exe
4840	Pgefeajb.exe
1112	Pjcbbmif.exe
5024	Pnonbk32.exe
1132	Pqmjog32.exe
904	Pclgkb32.exe
3200	Pggbkagp.exe
3764	Pjeoglgc.exe
3520	Pmdkch32.exe
808	Pdkcde32.exe
4340	Pcncpbmd.exe
2948	Pflplnlg.exe
2128	Pjhlml32.exe
4044	Pmfhig32.exe
3576	Pdmpje32.exe
4312	Pcppfaka.exe
3288	Pfolbmje.exe
944	Pjjhbl32.exe
1800	Pmidog32.exe
3492	Pqdqof32.exe
2024	Pcbmka32.exe
2756	Pfaigm32.exe
3300	Qnhahj32.exe
3512	Qqfmde32.exe
4028	Qdbiedpa.exe
2668	Qgqeappe.exe
3340	Qfcfml32.exe
3896	Qnjnnj32.exe
3952	Qqijje32.exe
4900	Qddfkd32.exe
3924	Qcgffqei.exe
1168	Qffbbldm.exe
1240	Ajanck32.exe
2708	Ampkof32.exe
940	Adgbpc32.exe
3592	Acjclpcf.exe
3320	Ajckij32.exe
4228	Ambgef32.exe
2200	Aeiofcji.exe
4988	Aclpap32.exe
4240	Agglboim.exe
1408	Ajfhnjhq.exe
4132	Amddjegd.exe
3556	Aqppkd32.exe
1972	Afmhck32.exe
3324	Andqdh32.exe
2192	Amgapeea.exe
5016	Aeniabfd.exe
1068	Aglemn32.exe
4284	Ajkaii32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	ea247a5fb553e3bfcceda2fe75421175a29695565714d7243e6fa74f65a4856f.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Hdhpgj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Mgcail32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5980	5772	WerFault.exe	232

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2464	1400	ea247a5fb553e3bfcceda2fe75421175a29695565714d7243e6fa74f65a4856f.exe	84
PID 1400 wrote to memory of 2464	1400	ea247a5fb553e3bfcceda2fe75421175a29695565714d7243e6fa74f65a4856f.exe	84
PID 1400 wrote to memory of 2464	1400	ea247a5fb553e3bfcceda2fe75421175a29695565714d7243e6fa74f65a4856f.exe	84
PID 2464 wrote to memory of 4716	2464	Odmgcgbi.exe	85
PID 2464 wrote to memory of 4716	2464	Odmgcgbi.exe	85
PID 2464 wrote to memory of 4716	2464	Odmgcgbi.exe	85
PID 4716 wrote to memory of 2168	4716	Ofnckp32.exe	86
PID 4716 wrote to memory of 2168	4716	Ofnckp32.exe	86
PID 4716 wrote to memory of 2168	4716	Ofnckp32.exe	86
PID 2168 wrote to memory of 3516	2168	Olhlhjpd.exe	87
PID 2168 wrote to memory of 3516	2168	Olhlhjpd.exe	87
PID 2168 wrote to memory of 3516	2168	Olhlhjpd.exe	87
PID 3516 wrote to memory of 4060	3516	Opdghh32.exe	88
PID 3516 wrote to memory of 4060	3516	Opdghh32.exe	88
PID 3516 wrote to memory of 4060	3516	Opdghh32.exe	88
PID 4060 wrote to memory of 1932	4060	Ocbddc32.exe	89
PID 4060 wrote to memory of 1932	4060	Ocbddc32.exe	89
PID 4060 wrote to memory of 1932	4060	Ocbddc32.exe	89
PID 1932 wrote to memory of 2280	1932	Ofqpqo32.exe	90
PID 1932 wrote to memory of 2280	1932	Ofqpqo32.exe	90
PID 1932 wrote to memory of 2280	1932	Ofqpqo32.exe	90
PID 2280 wrote to memory of 3572	2280	Onhhamgg.exe	91
PID 2280 wrote to memory of 3572	2280	Onhhamgg.exe	91
PID 2280 wrote to memory of 3572	2280	Onhhamgg.exe	91
PID 3572 wrote to memory of 4780	3572	Oqfdnhfk.exe	92
PID 3572 wrote to memory of 4780	3572	Oqfdnhfk.exe	92
PID 3572 wrote to memory of 4780	3572	Oqfdnhfk.exe	92
PID 4780 wrote to memory of 3032	4780	Ogpmjb32.exe	93
PID 4780 wrote to memory of 3032	4780	Ogpmjb32.exe	93
PID 4780 wrote to memory of 3032	4780	Ogpmjb32.exe	93
PID 3032 wrote to memory of 5048	3032	Ojoign32.exe	94
PID 3032 wrote to memory of 5048	3032	Ojoign32.exe	94
PID 3032 wrote to memory of 5048	3032	Ojoign32.exe	94
PID 5048 wrote to memory of 4024	5048	Olmeci32.exe	96
PID 5048 wrote to memory of 4024	5048	Olmeci32.exe	96
PID 5048 wrote to memory of 4024	5048	Olmeci32.exe	96
PID 4024 wrote to memory of 4364	4024	Oddmdf32.exe	97
PID 4024 wrote to memory of 4364	4024	Oddmdf32.exe	97
PID 4024 wrote to memory of 4364	4024	Oddmdf32.exe	97
PID 4364 wrote to memory of 776	4364	Ofeilobp.exe	98
PID 4364 wrote to memory of 776	4364	Ofeilobp.exe	98
PID 4364 wrote to memory of 776	4364	Ofeilobp.exe	98
PID 776 wrote to memory of 1540	776	Pmoahijl.exe	100
PID 776 wrote to memory of 1540	776	Pmoahijl.exe	100
PID 776 wrote to memory of 1540	776	Pmoahijl.exe	100
PID 1540 wrote to memory of 4840	1540	Pdfjifjo.exe	101
PID 1540 wrote to memory of 4840	1540	Pdfjifjo.exe	101
PID 1540 wrote to memory of 4840	1540	Pdfjifjo.exe	101
PID 4840 wrote to memory of 1112	4840	Pgefeajb.exe	102
PID 4840 wrote to memory of 1112	4840	Pgefeajb.exe	102
PID 4840 wrote to memory of 1112	4840	Pgefeajb.exe	102
PID 1112 wrote to memory of 5024	1112	Pjcbbmif.exe	103
PID 1112 wrote to memory of 5024	1112	Pjcbbmif.exe	103
PID 1112 wrote to memory of 5024	1112	Pjcbbmif.exe	103
PID 5024 wrote to memory of 1132	5024	Pnonbk32.exe	104
PID 5024 wrote to memory of 1132	5024	Pnonbk32.exe	104
PID 5024 wrote to memory of 1132	5024	Pnonbk32.exe	104
PID 1132 wrote to memory of 904	1132	Pqmjog32.exe	105
PID 1132 wrote to memory of 904	1132	Pqmjog32.exe	105
PID 1132 wrote to memory of 904	1132	Pqmjog32.exe	105
PID 904 wrote to memory of 3200	904	Pclgkb32.exe	107
PID 904 wrote to memory of 3200	904	Pclgkb32.exe	107
PID 904 wrote to memory of 3200	904	Pclgkb32.exe	107
PID 3200 wrote to memory of 3764	3200	Pggbkagp.exe	108

C:\Users\Admin\AppData\Local\Temp\ea247a5fb553e3bfcceda2fe75421175a29695565714d7243e6fa74f65a4856f.exe
"C:\Users\Admin\AppData\Local\Temp\ea247a5fb553e3bfcceda2fe75421175a29695565714d7243e6fa74f65a4856f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\Odmgcgbi.exe
  C:\Windows\system32\Odmgcgbi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\Ofnckp32.exe
    C:\Windows\system32\Ofnckp32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Windows\SysWOW64\Olhlhjpd.exe
      C:\Windows\system32\Olhlhjpd.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
      - C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        23⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        24⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        33⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        37⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        40⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        45⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        46⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        47⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1240
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        57⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        60⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        66⤵
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        67⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1888
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        70⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4580
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        73⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        74⤵
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4296
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        76⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        78⤵
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        80⤵
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        81⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2772
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        83⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        84⤵
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4776
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3284
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        87⤵
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        88⤵
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        93⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        94⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        95⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        99⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        101⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        103⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        105⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        107⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        108⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        110⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        116⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        117⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        120⤵
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        123⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        124⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        125⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        127⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        131⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        132⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        136⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        137⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        139⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        140⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1048
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        147⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 404
        148⤵
        Program crash
        
        PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5772 -ip 5772
1⤵
PID:5856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
71KB

MD5
afa20d9f7b7711499b16ad4f02961d48

SHA1
16f45f84de8e00348bb03c78652434d26aaa6e8f

SHA256
ef5551e8bfb6cfbb65eb36285f1864ae09be8c71db708db71ddfd2524d0c59a9

SHA512
02a9cf33a96e836eb1bfc542d1109a219d0a27be81960bbe2fbabaaa2c0e14a7f28a285545441891319e01d6dd88775041aedca498ab7bbdc7ebbd912e42ffd3

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
71KB

MD5
d0c5db07326c0be3fb223a7607d2b802

SHA1
988467c80dadd97c34083e87b3ac9fe7aa164f84

SHA256
f6bb8bbec298b150f81e198c9a8c62939e724f6e2a6111a568803e5d9feae86b

SHA512
75af932e486eb75bd05b36803d4263304a729c75e8152173370ebe10ac276bfb68fa4cbe3e6a2da6db83996e149cf460af3e32574f6559382d52bb8f9e1519ff

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
71KB

MD5
f5908d04efbc2aaabdf7dd22ea548d38

SHA1
61f730553d4e93c45aad1fe191f56b482602e7ce

SHA256
694928b30484e51c60d9b28e2d6b4a3c0d8d9fe9f190469a83e21361506c34ac

SHA512
0f02a531c9c59b626d39126dc716689e045950568214aa5de404f5213cc4bc55bf0eeed6eadd644dcbd6f9bba599423983933a15adae7007d72ab81939535699

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
71KB

MD5
0c6f08ac9a31afc6f475de1238d6f355

SHA1
dc325456577b995b2262878c217db4277f1ff977

SHA256
25e4dc8c2257387b8ed601348e881c67d5f40076b4542639f6d2a153437cd825

SHA512
0a13977a7d7902a51f4aea11ee98374e4795f09d7994ca12145a00d9748bf2915f4148d30c83c0e91b7d040b33bc98528f698bb44e719a30ac53536c9fa62297

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
71KB

MD5
54a117032940644c1bdbbdee91e02962

SHA1
08ca218c0ff9709e257b56a013b35c39d1023c93

SHA256
9c29940a8902f7519031a4422df0fb3703c0654665a3838e19576566e55715ad

SHA512
c36849b117d20dee67d63160b614097d9123c58aa97507dc745f597705963269baf504d70208282579a4ef49cebaadd67307d9c7a1c778b232f733a4226e4140

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
71KB

MD5
f08ff5cec9f424331fac238c9703e3f9

SHA1
9b4dd2412c37acdbceb9baf747cc3a73cb81b520

SHA256
4586eaa5df83b870921d2e78ae647c1137466b38959428d62b5ec209d00cc652

SHA512
71d0f5387895e488bf923a2d14f703fb135c3b6f4bc0af4c968b5711c5ca558b1e793ade0bc21858706eacb473740039ccdc18b6e0a5212f698fd0373444d62a

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
71KB

MD5
e89c6ef11c565b73dae0f939b0c48692

SHA1
85ae4131e9a1e7a6a3fcd40dbdda1f633a26ed23

SHA256
947c2cf9d871ed5b64b8357746c894db43bad3de172a650341b60016fd27f676

SHA512
5caa98dc1abb99837a1d55dd9d22a728d6c0ff0bad9904a9cf316ac32cc03b5cfcea28dc3da5176010b7f262e666ab09361aa403aff2f13d66e54b5edc3c9521

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
71KB

MD5
2f05eb500de0f0ff2e6fd047b3b52ceb

SHA1
93a4e1d06c922b7815f2af3a9241015fca5c40a0

SHA256
4fc04dedb56e70ceee8674ef98a3d22450c2879399039b3fd6136897ed123dc5

SHA512
bbbf4f1c6983fb6e37437663fb2a51918f4838221711332887733fb2df5ebc2d8f9d95e56bb5d17e3d8f7623f2584f664e002d1f349716bc32b9800c0875b5c3

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
71KB

MD5
8dd5f787995bc7b929cf37d5edc82f20

SHA1
06ea9cf1b3015e08dbb7911c8a725ea153c852cb

SHA256
155ea13abe48cd79b15f263321ae74d62c5660d4f59e9dfa0df5f83dcc25b8a9

SHA512
8efc267263bec21c8b7c807c7e8f851c21d554c2345de7e2840de2f01a69dab21e9324a5d0faf3748e29aa71c93c6fb31ddec0c42c2d98b1818914ae2a06c4e6

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
71KB

MD5
94a70213fa963e6976cd8a26d90ed3eb

SHA1
36e7ac8010b0bf4fc9a7f19c07da95f686f00f82

SHA256
e9ba36a6b4ccbf85432e4a096d43e9db47e72348a3dfb4d30606ac826d6a56fc

SHA512
f696ed7c705aaa8a4ff93c550ab13a644857b9e7b7190790850c76a3d984a8e1274cedc104432ce35edd33199a5819bd5968f96cb6c7532d555998381b2c8ae1

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
71KB

MD5
417195bfb6cd1bc6c37ee9379633e308

SHA1
eb23299b5f93a44f435e6ec18ee2f4bf2a4dab9b

SHA256
5c194cc8e52cfb53677f9f431091c4e7aa342ab5d520cdf4ce3c5e21ea941f6d

SHA512
56ac4fb8356e706a95302555a8ecadf3897fbb40167f9d33b73499158cc0d2a0b5f05b852ca4fc460578ef63e5ab12c099258d8b954708e532fc3e9ff10726b6

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
71KB

MD5
8cc85fa9a068aed6fdf30f596708196e

SHA1
21f1704f6b14009040fd58f139f3df20247353a4

SHA256
7b5ce953b6b6f5d0138a9270e2148cbc5dd9f3b3d6ef1e64fb9c3f30f7de7db0

SHA512
ae9ce262471d28b883be1d564919797f8e5871c5a93fbc72e5ad83640abc8a04a8d8f513ba4fc31a7f36543aae4d46176e72ecb4a8e46b036be8f9c1baddae0e

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
71KB

MD5
3b6d7b0e609793434cfb7e7fe8630508

SHA1
66fe667ec51f475e04501c937e4b5378879dc788

SHA256
6c12b5696f44dd08ad56374ae36cb13b134fe12a013c47f0f3e78c5162cd9d67

SHA512
a3e182f2115030473c72fa61a628c227db8d4388197ae9cb6140f7fd61557ea9c18342b48aea48b8ebe236d40a4dd4976859d1f58df9a00a571e522c69825aa1

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
71KB

MD5
1db84eee2d1b64716526902862d60c9a

SHA1
fe62612f98ba482746a3c874240659c3bc8b5b0a

SHA256
88b78ee090653db6d0def6a65eb7c92e1f2e2762f1a83c1b067f0970b772948d

SHA512
c8c099a05f4c994765379f28927e2f768895cc094a635905093ad4e9483b9aa3def93dbd608d9e6041220b2261ca150c5e525783c800e3e08bbf03bef02513aa

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
71KB

MD5
bd56bb5cd311c0ef2c0dfbabcafcb1b1

SHA1
0830d89bdae041e66afb1ed5d42179bdd9b15ab0

SHA256
e9dc220323387baed3ded54c291dc10e5b4ee080de2b06c60cceba72cf2ae552

SHA512
e8ac08b1bfc64f1af7290ff8e9a829a76dd3fcb1c958058fbe6a659a93b8ebc9e251779a569be49f44db4b1df654fa4f66eeecd87ccdf4d2411c9ef7957d3e96

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
71KB

MD5
13b05c0c5359a00e6a4bfffd3fa30d17

SHA1
92b7b870c4193656b48578244ae400e5185e235f

SHA256
8b7776b72a47ff23facf20d2c9c4a6eedd831f4248d573bb0cb53e5d4e106935

SHA512
c48b4d726789766dbcfb24b3c4c195264ce59568fdc85c65a34ee9dd06c80336a8b63d36e030839af038cb1195d99a0b5d98335bcd1127dd085df21729d63130

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
71KB

MD5
047b9f75d1b3ce8f06974dbadc05c22f

SHA1
08e91ad6f911e4c4653a8316620061b9bc2cf07c

SHA256
6bd77f73dd8f227a4292c5d876ffa6a42748f73ba45e9bcb0c883929ac5cee30

SHA512
5ed09682e2eba0eade5a2d82fa40e1ec82ebc4797bb3329e73199a718c8e83d3f90d2b976ad6fd34594e772df652a08895b58847c02fcdfec7920ce046c9088e

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
71KB

MD5
627adf8d888e66067e24d751a740a6cf

SHA1
af2d8152c44e43a92049a8672d9ebb4d905159da

SHA256
d50fb62a750e8fa217457f9e24089bde33324c8fd4bc859ef3a2e8a2b00f8039

SHA512
61092e47f59036dd6c8e54544f50eaa32593ca0efcc591c4757eb7d0a60170c9f49698d8be27fd125aaa79729dd9dd02a2b4159f3dc872c804f7e23532c97e99

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
71KB

MD5
01100f07b3206053700bb90e11588cf1

SHA1
ce72bcdca3247a023410c87e6a07cf4860066f15

SHA256
85ad7cec2fa9d739d01cddc5bfc1bcea33bf4ec1530bb10a9faf38c751c3054d

SHA512
0399df45a251223e160609e9ed27e7d5a9c577511cdd26061dc9b3f42c356c26d378ed99929d9e8a3ece7fc668d3650ee0826819d2591709eef653e62b92d019

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
71KB

MD5
b6adc56bfc6aa97facaecd28a8163d8d

SHA1
6a0ad924cc65002ef47682c1df5dfdb51422e25b

SHA256
c951bfc990c0b168eed7fd8953b370c6d2be0a7d0beb1835d30d0cc1a02e1959

SHA512
7b2c26a3f29f2985cf5f6b402946f9846c50b57f24fcf0ca039d2cf7653ec774d3db1675830422e7dd903773a4b335e329cb8bbe003436770e31e047d1471746

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
71KB

MD5
27e6deb80b973c6a0e506337a1a41f68

SHA1
ff243b5d60df83fa67c2d7270637b68feca68e16

SHA256
23a1dd15f070633a1ee0d2035aca9ccab872543451b346e79e5bf3657cae9633

SHA512
c60e0a1ef7c635f700f0929040627b69a3f5c8bb5712a6f2f5eda5038edcaf71a9a865945cf5310ead13896887ba581984d5fe6945c5d5d863933ae233a7ff95

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
71KB

MD5
6042022ef7a6711d7cd42f84d5ded5da

SHA1
3f1dc289bb16dd044ca8dab7200a24bb2e8b2c7c

SHA256
fbb348bcf7a5e6ca40c26615e1c749395f0b2d32992d6c1a062321ffa910803f

SHA512
310428095f60d18fefffcfd3af6f7e447a773623366b8fe60c3722bc04d9ac402073e4ab0b551797af6cba04ee179b664cdc704aff6180d8ef41c5c403fd0b10

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
71KB

MD5
48c1228a78d783b390cd358e752dbbd2

SHA1
c6c48b932e175ce00f5fd433fd68eb08397913cb

SHA256
b114573de05785125603c2e1a5e6c1de1706de013a3000daf379f5663b941bf9

SHA512
dfc35bf9c06ac32f55fe5045a24379390c3357ffa615c28208f6a7bc367baeac9cb38b9c8d3cdefb108dfb0bfb1b9dae51d28c074b74e0cebe90a32b5480bf83

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
71KB

MD5
18e273a27500900ab2236bde0d5dbfe6

SHA1
f5d08c1884d8d41b9fd68d55faa77dc3b1a6eece

SHA256
7be4006adfe195d21fef0e2a068d86a59bd97afa76807659820dec59b4a74134

SHA512
4b36d64d2d5b193a63cdd566f16579d7458f0657641624bcf610371287fa540d54632f943a8d712a4539319b5538a45a8cbd9d919a884aaa07b2e3cadfe99c74

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
71KB

MD5
48250b8a773cd077e39602256624a6c6

SHA1
0fe1c28385e1e09cbb13d96afee58190ba9b3417

SHA256
4ae9ddf988d25458e8a6a86504d4b07c0774361432fda329cb1cdc1893fdd95e

SHA512
734eff0146cb611fdf3535e7579e645490d0d00e20482f1afee94ac17936f5c4d0d4bd5baaf0a2cf49b41e661c4dfa0589590ce58bc0bc7d47ba00cda651dce8

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
71KB

MD5
c74157e88387ee896fe5be2ac7d46512

SHA1
c06cb5b2776c7b891dc56b7f46b3778dc1b44cb2

SHA256
bfcb6ea0e9e3792fdf9b697e0745bb3054762d48d67b6090447e86df2bc274eb

SHA512
5d7dcf6e8db54b1d53e4604b1ae4c1cb76b6bc6162970d83f2da8f4e889c39e270c2a641ad6cc294d260a1d01fb9fa8291431bb2ed67f9c325e9391a59593027

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
71KB

MD5
76e1087975124c33a2d6e939c028d7e4

SHA1
da06e83f54907bdce95bff351fa2cca5ba6b9468

SHA256
9cf354f68ea22bcbb3e9fb225a4b74cda78dcc5beca087748b446428ddaf8a61

SHA512
72993b76bc71491aa44dcdcad761718337f7cfc641b70f215918ff66fe51bd3435b494e4307e982b19f4f039dd505036725a3da6387acc4d8d866719dce8c997

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
71KB

MD5
1870bb3022376076239047c334fed16c

SHA1
738b931933c913bbc0c4b70b33a7058852b04724

SHA256
5214db1b7cd0571ec52d5c687c02c474981ab45c32b888a77aa05a244006592b

SHA512
b30015579c750d495d648e05b655724601e3fbf012d549b9b08379ebf29bdd947420ce74889b5ce9088f586f8bb1bd5ca6f4ce8c7cc189b4a4349708faf23fa5

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
71KB

MD5
b00c18a08e4688ec5e75bc0e717d1019

SHA1
3315391990413e0a7a38463b4406b32b4dca9ab2

SHA256
5ed6f1ac71b2a6e783ea0c773d73ecc25800e03b1ed9608c629835ab8a9f89ff

SHA512
51b4fd408459281e7dcbede3503af45f0267f1ea653a6582d3309505460dc30f60db087899137d26b8bc8caef41e8a2373071b2bd1ddc81d7fc3bfa2d597caba

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
71KB

MD5
79b345c18768fb5c239f24a02b5ea07a

SHA1
170c95406c489320f6ae0a3486778f7c4624f664

SHA256
fbad44dc7bd7dde4d98ff7d10d57f91fb05fcfe22bc569ab84322fe03193ad8e

SHA512
232c9388045ab781073f4d3387a3e5327e7d04037ba1847b4f7bbc99bd1e77a7d526657eee71bec2b57afebaf15ae4bf050000357c97d709b5ed433b46711475

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
71KB

MD5
42ad9db3c46133bd1431959f880c5569

SHA1
69736bf67b1f995425e84d6f974b5b6b1853bf29

SHA256
3c8071f655b7ff4f78dcf76ebdf7180584b1a575429596b21703ce3d427f611b

SHA512
2c6af1740fda8777d3b9d871a9d21103da21c576595acbdaaa4688be42da8ffc4697b5bb3a912444a5e38791450fe3c0c40175ef4ae9f8a9144abfd711581725

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
71KB

MD5
4dfdc01fb69c476ec20b668a79898733

SHA1
dfa6d193ddf764063333194d58c4df587f7c93f1

SHA256
1571a7a60926149c310a34dde32b91b9036a33f58c0fe997a6baf150e26cb96a

SHA512
d1df5f261546178cc4df7b2cf78002ff2aabb9c3f43b2e1470ffb4f04feab063f079a5ce5b0f8dcfbe9c917ecbd913aba3f7167b46ca711665d72811f9a41b94

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
71KB

MD5
4ce4b54432312e11ceda7196e9d51eba

SHA1
4c397adc62c96eebbf968173b810466ca3163106

SHA256
5213f20054d8b9e580d0b806dceceb47b5942fd0a1333b7ebe2a169dac8e23d8

SHA512
1e2ef5bd882cf08781e049f43a2102f4ea1582ae7d5a0ddd0fe0f5935f35aa2f0ef3d4bd906d518bf162bc9e4a920ce15d535762c4e2b0b8fad27165e122b440

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
71KB

MD5
fe0c808b0480c963f1596bcfd62f71ad

SHA1
95fa76de7e6d8d43d4f4b8bd06dcdaf22a5cde47

SHA256
9b093156dbfdea4efc4105f473bc343b0ed1d20d562345e965866f8973b83ca8

SHA512
7a42d746f9db5e180c8f33e29712cf21b545a6c5d6fdc5b979b1c0b2470f2f747eacbca645420a7f0812d5819b85381658172e7c45fc15c99a3034a0c03e5ef1

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
71KB

MD5
9c6a8976bc94562073ba69027cbffbfa

SHA1
5ab3ec9fd09eb36e13c5820f97e24de8f1d0ab4f

SHA256
a9b696e1182ab75daa1d288c73dfc598c09093a8a12c99ec4c357190f7c40087

SHA512
8d354249082c63d93e92e4aa0c1c7594bcf11afd61a1ea07d8fc64be004b69aaf5cce855213bc9b8d191cf17a02cd7eda87ea9dec1f2147954a81f8edf7f1ef5

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
71KB

MD5
53200a0dc7bd01b3a020c760f13491a2

SHA1
da3dd1b7fb00e70da4cb0350f401f50d2bb37101

SHA256
de4c5cd7c1839c5abe5b4af8811c6affb75504da0581d9dabb0635d514831e8a

SHA512
051fc991f75c91c9cd6aeee72eff08fb301093c4165fcaf9d611f47a322b304dcd1e1174ad9f35342257f9a24ea51f3375e7b6b10d78aa25639ef92fa4b7da70

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
71KB

MD5
bc39a7d4ef42b4b3bd12371f281c1bc7

SHA1
395325cfbfc8fb6e92daa5f708f87303a16788ce

SHA256
822ce461714950f137a06490bf2c26bdf6450ae2c4e8339903cda4562e6fc727

SHA512
b2f983ed1b1350e7a185a3c6413e8b603722e69e80ff223847a280d2f50b50e0ba7f403081b61abc5e372a77f59ce71958722b38098e428bfa3583305c15196a

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
71KB

MD5
c4b5b080a35f09b24fbd8eacb1e76e47

SHA1
26598057b0c8a0c4693a260b293c50829b06f174

SHA256
bf2b39443be9f551c3288089ddfca5cacb1e0bce7e3906a3348967b0d0c3e290

SHA512
fa3f285efd1103dd1abf33294475b153aed8355b97e6ad5671601ed3e2646d81e47fe90e70ec345be8727c85390361f4ed5a8f49f7e7cc45193d8cb7f3276466

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
71KB

MD5
e4a4bb3c4854ae4885ed8f65d59bf8cd

SHA1
d093a8774cd51dd5757df4ce645074d4727b7ebb

SHA256
0cbf1b0913ac757795eab375a8251978741c932c63533b0a86b52d2a9a18fd1c

SHA512
0de5d35604fb3266ac2fac2afd5cc9be61e9755241800a5dcf24e60ff543182ed1e32c5f2903b0c3b3a1121aa8ddae32bf095fa11b71ec2d7b00b3838bcc3dd3

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
71KB

MD5
f96d545082f639c97ea5fc0f6aecadba

SHA1
5a079b8d0639bd455e54e842f876d0766441240e

SHA256
4f1d5d0f231b41ee76f7fa29c0226b3f48bd55703de91b9526c09d5c0e4a6633

SHA512
19213e643bbfea9c5a3c4e35bab191ccd368a9444333ce96f602964e558f55fa31452b21fc24c1bb87a20fbbf6c0ae43c4346b879f28e0579ca958aa55f98a59

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
71KB

MD5
719eeb8d35204ceb74d078a524952acd

SHA1
0e0e1f688ef79ae7f6d5458810cf02dcd27c92d0

SHA256
978b18a630701d07ee0334bf937794592ad55b0246ecbf4c5371012bdc0944a5

SHA512
a11b3cf1bb44e1b702b3fc32a0a85b7ca237bf0118f99839fb3cc1d7b5b159debd395d7e0b87cf3515b17b960235b5b32b06f086bc768c626e64a817c0b1fe79

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
71KB

MD5
4edf4689e5b544544b2cd1e6682a71f3

SHA1
a57a721026f775483cc1604ee6648ac44974b40a

SHA256
e900c7324376be877674122ca8eb49d462e3461384eb02e84fbb695c5a3cd616

SHA512
ecb04387b55f9851819d08048f1257dc03348e20dc9708f9956b621a135e403e2278139bab562db80c119df59ceeb02b7b77724d6b82ef8bb0ed176f47982939

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
71KB

MD5
430d1fcd34a862522e174ede895d2cf0

SHA1
5fb234039998c1523a029fa9d44ad605087536aa

SHA256
557a5687d30ca8b16b83929e88083411acb0eab7adde3bc7e619de8b1554eab6

SHA512
58ed89f11f4ee592e74799346bacad9d52edc83020c86d39a3476c2f71cb56af24371de808d94c7eec8a0a27fff894ceaba55811f5675552c1f4cfaa8fde36fe

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
71KB

MD5
53a3b17fcaa4eb38c2023f6fd0375f01

SHA1
6014baabaa1661b28ae3b1bdebcfc0dfef2d2327

SHA256
0bacf3b4b5b9cb596462baa0d157c66af9c66c560805f026b8ea8337876605f9

SHA512
24b839f2256fb625a666ddd3934ea839b4279aaddc965fc0bb704f7a6d7b68c21e4318cf6cf9e100ceb1e05c96d3a2eaf5afae3adaea255be94264d23aba1990

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
71KB

MD5
1fbfa0821db9f873dd6aa3515dc287b8

SHA1
1abb5da346211339db8a48d609a9ce8642fd7580

SHA256
7a8711c39adcee3921f20bd81decb9dfa49b4a6ca54f082016f09499daaf5caa

SHA512
58d53a57deeffd8099ca695ae13b14e49f1f538008b57c84107fb6caa10b35f4ef90231959c42fea8eb466269e86050a0a157960fd035f51623487b675a2894e

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
71KB

MD5
53b6ac46a292efe10ce149a710719a83

SHA1
99ebd9abec0594f79b0cc205438e852d92edf4ad

SHA256
6722918d84da7cbcf37b5f73fa0b47341f59fca568bd11b8b98ef5161399e7a2

SHA512
38c026334b70a50c2ebb709b4335cace82a659749b22b4e60b4bcc248b9b6052dd6252d7ea8973b63f990d4665a38e64a5b7281df43d15ec8a01a2f02f3ef694

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
71KB

MD5
7702787c949c6b6abf2defc0a724db2f

SHA1
cf67bcccf1922e15aa255594620e9f98e450ffbd

SHA256
bf73ac2720f32c4a85208162e960e54b613b41cbc49b3aea2f7b14e11de065e2

SHA512
af510e33798723fe47bf05b9c92ce398c38e11148f34b10d9ff4333b98633662d42098b82f160c1705044b11263c3f99227cb193f38105657825357bd553e2c4

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
71KB

MD5
f233edccae7824e189fafaa4a5a3ddc4

SHA1
18860bd248542f382cdc8a10044bfcd4aa70678e

SHA256
441913f8a66823a86c59173305de6ca4fad3cd55d77486c77f8dfe990451124e

SHA512
a0419285a97d9bea5851d1441b756b69e0e4bb110379dd034afeb622058199a5c286f1c64d2c5a121a1f7ec7a3015781a63ad0e7ce099af80d34fd8041fc4bd9

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
71KB

MD5
ff6ebe7f3417f614798d70e7a0abfdec

SHA1
42b1a846bc7ce44a1c18ba1dcb97e8b69c0207f6

SHA256
8511115b8fbb1e0328023dc06002b3c93cbb3263a29972c057692b748d6ec373

SHA512
19f67f9861ddf13350f44e19da340d2951e007d5333a5de691380d0153c5119bd5a00b5ccf7b87b5a5a871100d6fe75d1d319f16c42d407ea4a2032d67cfec74

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
71KB

MD5
a522be0837e0c9f58b4ccb25abce3a33

SHA1
ae59b6fae89c6de14fcac56d95556c08f16ccfd6

SHA256
304a397750b6ec764fd6ec3a86201416820cbb3bde0ee46c8ba6bf0caba2181b

SHA512
5e69ea810606383d8073d993399226d082a6426556b5909c0f9d4ba340456e8a4aca65d8276b0772b84e32ff661b3f9389a545917b0150982e07946ccf09b83b

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
71KB

MD5
668229583f5c9960dcd092ce13870bfb

SHA1
7a64e8b44449a936a5598daebd54ca8471acd9ed

SHA256
ade545c93c70f51ff9df080d14aaf799376a0426df24e124d3af72001df564c1

SHA512
3d83c9d4e67dfbbcf063e684a5a51a8c46125633a923ef4e24bf64f1ddde57bb88b9428aa0e9b58723e429fe34dc38e38e70d54ab6da1491292e0468845dbbf8

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
71KB

MD5
22166ef7ed6e3c3c27918e9f820eca30

SHA1
91b5e090cf2749cbb92c07561aff898ee54c976c

SHA256
ee190e9beb623ef84016f6841c89e7203f6c65b34472fcebe06e172007148e96

SHA512
9dbd05cfc12748b8b4c8c31502b45ae80ef52b76d1fcafb8b72ce145e746adde668bfc31977be86829f98492e19457c0370d163ce8935859b9eb35b8f9125cf3

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
71KB

MD5
3c197616f3897e2c3ad0d069cb7dc896

SHA1
60bc9891b9d35f8adb25e89825ce2b9448a2d370

SHA256
2f8b4ec3b50df325e26a1cc3973531b6b78db8008a11e9d0d428277fbe7bacd5

SHA512
748a740ca4798c7380ab75730b7d8c9f31f61916c92fab51f0ac709ac10d600c04eaf3da5ba8b6a75a48c9d86913ef477ee155be3e66c801fa635643996c5d4f

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
71KB

MD5
ef792e7ca3785d2f245e3a98212f5a8b

SHA1
8319e6e29a0969ed62b85a3e905bb17868895ac1

SHA256
c164965ef48b42e07c7d3e57f14d3dcc96abaa9fcacdccbd91d3a814fa8d5c1b

SHA512
4b034c6d7ad8f4aab3382e391efe01369b02772d90e8b6692975712bb65d3388caba94568aa71abede8519232efbd9227a54f91675bc2bc6868af1c751975754

Download Submit
memory/776-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1400-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads